- An organization is deciding how to handle a risk that has low likelihood but catastrophic impact if it occurs. Leadership determines that the cost of full mitigation exceeds the asset value, but the residual exposure is unacceptable. Which risk treatment is MOST appropriate?
- Risk mitigation with additional controls
- Risk acceptance
- Risk avoidance by ceasing the activity
- Risk transference (e.g., insurance)
Correct answer: Risk transference (e.g., insurance)
When mitigation is too costly and acceptance is unacceptable, transferring the financial impact to a third party such as an insurer is the most appropriate treatment for low-likelihood, high-impact risks.
- A security manager wants to ensure that no single employee can complete a sensitive financial transaction from initiation to approval. Which principle BEST addresses this concern?
- Separation of duties
- Job rotation
- Mandatory vacation
- Least privilege
Correct answer: Separation of duties
Separation of duties divides a critical task among multiple people so that no single individual can complete it alone, reducing the risk of fraud.
- Which document type provides high-level management direction and is mandatory, defining the organization's overall security intent?
- Procedure
- Standard
- Policy
- Guideline
Correct answer: Policy
A security policy is a high-level, mandatory management statement of intent and direction; standards, procedures, and guidelines support it at more detailed levels.
- During business impact analysis, which metric defines the maximum tolerable amount of data loss measured in time?
- Maximum Tolerable Downtime (MTD)
- Recovery Time Objective (RTO)
- Work Recovery Time (WRT)
- Recovery Point Objective (RPO)
Correct answer: Recovery Point Objective (RPO)
RPO defines how much data, measured as a point in time, the organization can afford to lose, driving backup frequency.
- A multinational firm must comply with the EU GDPR. Under GDPR, what is the primary role of a data controller?
- Processes data only on documented instructions from another party
- Determines the purposes and means of processing personal data
- Audits the organization's privacy practices
- Provides cloud infrastructure for storing personal data
Correct answer: Determines the purposes and means of processing personal data
Under GDPR, the data controller determines the purposes and means of processing personal data and bears primary accountability for compliance.
- Which of the following BEST describes the purpose of due diligence in a security program?
- Documenting incident response steps
- Transferring liability to a third party
- Researching and understanding risks before acting
- Implementing and maintaining controls over time
Correct answer: Researching and understanding risks before acting
Due diligence is the act of gathering information and understanding risks; due care is the subsequent act of implementing reasonable controls.
- An employee signs an agreement promising not to disclose confidential information after leaving the company. This is an example of which control type?
- Compensating control
- Physical control
- Technical control
- Administrative control
Correct answer: Administrative control
A non-disclosure agreement is an administrative (managerial) control, relying on policy and legal agreement rather than technology or physical barriers.
- A CISO is calculating Annualized Loss Expectancy. The asset is valued at $200,000, the exposure factor is 25%, and the threat is expected once every four years. What is the ALE?
- $50,000
- $200,000
- $25,000
- $12,500
Correct answer: $12,500
SLE = $200,000 x 0.25 = $50,000; ARO = 0.25 (once per four years); ALE = $50,000 x 0.25 = $12,500.
- Which threat modeling methodology uses the categories Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege?
Correct answer: STRIDE
STRIDE is a Microsoft-developed threat model categorizing threats into those six classes.
- An organization wants to ensure its security program aligns with corporate governance and supports business objectives. Who should ultimately be accountable for the information security program?
- The data owners
- The internal audit team
- Senior executive management
- The information security manager
Correct answer: Senior executive management
Senior management holds ultimate accountability for the security program and for funding, supporting, and aligning it with business goals.
- Which intellectual property protection grants the creator exclusive rights to a literary or artistic work for a limited period?
- Trademark
- Patent
- Copyright
- Trade secret
Correct answer: Copyright
Copyright protects original works of authorship such as software code and documentation for a defined term.
- A company discovers a vendor has access to more data than the contract permits. To prevent recurrence, what should be incorporated into future third-party agreements?
- Service level agreements only
- A higher penalty for downtime
- Right-to-audit clauses and data handling requirements
- Mandatory use of the vendor's encryption
Correct answer: Right-to-audit clauses and data handling requirements
Right-to-audit clauses and explicit data handling requirements let the organization verify and enforce appropriate vendor access and protection.
- What is the PRIMARY purpose of a security awareness training program?
- To document who is responsible for breaches
- To satisfy regulatory checkbox requirements
- To change user behavior and build a security culture
- To replace technical controls
Correct answer: To change user behavior and build a security culture
Awareness training aims to change behavior and instill a security-conscious culture, reducing human-factor risk.
- Which of the following is the BEST example of a qualitative risk assessment technique?
- Using the Delphi method to gather expert opinions
- Computing annualized rate of occurrence
- Determining single loss expectancy in dollars
- Calculating ALE for each asset
Correct answer: Using the Delphi method to gather expert opinions
The Delphi method gathers anonymous expert consensus and is a qualitative, non-monetary technique.
- An organization adopts the (ISC)2 Code of Ethics. Which canon takes precedence when canons appear to conflict?
- Advance and protect the profession
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
Correct answer: Protect society, the common good, necessary public trust and confidence, and the infrastructure
The canons are applied in order, with protecting society and the public infrastructure taking the highest precedence.
- A manager must classify a newly discovered risk that could lead to regulatory fines. The MOST important first step in addressing this risk is to:
- Purchase cyber insurance immediately
- Notify the regulator preemptively
- Identify and assess the risk's likelihood and impact
- Implement encryption on all systems
Correct answer: Identify and assess the risk's likelihood and impact
Before selecting a treatment, the risk must first be identified and assessed for likelihood and impact to make an informed decision.
- Which agreement is a legally binding document used between an organization and an external entity that processes personal data on its behalf, defining responsibilities?
- Memorandum of understanding (MOU)
- Data processing agreement (DPA)
- Interconnection security agreement (ISA)
- Operational level agreement (OLA)
Correct answer: Data processing agreement (DPA)
A data processing agreement legally defines how a processor handles personal data on behalf of a controller, a GDPR requirement.
- Which of the following is the strongest reason to perform a business impact analysis before developing a disaster recovery plan?
- To purchase redundant hardware
- To assign blame for past outages
- To select backup vendors
- To identify critical processes and their recovery priorities
Correct answer: To identify critical processes and their recovery priorities
The BIA identifies critical business functions and their recovery priorities and timeframes, which drive the design of the DR plan.
- A security professional learns of an illegal action by their employer. According to the (ISC)2 Code of Ethics, the professional should FIRST:
- Report it anonymously to the media
- Resign immediately without comment
- Act legally and honorably, addressing it through appropriate channels
- Ignore it to protect their job
Correct answer: Act legally and honorably, addressing it through appropriate channels
The code requires acting honestly, justly, and legally; the professional should address the issue through proper, lawful channels.
- Which type of law addresses violations against the state or society and can result in imprisonment?
- Criminal law
- Civil law
- Common law
- Administrative law
Correct answer: Criminal law
Criminal law deals with offenses against society and can result in fines and imprisonment, with a higher burden of proof.
- A risk register lists residual risk after controls are applied. Residual risk is BEST defined as:
- The total risk before any controls
- The risk transferred to a third party
- The cost of the controls
- The risk remaining after controls are implemented
Correct answer: The risk remaining after controls are implemented
Residual risk is the portion of risk that remains after mitigation controls have been applied.
- What is the primary goal of implementing the principle of least privilege?
- Forcing periodic password changes
- Requiring two people to authorize transactions
- Ensuring users have only the access required to perform their duties
- Rotating staff through different roles
Correct answer: Ensuring users have only the access required to perform their duties
Least privilege grants users only the minimum access necessary to perform their job functions, limiting potential damage.
- An organization wants a framework specifically for IT governance that aligns IT goals with business goals. Which framework is MOST appropriate?
- ITIL
- NIST SP 800-53
- COBIT
- ISO 27001
Correct answer: COBIT
COBIT is a governance framework that aligns IT processes and controls with enterprise business objectives.
- Which of the following BEST distinguishes a threat from a vulnerability?
- A threat is a potential cause of harm; a vulnerability is a weakness that can be exploited
- A threat is a weakness; a vulnerability is an actor
- They are synonyms in risk management
- A vulnerability always results in a loss event
Correct answer: A threat is a potential cause of harm; a vulnerability is a weakness that can be exploited
A threat is any potential cause of an unwanted incident, while a vulnerability is a weakness that a threat can exploit.
- During a merger, the acquiring company must assess the target's security posture. This pre-acquisition security review is BEST described as:
- Due diligence
- Risk acceptance
- Due care
- Risk transference
Correct answer: Due diligence
Investigating the target's security posture before acquisition is due diligence, gathering information to make an informed decision.
- A company operates in the United States and processes health records. Which regulation governs the protection of this data?
Correct answer: HIPAA
HIPAA governs the protection of protected health information in the United States.
- What is the MOST important consideration when establishing a security baseline for an organization?
- It must match the strictest competitor's controls
- It should reflect the minimum acceptable level of security aligned to risk
- It should be the most expensive option available
- It must be identical across all systems regardless of function
Correct answer: It should reflect the minimum acceptable level of security aligned to risk
A baseline defines the minimum acceptable level of security, tailored to the organization's risk tolerance and requirements.
- An organization wants to demonstrate, in court, that it acted as a reasonable and prudent entity would in protecting its assets. This standard is known as:
- Strict liability
- The exclusionary rule
- Negligence per se
- The prudent person rule
Correct answer: The prudent person rule
The prudent person (or prudent man) rule judges whether the organization exercised the care a reasonable person would under similar circumstances.
- An organization is classifying data and must label information whose disclosure would cause exceptionally grave damage to national security. In the U.S. government classification scheme, this level is:
- Sensitive But Unclassified
- Top Secret
- Secret
- Confidential
Correct answer: Top Secret
Top Secret is applied to information whose unauthorized disclosure could cause exceptionally grave damage to national security.
- Who is PRIMARILY responsible for determining the classification level of a data set?
- The data owner
- The data custodian
- The end user
- The system administrator
Correct answer: The data owner
The data owner has ultimate responsibility for the data and determines its classification level and protection requirements.
- What is the role of a data custodian?
- Approving budget for security tools
- Setting organizational risk appetite
- Implementing and maintaining the protection controls specified by the owner
- Defining the classification and access policy
Correct answer: Implementing and maintaining the protection controls specified by the owner
The data custodian carries out the day-to-day protection of data per the owner's instructions, such as backups and access enforcement.
- Which data state is MOST associated with the need for full-disk or database encryption?
- Data in use
- Data at rest
- Data in motion
- Data in transit
Correct answer: Data at rest
Data at rest, stored on disks or in databases, is protected primarily through encryption such as full-disk or database encryption.
- An organization wants to ensure sensitive data is unrecoverable from solid-state drives before disposal. Which method is MOST appropriate?
- Reformatting the drive
- Single-pass overwrite
- Cryptographic erasure or physical destruction
- Degaussing
Correct answer: Cryptographic erasure or physical destruction
Overwriting is unreliable on SSDs because wear leveling and over-provisioning leave copies of blocks that the host cannot address, and degaussing has no effect on flash because it is not magnetic storage; cryptographic erasure or physical destruction is recommended. Cryptographic erase only counts if the drive encrypted all user data from the start and the key was never exposed, so verify that before relying on it.
- Degaussing is an effective sanitization method for which type of media?
- Optical media (CD/DVD)
- Solid-state drives
- Flash memory cards
- Magnetic media such as tapes and HDDs
Correct answer: Magnetic media such as tapes and HDDs
Degaussing uses a strong magnetic field to erase data on magnetic media; it is ineffective on SSDs and optical media.
- Which concept refers to the practice of removing or obscuring personally identifiable information so that individuals cannot be readily identified?
- Hashing
- Anonymization
- Tokenization
- Encryption
Correct answer: Anonymization
Anonymization irreversibly removes or alters identifying information so that data subjects cannot be re-identified.
- A scoping decision in security control selection refers to:
- Eliminating baseline controls that do not apply to the system
- Transferring control responsibility to a vendor
- Adding controls beyond the baseline
- Documenting why a control was implemented
Correct answer: Eliminating baseline controls that do not apply to the system
Scoping removes controls from a baseline that are not applicable to a particular system or environment.
- Tailoring of security controls is BEST described as:
- Modifying baseline controls to fit the organization's specific needs
- Auditing control effectiveness
- Outsourcing control implementation
- Adopting a baseline without changes
Correct answer: Modifying baseline controls to fit the organization's specific needs
Tailoring adjusts baseline controls (through scoping, compensating controls, and parameter selection) to match the organization's specific environment.
- Data remanence refers to:
- Data replicated to a backup site
- Data intentionally retained for compliance
- Residual data remaining after deletion or erasure attempts
- Data classified at the highest level
Correct answer: Residual data remaining after deletion or erasure attempts
Data remanence is the residual representation of data that remains even after attempts to remove or erase it.
- An organization assigns a retention period to records based on legal and business requirements. The PRIMARY risk of retaining data longer than necessary is:
- Reduced storage costs
- Improved analytics
- Faster backups
- Increased liability and exposure in the event of a breach or e-discovery
Correct answer: Increased liability and exposure in the event of a breach or e-discovery
Excess retention increases legal liability, e-discovery scope, and the volume of data exposed if a breach occurs.
- Which role determines who may access data and approves access requests, but does not perform the technical implementation?
- Data owner
- Data custodian
- Security administrator
- Auditor
Correct answer: Data owner
The data owner sets access policy and approves access; the custodian or administrator implements the technical controls.
- Tokenization protects sensitive data by:
- Hashing it irreversibly
- Encrypting it with a reversible key
- Replacing it with a non-sensitive surrogate value mapped in a secure vault
- Compressing it to reduce size
Correct answer: Replacing it with a non-sensitive surrogate value mapped in a secure vault
Tokenization substitutes sensitive data with a non-sensitive token, with the mapping stored securely in a token vault.
- A data classification policy should PRIMARILY be based on:
- The age of the data
- The value, sensitivity, and criticality of the information
- The department that created it
- The cost of storage media
Correct answer: The value, sensitivity, and criticality of the information
Classification is driven by the information's value, sensitivity, and criticality to determine appropriate protection.
- Which of the following describes the concept of a data subject under privacy regulations?
- The vendor that processes the data
- The regulatory authority
- The individual whom personal data describes
- The organization that determines processing purposes
Correct answer: The individual whom personal data describes
A data subject is the identified or identifiable natural person to whom personal data relates.
- An organization is selecting controls and must ensure a chosen baseline meets a specific regulatory requirement that the baseline does not address. The BEST approach is to:
- Supplement the baseline with additional controls during tailoring
- Ignore the requirement since the baseline is approved
- Lower the classification of affected data
- Outsource the regulated data entirely
Correct answer: Supplement the baseline with additional controls during tailoring
Tailoring includes supplementing a baseline with additional controls to meet specific regulatory or organizational requirements.
- Which of the following BEST protects data in use against memory-scraping attacks on a cloud host?
- TLS encryption
- Tokenization at rest
- Full-disk encryption
- Confidential computing with trusted execution environments
Correct answer: Confidential computing with trusted execution environments
Confidential computing protects data in use by processing it within hardware-based trusted execution environments isolated from the host.
- A media labeling policy primarily helps to:
- Improve read/write performance
- Comply with copyright law
- Ensure handlers know the sensitivity and required handling of the media
- Reduce the cost of media
Correct answer: Ensure handlers know the sensitivity and required handling of the media
Labeling communicates the classification and handling requirements so personnel handle the media appropriately.
- Which sanitization term means rendering media unusable through shredding, incineration, or pulverization?
- Overwriting
- Purging
- Clearing
- Destruction
Correct answer: Destruction
Destruction physically renders media unusable and is the highest assurance sanitization method per NIST SP 800-88.
- Per NIST SP 800-88, 'clearing' media is intended to protect against:
- Electromagnetic emanation analysis
- Keyboard or simple recovery attacks using standard interfaces
- Laboratory-level recovery attacks
- Nation-state forensic recovery
Correct answer: Keyboard or simple recovery attacks using standard interfaces
Clearing protects against simple, non-invasive data recovery using standard read commands, but not against laboratory attacks; purging addresses those.
- A data steward differs from a data owner in that the steward primarily:
- Determines legal retention periods
- Approves the security budget
- Manages day-to-day data quality and governance on behalf of the owner
- Sets the strategic value of the data
Correct answer: Manages day-to-day data quality and governance on behalf of the owner
A data steward handles operational data governance and quality on behalf of the owner, who retains strategic accountability.
- When defining who provides security controls in a cloud environment, the appropriate model to consult is:
- The shared responsibility model
- The Clark-Wilson model
- The Bell-LaPadula model
- The Biba model
Correct answer: The shared responsibility model
The shared responsibility model defines which security responsibilities belong to the cloud provider versus the customer.
- Which security model is concerned PRIMARILY with confidentiality and enforces no-read-up and no-write-down?
- Brewer-Nash
- Biba
- Clark-Wilson
- Bell-LaPadula
Correct answer: Bell-LaPadula
Bell-LaPadula is a confidentiality model enforcing the simple security property (no read up) and the star property (no write down).
- The Biba integrity model enforces which two key properties?
- Separation of duties and least privilege
- No read down and no write up
- No read up and no write down
- Read and write at the same level only
Correct answer: No read down and no write up
Biba protects integrity with the simple integrity property (no read down) and the star integrity property (no write up).
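The two models' rules side by side, as an added Go example that is not part of the original question set: a small reference-monitor style mediator that is invoked for every access request and reports which property decided it. The four-level lattice, the subject and object names, and the absence of compartments are simplifications constructed for the illustration; real MAC systems carry categories as well as levels.

```go
package main

import "fmt"

// Level is an ordinal label: a higher value means a higher clearance (BLP)
// or higher integrity (Biba). Constructed four-level lattice, no categories.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

func (l Level) String() string {
	return [...]string{"Unclassified", "Confidential", "Secret", "TopSecret"}[l]
}

type Model int

const (
	BellLaPadula Model = iota // confidentiality: no read up, no write down
	Biba                      // integrity: no read down, no write up
)

func (m Model) String() string { return [...]string{"Bell-LaPadula", "Biba"}[m] }

type Op int

const (
	Read Op = iota
	Write
)

func (o Op) String() string { return [...]string{"read", "write"}[o] }

type Subject struct {
	Name  string
	Level Level // clearance (BLP) or integrity level (Biba)
}

type Object struct {
	Name  string
	Level Level // classification (BLP) or integrity label (Biba)
}

// Decision records the outcome and the property that produced it, for the audit log.
type Decision struct {
	Allowed bool
	Rule    string
}

// Mediate plays the reference monitor: every request passes through here and
// the answer depends only on the labels, never on who owns the object.
func Mediate(m Model, op Op, s Subject, o Object) Decision {
	switch {
	case m == BellLaPadula && op == Read:
		return Decision{s.Level >= o.Level, "BLP simple security property (no read up)"}
	case m == BellLaPadula && op == Write:
		return Decision{s.Level <= o.Level, "BLP *-property (no write down)"}
	case m == Biba && op == Read:
		return Decision{s.Level <= o.Level, "Biba simple integrity property (no read down)"}
	case m == Biba && op == Write:
		return Decision{s.Level >= o.Level, "Biba *-integrity property (no write up)"}
	}
	return Decision{false, "unknown model or operation: default deny"}
}

func main() {
	analyst := Subject{"analyst", Secret} // constructed subject
	objects := []Object{{"press-release", Unclassified}, {"ops-plan", Secret}, {"sigint-report", TopSecret}}
	for _, m := range []Model{BellLaPadula, Biba} {
		for _, o := range objects {
			for _, op := range []Op{Read, Write} {
				d := Mediate(m, op, analyst, o)
				fmt.Printf("%-13v %-5v %-14s (%-12v) allowed=%-5t %s\n", m, op, o.Name, o.Level, d.Allowed, d.Rule)
			}
		}
	}
}
```

Note that the same Secret-cleared subject may write into a Top Secret object under Bell-LaPadula (writing up leaks nothing) but may not under Biba (low-integrity input must not contaminate high-integrity data); that mirror image is the easiest way to keep the two models straight.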
- The Brewer-Nash model is designed to:
- Prevent conflicts of interest by dynamically restricting access
- Ensure data integrity through well-formed transactions
- Provide mandatory access labels
- Enforce multilevel confidentiality
Correct answer: Prevent conflicts of interest by dynamically restricting access
The Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically restricting access based on what the subject has previously accessed.
- In a public key infrastructure, which entity is responsible for validating a requestor's identity before a certificate is issued?
- Certificate Authority (CA)
- Validation Authority (VA)
- Key Escrow Agent
- Registration Authority (RA)
Correct answer: Registration Authority (RA)
The Registration Authority verifies the identity of the certificate requestor; the CA then issues the certificate.
- Which encryption approach uses the same key to encrypt and decrypt data?
- Symmetric encryption
- Hashing
- Digital signatures
- Asymmetric encryption
Correct answer: Symmetric encryption
Symmetric encryption uses a single shared secret key for both encryption and decryption, offering speed but key distribution challenges.
- A digital signature primarily provides which security services?
- Confidentiality only
- Availability and authorization
- Integrity, authentication, and non-repudiation
- Confidentiality and availability
Correct answer: Integrity, authentication, and non-repudiation
A digital signature provides integrity, authentication of the sender, and non-repudiation by signing a hash with the sender's private key.
- Which cryptographic attack involves an attacker capturing and later resending valid data to gain unauthorized access?
- Side-channel attack
- Chosen-plaintext attack
- Replay attack
- Birthday attack
Correct answer: Replay attack
A replay attack captures legitimate transmissions and retransmits them; timestamps and nonces mitigate it.
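The signature question above and this replay question together, as one added Go example that is not from the original question set: a sender signs nonce, timestamp and payload with an Ed25519 private key, and a receiver verifies the signature, enforces a freshness window, and rejects any nonce it has already accepted. The message layout, the 30-second window, and the payload strings are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Message is a constructed wire format for this example: a random nonce, the
// issue time, the payload, and an Ed25519 signature over the first three.
type Message struct {
	Nonce    [16]byte
	IssuedAt int64 // Unix seconds
	Payload  []byte
	Sig      []byte
}

// signedBytes returns nonce || issuedAt || payload, exactly what the signature
// covers. Leaving the nonce or timestamp outside the signature would let an
// attacker re-stamp a captured message and replay it.
func signedBytes(m *Message) []byte {
	buf := make([]byte, 0, 16+8+len(m.Payload))
	buf = append(buf, m.Nonce[:]...)
	buf = binary.BigEndian.AppendUint64(buf, uint64(m.IssuedAt))
	return append(buf, m.Payload...)
}

// Sign builds a message with a fresh random nonce and the given clock reading.
func Sign(priv ed25519.PrivateKey, payload []byte, now time.Time) (*Message, error) {
	m := &Message{IssuedAt: now.Unix(), Payload: payload}
	if _, err := rand.Read(m.Nonce[:]); err != nil {
		return nil, err
	}
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m, nil
}

var (
	ErrBadSignature = errors.New("signature invalid")
	ErrStale        = errors.New("message outside freshness window")
	ErrReplay       = errors.New("nonce already seen")
)

// Receiver accepts each signed message at most once within a freshness window.
type Receiver struct {
	pub    ed25519.PublicKey
	window time.Duration
	seen   map[[16]byte]int64 // nonce -> issue time, kept for eviction
}

func NewReceiver(pub ed25519.PublicKey, window time.Duration) *Receiver {
	return &Receiver{pub: pub, window: window, seen: make(map[[16]byte]int64)}
}

// Accept checks the signature first, so forged messages cannot fill the nonce
// cache, then the timestamp window, then the nonce. The window keeps the cache
// bounded: anything older than it is rejected before any lookup.
func (r *Receiver) Accept(m *Message, now time.Time) error {
	if !ed25519.Verify(r.pub, signedBytes(m), m.Sig) {
		return ErrBadSignature
	}
	issued := time.Unix(m.IssuedAt, 0)
	if now.Sub(issued) > r.window || issued.Sub(now) > r.window {
		return ErrStale
	}
	if _, dup := r.seen[m.Nonce]; dup {
		return ErrReplay
	}
	r.seen[m.Nonce] = m.IssuedAt
	for n, t := range r.seen { // evict nonces that can no longer pass the window check
		if now.Sub(time.Unix(t, 0)) > r.window {
			delete(r.seen, n)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	r := NewReceiver(pub, 30*time.Second)
	now := time.Now()
	m, _ := Sign(priv, []byte("transfer 100 to acct 42"), now) // constructed payload
	fmt.Println("first delivery:", r.Accept(m, now.Add(time.Second)))   // <nil>
	fmt.Println("replayed copy: ", r.Accept(m, now.Add(2*time.Second))) // nonce already seen
	m.Payload = []byte("transfer 999 to acct 42")
	fmt.Println("tampered copy: ", r.Accept(m, now.Add(3*time.Second))) // signature invalid
}
```

The signature alone gives integrity, sender authentication and non-repudiation; it does nothing against replay, because a captured message verifies just as well the second time. The nonce cache and the timestamp window are the two extra checks the explanation refers to, and the window is what makes the cache finite.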
- The primary advantage of elliptic curve cryptography (ECC) over RSA is:
- It cannot be broken by quantum computers
- It does not require key management
- It is a symmetric algorithm
- It provides equivalent security with smaller key sizes
Correct answer: It provides equivalent security with smaller key sizes
ECC achieves comparable security strength to RSA with much smaller keys, making it efficient for constrained devices.
- A Trusted Platform Module (TPM) is BEST used to:
- Replace antivirus software
- Manage user accounts
- Encrypt network traffic in transit
- Securely store cryptographic keys and support platform integrity measurements
Correct answer: Securely store cryptographic keys and support platform integrity measurements
A TPM is a dedicated chip that keeps keys in hardware and records boot-time integrity measurements in its Platform Configuration Registers; full-disk encryption such as BitLocker seals the volume key to those measurements so it is released only when the boot chain is unchanged.
- Which of the following BEST describes a covert timing channel?
- A side channel based on power consumption
- Encrypting data to hide its meaning
- Conveying information by modulating the timing of events or resource use
- Steganography embedding data in images
Correct answer: Conveying information by modulating the timing of events or resource use
A covert timing channel transfers information by altering the timing or rate of system events that another process can observe.
- The reference monitor concept is implemented by the:
- Security kernel
- Protection ring 3
- Trusted computing base
- Hypervisor only
Correct answer: Security kernel
The security kernel is the hardware, firmware, and software that implement the reference monitor, mediating all access between subjects and objects.
- Which property must a reference monitor satisfy?
- It must be replaceable at runtime
- It must run in user space
- It must be optional and bypassable for performance
- It must be tamperproof, always invoked, and small enough to be verified
Correct answer: It must be tamperproof, always invoked, and small enough to be verified
A reference monitor must be tamperproof, always invoked (non-bypassable), and verifiable (small enough to be tested completely).
- A buffer overflow that allows an attacker to execute code is MOST directly enabled by:
- Strong input validation
- Use of parameterized queries
- Lack of bounds checking on memory operations
- Address space layout randomization
Correct answer: Lack of bounds checking on memory operations
Buffer overflows occur when a program writes beyond an allocated buffer due to missing bounds checking, potentially overwriting memory used for control flow.
- Which countermeasure randomizes memory addresses to make buffer overflow exploitation more difficult?
- Stack canaries
- Address Space Layout Randomization (ASLR)
- Data Execution Prevention (DEP)
- Code signing
Correct answer: Address Space Layout Randomization (ASLR)
ASLR randomizes the base addresses of the stack, heap, and loaded libraries for each process, so an attacker cannot reliably predict where injected code, or the existing library code used by return-to-libc and return-oriented attacks, will sit; it is normally paired with DEP and stack canaries because any one of them alone can be worked around.
- In cryptography, what is the purpose of a salt when hashing passwords?
- To speed up hash computation
- To encrypt the password reversibly
- To make precomputed rainbow table attacks ineffective
- To compress the password before hashing
Correct answer: To make precomputed rainbow table attacks ineffective
A unique salt added to each password ensures identical passwords hash differently, defeating precomputed rainbow tables.
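Salting in working code, as an added Go example that is not from the original question set. PBKDF2 with HMAC-SHA-256 (RFC 8018) is implemented inline so the block runs on the standard library alone; in a real code base use a maintained implementation such as golang.org/x/crypto/pbkdf2 or, better, argon2. The 16-byte salt, the stored record layout and the sample passwords are choices made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PBKDF2HMACSHA256 implements PBKDF2 (RFC 8018, 5.2) with HMAC-SHA-256 as the PRF:
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func PBKDF2HMACSHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	out := make([]byte, 0, ((keyLen+hLen-1)/hLen)*hLen)
	for i := 1; len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i), big-endian
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Record is what gets stored per user: the salt sits in the clear next to the
// hash. The salt is not a secret; its job is uniqueness, not confidentiality.
type Record struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// HashPassword draws a fresh random 16-byte salt for every password it stores.
func HashPassword(password string, iterations int) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{salt, iterations, PBKDF2HMACSHA256([]byte(password), salt, iterations, 32)}, nil
}

// VerifyPassword recomputes with the stored salt and compares in constant time.
func VerifyPassword(rec Record, password string) bool {
	return hmac.Equal(rec.Hash, PBKDF2HMACSHA256([]byte(password), rec.Salt, rec.Iterations, 32))
}

func main() {
	// Constructed demo: two users who happened to choose the same password.
	a, _ := HashPassword("correct horse battery staple", 100_000)
	b, _ := HashPassword("correct horse battery staple", 100_000)
	fmt.Println("same stored hash?", bytes.Equal(a.Hash, b.Hash)) // false: the salts differ
	fmt.Println("user A:", hex.EncodeToString(a.Salt), hex.EncodeToString(a.Hash))
	fmt.Println("user B:", hex.EncodeToString(b.Salt), hex.EncodeToString(b.Hash))
	fmt.Println("verify A:", VerifyPassword(a, "correct horse battery staple")) // true
}
```

The salt is what makes a precomputed table useless: an attacker would need one table per salt value. The iteration count is a separate defense that slows each guess down; a memory-hard function such as Argon2id does the same job with better resistance to GPU cracking.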
- Which block cipher mode does NOT use an initialization vector and reveals patterns in repeated plaintext blocks?
- Galois/Counter Mode (GCM)
- Counter (CTR)
- Electronic Codebook (ECB)
- Cipher Block Chaining (CBC)
Correct answer: Electronic Codebook (ECB)
ECB encrypts each block independently, so identical plaintext blocks produce identical ciphertext, revealing patterns.
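The pattern leak made visible, as an added Go example that is not from the original question set: the same repeated plaintext is encrypted under ECB and under CBC with a random IV, and duplicate ciphertext blocks are counted. The sample plaintext (one 16-byte record repeated eight times) and the AES-256 key are constructed for the illustration; Go's crypto/cipher deliberately ships no ECB mode, so ECB is spelled out by hand here only to show the problem.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// encryptECB applies the block cipher to each block independently, with no IV.
// Written out only to make the leak visible; never use this for real data.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", blockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out, nil
}

// encryptCBC chains each block into the next starting from a random IV, so
// equal plaintext blocks no longer map to equal ciphertext blocks. The IV is
// prepended to the output because the decryptor needs it.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", blockSize)
	}
	out := make([]byte, blockSize+len(plaintext))
	iv := out[:blockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[blockSize:], plaintext)
	return out, nil
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block, which
// is exactly the signal an eavesdropper reads off ECB output.
func duplicateBlocks(ct []byte) int {
	seen := make(map[[blockSize]byte]bool)
	dups := 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		var b [blockSize]byte
		copy(b[:], ct[i:i+blockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// samplePlaintext is constructed: one 16-byte record repeated eight times,
// standing in for the repeated rows or pixels that make ECB leaks famous.
var samplePlaintext = bytes.Repeat([]byte("ATTACK AT DAWN!!"), 8)

func main() {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ecb, _ := encryptECB(key, samplePlaintext)
	cbc, _ := encryptCBC(key, samplePlaintext)
	fmt.Printf("ECB: %d of %d blocks repeat an earlier block\n", duplicateBlocks(ecb), len(ecb)/blockSize) // 7 of 8
	fmt.Printf("CBC: %d of %d blocks repeat an earlier block\n", duplicateBlocks(cbc), len(cbc)/blockSize) // 0 of 9
}
```

CBC fixes the pattern leak but not malleability or padding-oracle problems; for new designs an authenticated mode such as GCM, which the question lists as a distractor, is the right default.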
- A security architect wants a design that fails to a secure state when an error occurs. This principle is known as:
- Defense in depth
- Fail secure (fail closed)
- Open design
- Fail open
Correct answer: Fail secure (fail closed)
Fail secure means that when a control fails, it defaults to denying access, protecting confidentiality and integrity.
- Which type of system would MOST likely use a real-time operating system with deterministic timing and limited update capability?
- An industrial control system (ICS/SCADA)
- A general-purpose laptop
- A web application server
- A database management system
Correct answer: An industrial control system (ICS/SCADA)
Industrial control systems require deterministic, real-time behavior and often have constrained patching, creating unique security challenges.
- What does perfect forward secrecy ensure in a TLS session?
- Compromise of the long-term private key does not expose past session keys
- All traffic is compressed
- Symmetric keys never change
- The server certificate cannot be forged
Correct answer: Compromise of the long-term private key does not expose past session keys
Perfect forward secrecy uses ephemeral keys so that compromising the server's long-term key does not allow decryption of previously recorded sessions.
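The mechanism behind that sentence, as an added Go example that is not from the original question set: each party holds only a long-term Ed25519 identity key, generates a fresh X25519 key pair per session, signs the ephemeral public key with the identity key so the peer can authenticate it, and derives the session key from the ephemeral exchange. The ephemeral private keys never leave the function, so nothing an attacker could later steal (including the identity keys) recomputes a past session key. The handshake layout and the key-derivation label are constructed for the illustration and are not TLS.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds only a long-term Ed25519 identity key, the analogue of the key
// behind a server certificate. Nothing session-specific is ever stored here.
type Party struct {
	Name   string
	idPriv ed25519.PrivateKey
	IDPub  ed25519.PublicKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, idPriv: priv, IDPub: pub}, nil
}

// offer is what each side sends: a fresh X25519 public key plus a signature
// over it by the sender's identity key, so the peer knows whose key it is.
type offer struct {
	eph []byte
	sig []byte
}

// deriveKey binds the session key to both ephemeral public keys and the shared
// secret (constructed label; real protocols use HKDF over a transcript hash).
func deriveKey(secret, pubA, pubB []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pfs-demo session key"))
	h.Write(pubA)
	h.Write(pubB)
	h.Write(secret)
	return h.Sum(nil)
}

var ErrPeerSignature = errors.New("peer's ephemeral key is not signed by its identity key")

// Session runs one authenticated ephemeral exchange and returns the key each
// side computed. The X25519 private keys live only inside this function; once
// it returns, neither party, nor anyone holding idPriv, can recompute the secret.
func Session(a, b *Party) (keyA, keyB []byte, err error) {
	curve := ecdh.X25519()
	ephA, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ephB, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	offA := offer{ephA.PublicKey().Bytes(), ed25519.Sign(a.idPriv, ephA.PublicKey().Bytes())}
	offB := offer{ephB.PublicKey().Bytes(), ed25519.Sign(b.idPriv, ephB.PublicKey().Bytes())}

	// A checks B's offer against B's identity key, and B checks A's.
	if !ed25519.Verify(b.IDPub, offB.eph, offB.sig) || !ed25519.Verify(a.IDPub, offA.eph, offA.sig) {
		return nil, nil, ErrPeerSignature
	}
	peerForA, err := curve.NewPublicKey(offB.eph)
	if err != nil {
		return nil, nil, err
	}
	peerForB, err := curve.NewPublicKey(offA.eph)
	if err != nil {
		return nil, nil, err
	}
	secretA, err := ephA.ECDH(peerForA)
	if err != nil {
		return nil, nil, err
	}
	secretB, err := ephB.ECDH(peerForB)
	if err != nil {
		return nil, nil, err
	}
	return deriveKey(secretA, offA.eph, offB.eph), deriveKey(secretB, offA.eph, offB.eph), nil
}

func main() {
	client, _ := NewParty("client")
	server, _ := NewParty("server")
	k1a, k1b, _ := Session(client, server)
	k2a, _, _ := Session(client, server)
	fmt.Printf("session 1 keys agree: %t\n", bytes.Equal(k1a, k1b))  // true
	fmt.Printf("session 2 key differs: %t\n", !bytes.Equal(k1a, k2a)) // true
	fmt.Printf("session 1 key: %x\n", k1a)
}
```

Contrast this with static RSA key transport, where the client encrypts the session secret to the server's long-term public key: a recorded capture plus a later theft of that private key decrypts every old session, which is exactly what forward secrecy rules out.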
- A homomorphic encryption scheme is valuable because it allows:
- Hashing to be reversible
- Symmetric and asymmetric keys to be identical
- Computation on encrypted data without decrypting it
- Faster key exchange
Correct answer: Computation on encrypted data without decrypting it
Homomorphic encryption permits computations on ciphertext that, when decrypted, match operations performed on the plaintext, preserving confidentiality during processing.
- Which access control model uses security labels and clearances and is enforced by the system rather than the data owner?
- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
Correct answer: Mandatory access control (MAC)
MAC enforces access based on labels and clearances set by the system and policy, not at the discretion of individual owners.
- A side-channel attack against a smart card might exploit:
- Power consumption or electromagnetic emissions during cryptographic operations
- An unpatched web server
- A weak TLS cipher suite
- A SQL injection flaw
Correct answer: Power consumption or electromagnetic emissions during cryptographic operations
Side-channel attacks measure physical phenomena such as power usage, timing, or emissions to infer secret keys.
- The concept of 'security through obscurity' is generally discouraged because:
- It conflicts with encryption
- Security should not rely solely on the secrecy of design or implementation
- It is too expensive to implement
- It requires too much documentation
Correct answer: Security should not rely solely on the secrecy of design or implementation
Kerckhoffs's principle holds that a system's security should not depend on the secrecy of its design, only on the secrecy of keys.
- Which firewall type inspects the state of active connections and makes decisions based on the context of traffic?
- Static screening router
- Repeater
- Stateful inspection firewall
- Packet-filtering firewall
Correct answer: Stateful inspection firewall
A stateful inspection firewall tracks the state of connections and allows or denies traffic based on connection context, not just individual packets.
- At which OSI layer does IPSec primarily operate?
- Layer 2 (Data Link)
- Layer 3 (Network)
- Layer 4 (Transport)
- Layer 7 (Application)
Correct answer: Layer 3 (Network)
IPSec operates at the network layer (Layer 3), securing IP packets through authentication and encryption.
- Which IPSec mode encrypts the entire original IP packet and is commonly used for site-to-site VPNs?
- Transport mode
- Quick mode
- Tunnel mode
- Aggressive mode
Correct answer: Tunnel mode
Tunnel mode encrypts the entire original packet and encapsulates it in a new IP header, ideal for gateway-to-gateway VPNs.
- A VLAN provides security primarily by:
- Preventing all malware
- Encrypting all traffic within the segment
- Logically segmenting a network to isolate broadcast domains
- Authenticating users at the port
Correct answer: Logically segmenting a network to isolate broadcast domains
VLANs logically segment a network into separate broadcast domains, limiting the scope of traffic and containing some attacks.
- Which protocol provides secure name resolution by adding digital signatures to DNS records?
- DHCP snooping
- SNMPv3
- DNS over HTTPS
- DNSSEC
Correct answer: DNSSEC
DNSSEC adds cryptographic signatures to DNS records to provide origin authentication and integrity, mitigating cache poisoning.
- An attacker sends gratuitous ARP replies to associate their MAC address with the default gateway's IP. This attack is called:
- DNS poisoning
- SYN flooding
- Smurf attack
- ARP cache poisoning
Correct answer: ARP cache poisoning
ARP cache poisoning sends forged ARP messages to redirect traffic through the attacker, enabling man-in-the-middle attacks.
- Which of the following BEST describes a man-in-the-middle attack?
- Flooding a target with traffic
- Exploiting a buffer overflow
- Intercepting and possibly altering communications between two parties
- Guessing passwords through brute force
Correct answer: Intercepting and possibly altering communications between two parties
A man-in-the-middle attacker secretly relays and may alter communication between two parties who believe they are communicating directly.
- Which wireless security protocol is considered the most secure for enterprise Wi-Fi as of current standards?
- WEP
- WPA2-PSK
- WPA
- WPA3-Enterprise
Correct answer: WPA3-Enterprise
WPA3-Enterprise provides the strongest current Wi-Fi protection with improved key exchange and stronger encryption than its predecessors.
- A network design places public-facing servers in a segment isolated from the internal network. This segment is known as a:
- VPN concentrator
- Honeynet
- Air gap
- Demilitarized zone (DMZ)
Correct answer: Demilitarized zone (DMZ)
A DMZ is a screened subnet hosting public-facing services, isolating them from the trusted internal network.
- Which protocol operates at the transport layer and provides reliable, connection-oriented delivery?
Correct answer: TCP
TCP is a connection-oriented transport protocol that provides reliable, ordered delivery via acknowledgments and retransmission.
- A SYN flood attack targets which mechanism?
- TLS session resumption
- DNS record caching
- The TCP three-way handshake by exhausting half-open connections
- ARP table entries
Correct answer: The TCP three-way handshake by exhausting half-open connections
A SYN flood sends many SYN packets without completing the handshake, exhausting the target's connection table.
- Which technology allows multiple internal hosts to share a single public IP address?
- Quality of Service
- VLAN tagging
- Spanning Tree Protocol
- Network Address Translation (NAT)
Correct answer: Network Address Translation (NAT)
NAT maps multiple private internal addresses to one or more public addresses, conserving public IPs and obscuring internal addressing.
- 802.1X provides which capability on a wired or wireless network?
- Routing between subnets
- Encryption of all stored data
- Automatic IP address assignment
- Port-based network access control with authentication
Correct answer: Port-based network access control with authentication
802.1X enforces port-based access control, requiring authentication (often via a RADIUS server) before granting network access.
- Which of the following is a primary security concern with using older SNMP versions (v1 and v2c)?
- They cannot manage network devices
- They encrypt all traffic by default
- They require TLS certificates
- They send community strings in cleartext
Correct answer: They send community strings in cleartext
SNMPv1 and v2c transmit community strings (effectively passwords) in cleartext; SNMPv3 adds authentication and encryption.
- A content delivery network (CDN) primarily improves security and performance by:
- Replacing the need for firewalls
- Distributing and caching content closer to users and absorbing DDoS traffic
- Encrypting databases at rest
- Performing user authentication
Correct answer: Distributing and caching content closer to users and absorbing DDoS traffic
CDNs cache content at edge locations, improving performance and providing capacity to absorb volumetric DDoS attacks.
- Which of the following describes a key benefit of network segmentation for security?
- It removes the need for encryption
- It limits lateral movement and contains the blast radius of a compromise
- It guarantees zero downtime
- It eliminates the need for endpoint protection
Correct answer: It limits lateral movement and contains the blast radius of a compromise
Segmentation restricts an attacker's lateral movement, containing a breach to a smaller portion of the network.
- TLS 1.3 improved security over TLS 1.2 by:
- Using only symmetric keys
- Adding support for SSL 3.0 fallback
- Disabling certificate validation
- Removing obsolete and weak cryptographic algorithms and requiring forward secrecy
Correct answer: Removing obsolete and weak cryptographic algorithms and requiring forward secrecy
TLS 1.3 removed weak ciphers and legacy features, mandated forward secrecy, and streamlined the handshake.
- A jump server (jump box) is used to:
- Accelerate web content delivery
- Terminate VPN connections only
- Translate private to public IP addresses
- Provide a single, hardened, audited point of access to administer systems in a secure zone
Correct answer: Provide a single, hardened, audited point of access to administer systems in a secure zone
A jump server is a hardened, monitored host through which administrators access systems in a sensitive segment, centralizing and auditing access.
- Which attack overwhelms a target using multiple compromised systems to exhaust resources?
- Phishing
- Distributed denial of service (DDoS)
- Privilege escalation
- SQL injection
Correct answer: Distributed denial of service (DDoS)
A DDoS attack uses many compromised systems (a botnet) to flood a target and deny service to legitimate users.
- Which of the following BEST mitigates VLAN hopping attacks?
- Enabling DHCP
- Disabling automatic trunk negotiation and unused ports, and not using the default VLAN
- Increasing the MTU
- Using SNMPv1
Correct answer: Disabling automatic trunk negotiation and unused ports, and not using the default VLAN
Disabling Dynamic Trunking Protocol negotiation, shutting unused ports, and avoiding the default/native VLAN reduces VLAN hopping risk.
- Out-of-band management of network devices improves security by:
- Disabling all logging
- Allowing anonymous access
- Using the same channel as production traffic
- Separating administrative access onto a dedicated channel isolated from production traffic
Correct answer: Separating administrative access onto a dedicated channel isolated from production traffic
Out-of-band management uses a separate channel for administration, isolating it from production traffic and reducing exposure.
- Which protocol is used to securely transfer files and operates over SSH?
Correct answer: SFTP
SFTP runs over the SSH protocol, providing encrypted and authenticated file transfer, unlike plaintext FTP or TFTP.
- A microsegmentation strategy in a data center is BEST described as:
- Creating broad network zones
- Using a single flat network
- Applying granular, per-workload security policies often enforced in software
- Removing all internal firewalls
Correct answer: Applying granular, per-workload security policies often enforced in software
Microsegmentation applies fine-grained, per-workload policies (often via software-defined controls) to limit east-west traffic.
- Which authentication factor category does a fingerprint belong to?
- Something you know
- Something you are
- Somewhere you are
- Something you have
Correct answer: Something you are
A fingerprint is a biometric trait, falling under the 'something you are' factor category.
- What does the term 'Type I error' (false rejection rate) mean in biometrics?
- An authorized user is incorrectly rejected
- An unauthorized user is incorrectly accepted
- Two users have identical biometrics
- The system fails to enroll a user
Correct answer: An authorized user is incorrectly rejected
A Type I error, or false rejection, occurs when a legitimate, authorized user is wrongly denied access.
- The crossover error rate (CER) of a biometric system represents:
- The enrollment failure rate
- The maximum acceptable false acceptance rate
- The point where the false acceptance rate equals the false rejection rate
- The throughput of the device
Correct answer: The point where the false acceptance rate equals the false rejection rate
The CER is the point where FAR equals FRR; a lower CER indicates a more accurate biometric system.
- Which single sign-on protocol is an XML-based standard commonly used for federated authentication between organizations?
- OAuth 2.0
- RADIUS
- Kerberos
- SAML
Correct answer: SAML
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization assertions in federation.
- In Kerberos, what does the Key Distribution Center issue to a successfully authenticated user for subsequent service requests?
- A session cookie
- A one-time password
- A digital certificate
- A Ticket Granting Ticket (TGT)
Correct answer: A Ticket Granting Ticket (TGT)
After authentication, the KDC issues a Ticket Granting Ticket, which the user presents to obtain service tickets.
- OAuth 2.0 is primarily a framework for:
- Encryption of data at rest
- Physical access control
- Network segmentation
- Authorization and delegated access to resources
Correct answer: Authorization and delegated access to resources
OAuth 2.0 is an authorization framework that allows applications delegated access to resources without sharing credentials.
- OpenID Connect adds which capability on top of OAuth 2.0?
- An identity (authentication) layer providing user identity information
- Data encryption at rest
- Network routing
- File transfer
Correct answer: An identity (authentication) layer providing user identity information
OpenID Connect builds an authentication and identity layer on top of OAuth 2.0's authorization framework.
- Which access control model grants permissions based on a user's job function within the organization?
- Role-based access control (RBAC)
- Mandatory access control
- Rule-based access control
- Discretionary access control
Correct answer: Role-based access control (RBAC)
RBAC assigns permissions to roles that correspond to job functions, and users inherit permissions through their assigned roles.
- Attribute-based access control (ABAC) makes access decisions based on:
- Policies that evaluate attributes of the subject, object, action, and environment
- Only the user's role
- The data owner's discretion alone
- Security labels only
Correct answer: Policies that evaluate attributes of the subject, object, action, and environment
ABAC evaluates multiple attributes (subject, resource, action, and context) against policies to make dynamic access decisions.
- What is the PRIMARY purpose of a periodic access review (recertification)?
- To increase access for senior staff
- To verify that users still require their assigned access and remove inappropriate entitlements
- To reset all user passwords
- To encrypt user directories
Correct answer: To verify that users still require their assigned access and remove inappropriate entitlements
Access reviews confirm that granted entitlements remain appropriate, removing access that is no longer needed to combat privilege creep.
- Privilege creep occurs when:
- Users are given too little access
- Sessions remain open too long
- Passwords are reused
- Users accumulate access rights over time beyond what their current role requires
Correct answer: Users accumulate access rights over time beyond what their current role requires
Privilege creep is the gradual accumulation of access rights as users change roles without old permissions being revoked.
- A just-in-time (JIT) access model improves security by:
- Sharing administrative accounts
- Granting permanent administrative rights
- Disabling multifactor authentication
- Granting elevated access only for a limited time when needed and revoking it afterward
Correct answer: Granting elevated access only for a limited time when needed and revoking it afterward
JIT access provisions elevated privileges temporarily for a specific task and revokes them afterward, reducing standing privilege.
- Which of the following is the BEST example of multifactor authentication?
- A username and a password
- A smart card and a PIN
- A password and a security question
- Two different passwords
Correct answer: A smart card and a PIN
A smart card (something you have) combined with a PIN (something you know) uses two distinct factor categories, satisfying MFA.
- In identity federation, the entity that authenticates the user and issues assertions is the:
- Identity provider
- Service provider
- Relying party
- Certificate authority
Correct answer: Identity provider
The identity provider authenticates the user and issues assertions that the service provider (relying party) trusts.
- What is the main risk of orphaned accounts?
- They consume excessive bandwidth
- They slow down authentication
- They require frequent password changes
- They remain active without an owner and can be exploited for unauthorized access
Correct answer: They remain active without an owner and can be exploited for unauthorized access
Orphaned accounts belong to departed users or decommissioned services and provide an unmonitored avenue for attackers if not disabled.
- A federated identity system that allows a user to authenticate once and access multiple independent services without re-entering credentials describes:
- Multifactor authentication
- Single sign-on (SSO)
- Privileged access management
- Mandatory access control
Correct answer: Single sign-on (SSO)
Single sign-on lets a user authenticate once and gain access to multiple connected systems without re-authenticating.
- Which is a key disadvantage of single sign-on?
- It prevents the use of MFA
- Compromise of the single credential can grant access to all connected systems
- It cannot be used with federation
- Users must remember many passwords
Correct answer: Compromise of the single credential can grant access to all connected systems
SSO concentrates risk: if the single set of credentials is compromised, the attacker may access all linked systems, which is why SSO is often paired with strong MFA.
- A privileged access management (PAM) solution typically provides which capability?
- Data loss prevention for endpoints
- End-user web filtering
- Email encryption
- Credential vaulting, session recording, and temporary privilege elevation for administrators
Correct answer: Credential vaulting, session recording, and temporary privilege elevation for administrators
PAM solutions vault privileged credentials, broker and record privileged sessions, and grant temporary elevation, reducing standing administrative risk.
- Which provisioning lifecycle stage is MOST critical to security when an employee is terminated?
- Timely de-provisioning of access
- Role assignment
- Account creation
- Password rotation
Correct answer: Timely de-provisioning of access
Prompt de-provisioning upon termination prevents former employees from retaining access that could be misused.
- In the context of access control, accountability is achieved PRIMARILY through:
- Unique identification, authentication, and logging of subject actions
- Use of strong passwords only
- Encryption of data
- Network segmentation
Correct answer: Unique identification, authentication, and logging of subject actions
Accountability requires uniquely identifying and authenticating subjects and logging their actions so behavior can be attributed.
- A SAML assertion that conveys whether a subject is authorized to perform an action is a(n):
- Encryption assertion
- Authorization decision assertion
- Authentication assertion
- Attribute assertion
Correct answer: Authorization decision assertion
SAML defines authentication, attribute, and authorization decision assertions; the last of these conveys whether the subject may perform a requested action.
- Which of the following BEST reduces the risk of credential stuffing attacks?
- Disabling account lockout
- Allowing password reuse across sites
- Shortening password length requirements
- Enforcing MFA and monitoring for anomalous login patterns
Correct answer: Enforcing MFA and monitoring for anomalous login patterns
MFA and anomaly detection blunt credential stuffing, which relies on reused passwords leaked from other breaches.
- A device-based 'something you have' factor that generates time-based one-time codes is a:
- Smart lock
- TOTP authenticator (e.g., software/hardware token)
- Biometric scanner
- Password manager
Correct answer: TOTP authenticator (e.g., software/hardware token)
A TOTP authenticator generates time-based one-time passwords and represents a 'something you have' possession factor.
- Which type of security testing involves an authorized simulated attack to evaluate exploitability of vulnerabilities?
- Code review
- Log review
- Vulnerability scanning
- Penetration testing
Correct answer: Penetration testing
Penetration testing actively attempts to exploit vulnerabilities to demonstrate real-world impact, going beyond scanning.
- The key difference between a vulnerability scan and a penetration test is that a vulnerability scan:
- Requires no authorization
- Identifies and reports potential weaknesses without exploiting them
- Is performed only by attackers
- Always exploits findings
Correct answer: Identifies and reports potential weaknesses without exploiting them
A vulnerability scan identifies and reports potential weaknesses; a penetration test attempts to exploit them to prove impact.
- In software testing, which technique provides invalid, unexpected, or random data to a program to find flaws?
- Static analysis
- Unit testing
- Regression testing
- Fuzz testing
Correct answer: Fuzz testing
Fuzz testing feeds malformed or random inputs to a program to uncover crashes, memory errors, and unexpected behavior.
- Static application security testing (SAST) examines:
- Network traffic
- Physical access controls
- Source code or binaries without executing the program
- A running application's behavior
Correct answer: Source code or binaries without executing the program
SAST analyzes source code or binaries at rest, without executing the application, to find security flaws early.
- Dynamic application security testing (DAST) differs from SAST in that DAST:
- Tests the application while it is running, observing its behavior
- Reviews code line by line
- Only checks documentation
- Requires source code access
Correct answer: Tests the application while it is running, observing its behavior
DAST tests a running application from the outside, observing responses to inputs without needing source code.
- A test that combines elements of both static and dynamic analysis, instrumenting an application to observe behavior during execution, is called:
- Penetration testing
- Compliance auditing
- IAST (Interactive Application Security Testing)
- Black-box testing
Correct answer: IAST (Interactive Application Security Testing)
IAST instruments the running application to observe code behavior during execution, blending static and dynamic insights.
- In penetration testing, the term 'black box' indicates that the tester:
- Only reviews source code
- Has no prior knowledge of the internal system
- Is an internal employee
- Has full knowledge of the environment
Correct answer: Has no prior knowledge of the internal system
Black-box testing simulates an external attacker with no prior internal knowledge of the target environment.
- What is the PRIMARY purpose of a security control assessment?
- To determine whether controls are implemented correctly and operating as intended
- To increase the security budget
- To replace the need for audits
- To assign blame for incidents
Correct answer: To determine whether controls are implemented correctly and operating as intended
A security control assessment evaluates whether controls are correctly implemented and effective in meeting security objectives.
- Synthetic transactions are used in security monitoring to:
- Generate real customer orders
- Replace logging
- Encrypt application data
- Simulate user activity to proactively verify that systems and controls work as expected
Correct answer: Simulate user activity to proactively verify that systems and controls work as expected
Synthetic transactions simulate user interactions to proactively test availability, performance, and control effectiveness.
- A report that an independent auditor provides describing the design and operating effectiveness of a service organization's controls over a period is:
- ISO certificate
- SOC 2 Type II
- SOC 1 Type I
- PCI ROC
Correct answer: SOC 2 Type II
A SOC 2 Type II report evaluates the design and operating effectiveness of controls over a defined period, relevant to security and privacy.
- Which is the BEST reason to use an independent third party for a security assessment?
- It is always cheaper
- It eliminates the need for internal controls
- It provides objectivity and avoids conflicts of interest inherent in self-assessment
- It guarantees no vulnerabilities exist
Correct answer: It provides objectivity and avoids conflicts of interest inherent in self-assessment
An independent assessor brings objectivity and avoids the conflicts of interest that can compromise self-assessments.
- Code review that involves developers manually reading source code to find security issues is BEST classified as:
- Penetration testing
- Dynamic testing
- Manual static analysis
- Fuzzing
Correct answer: Manual static analysis
Manual code review reads source code without executing it, making it a form of manual static analysis.
- What does a false positive in vulnerability scanning represent?
- An exploited system
- A reported vulnerability that does not actually exist
- A real vulnerability the scanner missed
- A patched system
Correct answer: A reported vulnerability that does not actually exist
A false positive is a finding the scanner reports as a vulnerability when no real weakness exists, requiring validation.
- Which testing technique verifies that recent changes have not broken existing functionality or reintroduced vulnerabilities?
- Fuzz testing
- Penetration testing
- Regression testing
- Misuse case testing
Correct answer: Regression testing
Regression testing re-runs prior tests after changes to ensure existing functionality and security are not broken.
- Misuse case testing is designed to:
- Model how an attacker might abuse the system to test defenses
- Validate that the system performs intended functions
- Measure system performance under load
- Check spelling in documentation
Correct answer: Model how an attacker might abuse the system to test defenses
Misuse case testing models adversarial behavior and abuse scenarios to verify that the system resists misuse.
- In a coverage analysis of test cases, branch coverage measures:
- The percentage of lines executed
- The percentage of decision branches (true/false paths) exercised
- The number of testers involved
- The number of inputs tested
Correct answer: The percentage of decision branches (true/false paths) exercised
Branch coverage measures the proportion of decision outcomes (each true/false branch) exercised by the test suite.
- An organization wants assurance that log data has not been altered. The BEST control is:
- Forwarding logs to a centralized, write-once or integrity-protected log repository
- Storing logs only locally
- Disabling logging during maintenance
- Allowing administrators to edit logs
Correct answer: Forwarding logs to a centralized, write-once or integrity-protected log repository
Centralized, integrity-protected (e.g., write-once) log storage protects logs from tampering and supports reliable analysis.
- The PRIMARY reason to define a rules of engagement document before a penetration test is to:
- Guarantee no findings
- Establish scope, authorization, timing, and acceptable techniques to avoid legal and operational issues
- Allow the tester unlimited access
- Increase the cost of testing
Correct answer: Establish scope, authorization, timing, and acceptable techniques to avoid legal and operational issues
Rules of engagement set scope, authorization, timing, and limits, ensuring testing is legal, safe, and agreed upon.
- Which metric BEST helps management understand the effectiveness of a security awareness program over time?
- Number of firewalls deployed
- Total storage capacity
- Number of servers patched
- Trend in phishing simulation click rates
Correct answer: Trend in phishing simulation click rates
Tracking phishing simulation click rates over time provides a measurable indicator of awareness program effectiveness.
- A SOC 1 report is PRIMARILY concerned with:
- Application source code
- Network penetration results
- Physical security
- Controls relevant to financial reporting at a service organization
Correct answer: Controls relevant to financial reporting at a service organization
SOC 1 reports address controls at a service organization that are relevant to a client's financial reporting.
- During incident response, which phase focuses on limiting the scope and magnitude of an incident?
- Recovery
- Containment
- Lessons learned
- Detection
Correct answer: Containment
Containment limits the spread and impact of an incident before eradication and recovery can proceed.
- In digital forensics, maintaining a documented record of who handled evidence and when is known as:
- Hearsay
- Chain of custody
- Imaging
- Hashing
Correct answer: Chain of custody
Chain of custody documents the handling of evidence to preserve its integrity and admissibility in legal proceedings.
- The MOST important first action when responding to a confirmed security incident is typically to:
- Immediately wipe affected systems
- Follow the incident response plan and protect/preserve evidence while containing the threat
- Notify the media
- Disable all logging
Correct answer: Follow the incident response plan and protect/preserve evidence while containing the threat
Following the established plan and preserving evidence while containing the threat ensures an orderly, defensible response.
- Which backup strategy backs up only the data changed since the last full backup and does not reset the archive bit?
- Snapshot
- Differential backup
- Full backup
- Incremental backup
Correct answer: Differential backup
A differential backup captures all changes since the last full backup and does not clear the archive bit, so each differential grows until the next full backup.
- Which backup strategy captures only changes since the last backup of any type and resets the archive bit?
- Differential backup
- Incremental backup
- Full backup
- Mirror backup
Correct answer: Incremental backup
An incremental backup captures changes since the last backup of any type and clears the archive bit, minimizing backup time but lengthening restore time because the full backup plus every subsequent incremental must be applied.
- A disaster recovery site that is fully equipped and can be operational within minutes to hours is a:
- Warm site
- Cold site
- Hot site
- Mobile site
Correct answer: Hot site
A hot site is fully configured with hardware, software, and current data, enabling near-immediate failover.
- A cold site is characterized by:
- Immediate failover capability
- Pre-loaded applications and data
- Real-time data replication
- Basic facilities (power, space) but no preconfigured systems or current data
Correct answer: Basic facilities (power, space) but no preconfigured systems or current data
A cold site provides the physical space and utilities but lacks hardware and data, requiring significant time to become operational.
- The PRIMARY purpose of the 'lessons learned' phase of incident response is to:
- Assign punishment to staff
- Close the ticket as quickly as possible
- Notify shareholders
- Identify improvements to prevent recurrence and strengthen the response process
Correct answer: Identify improvements to prevent recurrence and strengthen the response process
The lessons-learned phase reviews the incident to improve controls and the response process, reducing future risk.
- Which control category does a security information and event management (SIEM) system MOST directly support?
- Detective
- Preventive
- Deterrent
- Physical
Correct answer: Detective
A SIEM aggregates and correlates logs to detect and alert on suspicious activity, primarily a detective control.
- What is the PRIMARY benefit of egress filtering at the network perimeter?
- Encrypting inbound email
- Detecting and blocking unauthorized outbound traffic such as data exfiltration or command-and-control
- Assigning IP addresses
- Speeding up internal traffic
Correct answer: Detecting and blocking unauthorized outbound traffic such as data exfiltration or command-and-control
Egress filtering controls outbound traffic, helping detect and stop data exfiltration and malware command-and-control communications.
- Configuration management's PRIMARY security value is to:
- Eliminate the need for patching
- Increase server count
- Establish and maintain known-good, documented system states and detect unauthorized changes
- Replace backups
Correct answer: Establish and maintain known-good, documented system states and detect unauthorized changes
Configuration management maintains baselines of approved system states and helps detect unauthorized or drifted configurations.
- Which patch management practice BEST balances security and stability?
- Test patches in a staging environment before deploying to production on a defined schedule
- Apply all patches to production immediately without testing
- Never patch production systems
- Patch only after a breach occurs
Correct answer: Test patches in a staging environment before deploying to production on a defined schedule
Testing patches in staging before scheduled production deployment reduces both security exposure and the risk of operational disruption.
- A honeypot is deployed PRIMARILY to:
- Attract and study attackers and detect malicious activity
- Serve production traffic
- Replace a firewall
- Back up critical data
Correct answer: Attract and study attackers and detect malicious activity
A honeypot is a decoy system designed to attract attackers, detect intrusions, and gather intelligence on attacker techniques.
- In forensic acquisition, why is a bit-for-bit image preferred over a logical file copy?
- It captures all data including slack space and deleted files, preserving evidentiary completeness
- It uses less storage
- It is faster to create
- It automatically decrypts data
Correct answer: It captures all data including slack space and deleted files, preserving evidentiary completeness
A bit-for-bit (physical) image captures the entire medium, including slack space and deleted data, preserving complete evidence.
- To prove that a forensic image has not been altered, an investigator typically:
- Compresses the image
- Encrypts the image with a personal key
- Renames the file
- Computes and records cryptographic hashes of the original and the image
Correct answer: Computes and records cryptographic hashes of the original and the image
Hashing the original media and the image and comparing the values proves the image is an exact, unaltered copy.
- Which of the following is the BEST example of a deterrent control?
- A locked server room door
- Warning signage and visible security cameras
- Data backups
- An intrusion detection system
Correct answer: Warning signage and visible security cameras
Deterrent controls discourage attackers from acting; visible cameras and warning signage are classic examples.
- A RAID 1 configuration provides:
- Parity across three or more disks
- Striping without redundancy
- Mirroring of data across two disks for redundancy
- No fault tolerance
Correct answer: Mirroring of data across two disks for redundancy
RAID 1 mirrors data across disks, providing redundancy so that a single disk failure does not cause data loss.
- During the eradication phase of incident response, the team should:
- Remove the root cause, such as malware and attacker footholds, from affected systems
- Notify customers
- Restore systems to production immediately
- Begin the lessons-learned meeting
Correct answer: Remove the root cause, such as malware and attacker footholds, from affected systems
Eradication removes the cause of the incident (malware, compromised accounts, persistence mechanisms) before recovery begins.
- Which concept ensures that a critical operation requires two authorized individuals to act simultaneously (e.g., dual control of keys)?
- Need to know
- Job rotation
- Least privilege
- Two-person control (dual control)
Correct answer: Two-person control (dual control)
Two-person (dual) control requires two authorized people to perform a sensitive operation together, preventing unilateral action.
- What is the PRIMARY objective of testing a disaster recovery plan?
- To replace backups
- To validate that the plan works and identify gaps before a real disaster
- To satisfy auditors only
- To reduce insurance premiums
Correct answer: To validate that the plan works and identify gaps before a real disaster
DR testing validates the plan's effectiveness and reveals gaps so they can be corrected before an actual disaster.
- A tabletop exercise for disaster recovery is BEST described as:
- A hardware replacement drill
- A discussion-based walkthrough of the response plan without disrupting operations
- A penetration test
- A full failover to the alternate site
Correct answer: A discussion-based walkthrough of the response plan without disrupting operations
A tabletop exercise is a discussion-based review of plan steps and roles, with no actual systems impacted.
- User and entity behavior analytics (UEBA) primarily helps to:
- Filter spam email
- Encrypt user data
- Provision new accounts
- Detect anomalies by baselining normal behavior and flagging deviations
Correct answer: Detect anomalies by baselining normal behavior and flagging deviations
UEBA baselines normal user and entity activity and flags deviations that may indicate compromise or insider threat.
- Which of the following is the MOST appropriate use of allow-listing (whitelisting) of applications?
- Permitting only explicitly approved applications to run, blocking everything else
- Allowing scripts from any source
- Blocking only known malware
- Permitting all applications by default
Correct answer: Permitting only explicitly approved applications to run, blocking everything else
Application allow-listing permits only explicitly approved software to execute, blocking unknown and unauthorized programs by default.
- In which software development phase should security requirements FIRST be defined to be most cost-effective?
- Deployment
- Testing
- Requirements/initiation
- Maintenance
Correct answer: Requirements/initiation
Defining security requirements early, during requirements gathering, is far cheaper than retrofitting security later in the lifecycle.
- Which vulnerability allows an attacker to inject malicious SQL commands through unvalidated input?
- Cross-site request forgery
- SQL injection
- Buffer overflow
- Cross-site scripting
Correct answer: SQL injection
SQL injection exploits unvalidated input that is concatenated into database queries, allowing attackers to manipulate the query.
- The MOST effective defense against SQL injection is:
- Encrypting the database
- Using parameterized queries (prepared statements) with input validation
- Restricting database size
- Hiding error messages
Correct answer: Using parameterized queries (prepared statements) with input validation
Parameterized queries separate code from data so user input cannot alter query structure; this is the primary defense against SQL injection.
- Cross-site scripting (XSS) primarily targets:
- The database server
- The file system directly
- The network router
- Other users' browsers by injecting malicious scripts into web content
Correct answer: Other users' browsers by injecting malicious scripts into web content
XSS injects malicious scripts into web pages that execute in other users' browsers, enabling session theft and other attacks.
- The BEST defense against cross-site scripting is:
- Increasing session timeout
- Using HTTP instead of HTTPS
- Disabling cookies
- Context-aware output encoding and input validation
Correct answer: Context-aware output encoding and input validation
Encoding output for the appropriate context and validating input prevents injected scripts from executing in the browser.
- Cross-site request forgery (CSRF) is BEST mitigated by:
- Increasing password length
- Disabling JavaScript
- Encrypting the database
- Using anti-CSRF tokens tied to the user session
Correct answer: Using anti-CSRF tokens tied to the user session
Anti-CSRF tokens unique to each session and request ensure that forged requests from other sites are rejected.
- In the software development lifecycle, the maintenance phase from a security perspective primarily involves:
- Applying patches, monitoring, and managing changes securely
- Initial requirements gathering
- Selecting the programming language
- Writing the original code
Correct answer: Applying patches, monitoring, and managing changes securely
During maintenance, security focuses on patching, monitoring, and managing changes to keep the software secure over time.
- Which practice integrates security into a DevOps pipeline, automating security testing throughout development and deployment?
- Waterfall
- DevSecOps
- Manual code review only
- Big-bang integration
Correct answer: DevSecOps
DevSecOps embeds automated security testing and controls throughout the CI/CD pipeline, shifting security left.
- The principle of 'shifting left' in secure development means:
- Removing testing entirely
- Delaying security testing until production
- Introducing security activities earlier in the development lifecycle
- Outsourcing all development
Correct answer: Introducing security activities earlier in the development lifecycle
Shifting left moves security testing and review earlier in the lifecycle, where defects are cheaper and easier to fix.
- A software composition analysis (SCA) tool is used to:
- Identify known vulnerabilities and license issues in third-party and open-source components
- Manage user identities
- Test running applications dynamically
- Encrypt source code
Correct answer: Identify known vulnerabilities and license issues in third-party and open-source components
SCA tools inventory open-source and third-party components and flag known vulnerabilities and licensing concerns.
- Insecure deserialization can lead to which serious outcome?
- Improved performance
- Faster database queries
- Remote code execution or privilege escalation when untrusted data is deserialized
- Stronger encryption
Correct answer: Remote code execution or privilege escalation when untrusted data is deserialized
Deserializing untrusted data without validation can let attackers manipulate objects to execute code or escalate privileges.
- What is the PRIMARY security purpose of input validation?
- To speed up the application
- To reduce storage requirements
- To ensure that data conforms to expected format and reject malicious or malformed input
- To improve user interface design
Correct answer: To ensure that data conforms to expected format and reject malicious or malformed input
Input validation ensures incoming data matches expected formats and constraints, blocking many injection and manipulation attacks.
- A race condition (time-of-check to time-of-use) vulnerability occurs when:
- The state of a resource changes between the check and its use
- Code is compiled twice
- Two users share one password
- A buffer is too small
Correct answer: The state of a resource changes between the check and its use
A TOCTOU race condition arises when a resource's state changes between the time it is checked and the time it is used, enabling exploitation.
- Which type of testing is performed by end users to confirm software meets business requirements before final acceptance?
- User acceptance testing (UAT)
- Integration testing
- Fuzz testing
- Unit testing
Correct answer: User acceptance testing (UAT)
User acceptance testing validates that the software meets business needs and is acceptable to users before release.
- The OWASP Top 10 is BEST described as:
- A list of approved firewalls
- A penetration testing tool
- A programming language specification
- A standard awareness document of the most critical web application security risks
Correct answer: A standard awareness document of the most critical web application security risks
The OWASP Top 10 is a widely used awareness document highlighting the most critical web application security risks.
- A change management process in software development PRIMARILY helps security by:
- Removing version control
- Ensuring changes are reviewed, approved, and documented to prevent unauthorized or risky modifications
- Increasing deployment speed at any cost
- Eliminating the need for testing
Correct answer: Ensuring changes are reviewed, approved, and documented to prevent unauthorized or risky modifications
Formal change management ensures modifications are reviewed, approved, tested, and documented, reducing the risk of insecure or unauthorized changes.
- Which maturity model is specifically used to assess and improve the security of software development practices?
- COSO
- ITIL
- CMMI for acquisition
- BSIMM or OWASP SAMM
Correct answer: BSIMM or OWASP SAMM
BSIMM and OWASP SAMM are models used to measure and improve software security practices within development programs.
- Hardcoding credentials in source code is dangerous because:
- It is required by most frameworks
- It encrypts the secrets
- It improves performance
- Anyone with access to the code or repository can obtain the secrets
Correct answer: Anyone with access to the code or repository can obtain the secrets
Hardcoded secrets in source code can be exposed to anyone with repository access and are difficult to rotate, so secrets should be stored in a secure vault.
- A new analyst asks what the CIA triad means in information security. Which statement BEST describes the three goals it represents?
- Control, inspection, and auditing of systems
- Classification, identification, and authorization of users
- Cryptography, isolation, and accountability of data
- Confidentiality, integrity, and availability of information assets
Correct answer: Confidentiality, integrity, and availability of information assets
The CIA triad stands for confidentiality, integrity, and availability. Confidentiality keeps information from unauthorized disclosure, integrity ensures data is accurate and unaltered, and availability ensures authorized users can access systems and data when needed. The triad is the foundational model for setting security objectives and selecting controls.
- The ISC2 2024 CISSP outline expands the classic CIA triad to five pillars of information security. Which two services are added alongside confidentiality, integrity, and availability?
- Anonymity and resilience
- Authenticity and nonrepudiation
- Accountability and auditability
- Authorization and attribution
Correct answer: Authenticity and nonrepudiation
The five pillars add authenticity and nonrepudiation to confidentiality, integrity, and availability. Authenticity confirms that data and its source are genuine, while nonrepudiation ensures a party cannot deny having performed an action. Accountability and auditability are supporting concepts but are not the two pillars named in the current outline.
- A risk team must choose between a quantitative and a qualitative risk analysis for a new project. What is the PRIMARY distinction between the two approaches?
- Quantitative analysis is faster, while qualitative analysis is always more accurate
- Quantitative analysis is used only for compliance, while qualitative is used only for audits
- Quantitative analysis requires no data, while qualitative analysis requires historical loss records
- Quantitative analysis assigns objective monetary values, while qualitative analysis uses relative ratings such as high, medium, and low
Correct answer: Quantitative analysis assigns objective monetary values, while qualitative analysis uses relative ratings such as high, medium, and low
Quantitative risk analysis assigns objective, numeric monetary values such as SLE and ALE, whereas qualitative analysis uses subjective, relative ratings like high, medium, and low. Quantitative analysis is harder to perform because it depends on reliable data, while qualitative analysis is faster but less precise. Many organizations combine both in a hybrid approach.
- An asset is valued at $80,000, and a fire would destroy an estimated 60% of its value. What is the single loss expectancy (SLE) for a fire event?
- $80,000
- $60,000
- $48,000
- $32,000
Correct answer: $48,000
The single loss expectancy is the asset value multiplied by the exposure factor: $80,000 x 0.60 = $48,000. SLE represents the expected monetary loss from one occurrence of a specific threat. Multiplying SLE by the annualized rate of occurrence then yields the annualized loss expectancy (ALE).
- An organization wants an internationally recognized, certifiable standard for establishing an information security management system (ISMS) audited by an accredited third party. Which statement BEST contrasts ISO/IEC 27001 with the NIST Cybersecurity Framework?
- ISO/IEC 27001 is a US-only mandate, while the NIST CSF is internationally certifiable
- Both are mandatory federal regulations with identical control sets
- ISO/IEC 27001 applies only to government agencies, while the NIST CSF applies only to private companies
- ISO/IEC 27001 is a certifiable ISMS standard verified by an external auditor, while the NIST CSF is a voluntary framework organizations typically self-assess against
Correct answer: ISO/IEC 27001 is a certifiable ISMS standard verified by an external auditor, while the NIST CSF is a voluntary framework organizations typically self-assess against
ISO/IEC 27001 is an internationally recognized, certifiable ISMS standard whose conformity is verified by an accredited external auditor, with certification valid for a three-year cycle. The NIST Cybersecurity Framework is a voluntary, flexible framework that organizations generally self-assess against rather than being formally certified. The two overlap heavily and are often used together.
- A security architect is choosing a governance framework specifically designed to align IT and security with enterprise objectives and define management and governance processes. Which of the following is a recognized security governance framework for that purpose?
- COBIT
- STRIDE
- Diamond Model
- OWASP Top 10
Correct answer: COBIT
COBIT is a governance framework that aligns IT and security activities with enterprise goals and separates governance from management processes. STRIDE is a threat-modeling method, the OWASP Top 10 is an application-security awareness list, and the Diamond Model is an intrusion-analysis method, so none of those serve as enterprise security governance frameworks.
- A compliance officer is mapping which regulation applies to each data type the company holds: EU residents' personal data, US patient health records, and credit card transactions. Which mapping is correct?
- HIPAA covers EU personal data, GDPR covers health records, and PCI DSS covers government secrets
- GDPR covers EU personal data, HIPAA covers US protected health information, and PCI DSS covers cardholder data
- GDPR covers cardholder data, HIPAA covers EU personal data, and PCI DSS covers health records
- All three apply only to US federal agencies
Correct answer: GDPR covers EU personal data, HIPAA covers US protected health information, and PCI DSS covers cardholder data
GDPR governs the personal data of individuals in the EU, HIPAA governs protected health information in the United States, and PCI DSS is a contractual standard governing the handling of payment cardholder data. Each has a distinct scope, though they can overlap, for example when a healthcare provider also processes card payments.
- A company has developed a confidential manufacturing process that gives it a competitive edge and intends to protect it indefinitely without public disclosure. Which form of intellectual property protection is MOST appropriate?
- Copyright
- Trade secret
- Trademark
- Patent
Correct answer: Trade secret
A trade secret protects confidential business information indefinitely as long as it is kept secret and the owner takes reasonable measures to protect it, with no public disclosure required. A patent, by contrast, requires public disclosure and grants protection only for a limited term, after which the invention enters the public domain.
- A finance manager has the ability to both create a new vendor record and approve payments to that vendor. A security review flags this as excessive risk. Beyond simply enforcing separation of duties for one person, which additional control divides the privilege among multiple individuals so collusion is required to commit fraud?
- Split knowledge combined with dual control over the vendor-creation and payment-approval functions
- Mandatory vacation for the finance manager
- Increasing password complexity requirements
- Single sign-on across finance applications
Correct answer: Split knowledge combined with dual control over the vendor-creation and payment-approval functions
Splitting the privilege so that no one person controls both functions, and requiring dual control, means fraud can occur only through collusion between two parties. Separation of duties is the underlying principle, and split knowledge plus dual control operationalize it for high-risk transactions. Mandatory vacation is a detective control and password complexity addresses authentication, not transaction fraud.
- An organization rotates employees through different positions within a department every six months. Which security benefit is the PRIMARY purpose of this practice?
- Reducing the cost of security awareness training
- Eliminating the need for access reviews
- Removing the requirement for least privilege
- Detecting fraud or errors that depend on a single person retaining a role
Correct answer: Detecting fraud or errors that depend on a single person retaining a role
Job rotation moves personnel through roles so that fraudulent or erroneous activity dependent on one person staying in place is more likely to be uncovered by a successor. It also reduces single points of knowledge and supports cross-training. It does not replace access reviews or least privilege, which remain necessary.
- Senior leadership has set the organization's risk appetite. A security manager must explain how risk appetite differs from risk tolerance. Which description is correct?
- Risk appetite is the broad level of risk the organization is willing to pursue, while risk tolerance is the acceptable variation around specific objectives
- Risk appetite is set by auditors, while risk tolerance is set by attackers
- Risk appetite applies only to financial risk, while risk tolerance applies only to cyber risk
- Risk appetite and risk tolerance are identical terms with no practical difference
Correct answer: Risk appetite is the broad level of risk the organization is willing to pursue, while risk tolerance is the acceptable variation around specific objectives
Risk appetite is the overall amount and type of risk an organization is willing to accept in pursuit of its mission, set at the strategic level. Risk tolerance is the acceptable degree of variation around specific objectives or controls. Both are defined by senior management, not auditors or attackers, and they apply across all risk categories.
- After identifying threats with a structured method, a team must prioritize them by estimating likelihood and impact. In the context of threat modeling, which method is a risk-ranking scheme rather than a threat-categorization scheme?
Correct answer: DREAD
DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) is a scheme for rating and ranking the severity of identified threats. STRIDE categorizes threat types, while PASTA and VAST are broader threat-modeling methodologies. Distinguishing categorization from prioritization is key to applying these methods correctly.
- A multinational SaaS provider processes personal data of EU residents. Under GDPR, what is the maximum administrative fine for the most serious category of infringements?
- A fixed fine of 100,000 euros per violation
- Up to 5 million euros or 1% of annual turnover, whichever is lower
- Up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher
- Up to 50 million euros with no turnover-based alternative
Correct answer: Up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher
For the most serious GDPR infringements, fines can reach up to 20 million euros or 4% of the organization's total worldwide annual turnover of the preceding year, whichever is higher. A lower tier caps at 10 million euros or 2% of turnover. Understanding these thresholds helps justify the business case for privacy controls.
- During business continuity planning, a team computes the maximum length of time a critical business function can be unavailable before the organization suffers unacceptable consequences. Which metric have they defined?
- Recovery Point Objective (RPO)
- Annualized Rate of Occurrence (ARO)
- Mean Time Between Failures (MTBF)
- Maximum Tolerable Downtime (MTD)
Correct answer: Maximum Tolerable Downtime (MTD)
Maximum Tolerable Downtime (also called maximum tolerable period of disruption) is the longest a function can be down before consequences become unacceptable. RPO concerns data loss measured in time, MTBF is a reliability metric, and ARO is a risk-frequency figure. RTO and WRT must together fit within the MTD.
- An organization is assembling its business continuity program and must decide which step establishes the criticality and recovery priorities of business processes. Which activity provides that foundation?
- Penetration testing
- Vendor selection
- Business impact analysis (BIA)
- Tabletop incident response exercise
Correct answer: Business impact analysis (BIA)
The business impact analysis identifies critical business functions, the resources they depend on, and the financial and operational impact of their disruption over time, producing recovery priorities and objectives. Penetration testing and tabletop exercises are valuable but do not establish process criticality. The BIA's outputs drive continuity and disaster recovery design.
- A CISO must select a control framework that provides a comprehensive catalog of security and privacy controls for US federal information systems and is widely adopted by contractors. Which framework BEST fits this need?
- ITIL
- ISO 9001
- Six Sigma
- NIST SP 800-53
Correct answer: NIST SP 800-53
NIST SP 800-53 provides a comprehensive catalog of security and privacy controls used by US federal systems and many private organizations. ISO 9001 addresses quality management, ITIL addresses IT service management, and Six Sigma is a process-improvement methodology, none of which is a security control catalog.
- As organizations integrate machine learning models and large language models into operations, the ISC2 outline now emphasizes managing AI-related risk. Which approach BEST reflects sound security and risk management for adopting a third-party AI service?
- Treat AI services as exempt from third-party risk assessment because the vendor is responsible for all security
- Block all AI tools permanently since no governance model can apply
- Rely solely on the AI vendor's marketing claims without contractual or technical review
- Extend existing risk management and third-party/supply-chain governance to evaluate the AI provider's data handling, model risks, and contractual controls
Correct answer: Extend existing risk management and third-party/supply-chain governance to evaluate the AI provider's data handling, model risks, and contractual controls
Sound practice extends the organization's existing risk management and third-party/supply-chain governance to AI, assessing the provider's data handling, model and output risks, and contractual safeguards. Treating AI as exempt ignores supply-chain risk, and a blanket permanent ban is rarely a balanced business decision. Establishing AI governance is now an explicit Domain 1 concern.
- A company decides that an emerging line of business carries unacceptable legal and reputational risk and chooses to discontinue the activity entirely rather than mitigate it. Which risk treatment does this represent?
- Risk mitigation
- Risk acceptance
- Risk transference
- Risk avoidance
Correct answer: Risk avoidance
Eliminating the risk by ceasing the activity that creates it is risk avoidance. Acceptance would mean continuing the activity and absorbing the risk, transference would shift the financial impact to a third party, and mitigation would reduce the risk through controls while continuing the activity. Avoidance removes the exposure but may forgo a business opportunity.
- A security manager must establish how policies, standards, baselines, procedures, and guidelines relate to one another. Which statement correctly describes a guideline?
- A guideline is a recommended, non-mandatory set of suggestions for achieving security objectives
- A guideline is a mandatory high-level statement of management intent
- A guideline is a step-by-step mandatory set of instructions
- A guideline specifies a mandatory minimum configuration for a system
Correct answer: A guideline is a recommended, non-mandatory set of suggestions for achieving security objectives
A guideline offers recommended, discretionary advice for meeting security objectives and is not mandatory. Mandatory documents include policies (high-level intent), standards (specific mandatory requirements), baselines (minimum configurations), and procedures (step-by-step instructions). Mislabeling a guideline as mandatory undermines the document hierarchy.
- A US-based organization handling sensitive financial information must comply with a law requiring safeguards for customer financial data and the issuance of privacy notices. Which regulation imposes these requirements on financial institutions?
- Family Educational Rights and Privacy Act (FERPA)
- Children's Online Privacy Protection Act (COPPA)
- Sarbanes-Oxley Act (SOX) only
- Gramm-Leach-Bliley Act (GLBA)
Correct answer: Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to protect customer financial information through its Safeguards Rule and to provide privacy notices under its Privacy Rule. FERPA governs education records, COPPA governs children's online data, and SOX focuses on financial reporting integrity rather than customer-data safeguards.
- When measuring the effectiveness of a security awareness program, which metric BEST indicates whether the training is actually changing behavior rather than merely being completed?
- The file size of the training videos delivered
- The number of employees who logged into the training portal
- The total budget spent on the training platform
- The phishing simulation click-through rate trending downward over time
Correct answer: The phishing simulation click-through rate trending downward over time
A declining phishing simulation click-through rate is an outcome metric showing that behavior is changing, which is the goal of awareness training. Login counts and budget are activity or input metrics that show effort, not effectiveness. Measuring behavioral outcomes is the stronger way to demonstrate program value to leadership.
- A risk analyst calculates the annualized loss expectancy for two countermeasures and compares it to the annual cost of each control to decide which is justified. This comparison is BEST described as:
- A cost-benefit analysis where a control is justified if (ALE before minus ALE after) exceeds the annual cost of the control
- A qualitative heat-map assessment with no monetary inputs
- A penetration test scoping exercise
- A data classification scheme
Correct answer: A cost-benefit analysis where a control is justified if (ALE before minus ALE after) exceeds the annual cost of the control
A cost-benefit analysis compares the reduction in annualized loss expectancy a control provides against the control's annual cost; the control is justified when the savings exceed the cost. This is a quantitative technique relying on ALE figures, not a qualitative heat map. It helps leadership prioritize spending on the controls that deliver the greatest net risk reduction.
- An organization outsources part of its operations to a supplier that in turn relies on its own subcontractors. To manage this exposure, the security program should PRIMARILY focus on:
- Limiting review to the supplier's marketing website
- Assuming the prime supplier's certification automatically covers all subcontractors
- Eliminating all contracts to remove third-party risk entirely
- Supply-chain risk management, including assessing fourth-party (downstream) dependencies and flowing security requirements through contracts
Correct answer: Supply-chain risk management, including assessing fourth-party (downstream) dependencies and flowing security requirements through contracts
Effective supply-chain risk management assesses not only direct suppliers but also their subcontractors (fourth parties) and uses contractual flow-down of security requirements and right-to-audit provisions. A prime supplier's certification does not automatically extend to its subcontractors. Eliminating all contracts is impractical, so the goal is to manage and monitor the chain.
- A security professional discovers that an action requested by management would violate the law. Applying the ISC2 Code of Ethics canons in their order of precedence, which obligation ranks HIGHEST?
- Provide diligent and competent service to principals
- Advance and protect the profession
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act in the financial interest of the employer above all else
Correct answer: Protect society, the common good, necessary public trust and confidence, and the infrastructure
The ISC2 canons are applied in order, with protecting society, the common good, public trust, and the infrastructure ranked highest as Canon 1. Canon 2 requires acting honorably, honestly, justly, responsibly, and legally. Canon 3 is providing diligent and competent service to principals, and Canon 4 is advancing and protecting the profession. Acting purely in the employer's financial interest is not a canon and would not justify an illegal act.
- A multinational firm transfers EU personal data to its US operations and needs a lawful transfer mechanism under GDPR after earlier frameworks were invalidated. Which mechanism is a recognized safeguard for such cross-border transfers?
- PCI DSS attestation of compliance
- Standard Contractual Clauses (SCCs) approved by the European Commission
- A simple internal email authorizing the transfer
- An ISO 9001 quality certificate
Correct answer: Standard Contractual Clauses (SCCs) approved by the European Commission
Standard Contractual Clauses are European Commission-approved contractual terms that provide an adequate safeguard for transferring EU personal data to countries without an adequacy decision. Binding Corporate Rules are another recognized mechanism for intra-group transfers. PCI DSS attestation and ISO 9001 certificates address different domains and do not authorize cross-border personal-data transfers.
- A commercial bank is establishing data classification levels for its private-sector information. It wants the standard four-tier commercial scheme, ordered from most to least sensitive. Which ordering correctly reflects a typical commercial (non-government) classification hierarchy?
- Restricted, Internal, Need-to-Know, Open
- Top Secret, Secret, Confidential, Unclassified
- Critical, Important, Standard, Optional
- Confidential, Private, Sensitive, Public
Correct answer: Confidential, Private, Sensitive, Public
The correct commercial hierarchy is Confidential, Private, Sensitive, Public, from most to least sensitive. In the private-sector scheme commonly referenced in the CISSP CBK, Confidential is the highest tier for the most sensitive internal data, Private covers internal-only data about the organization or its people, Sensitive is data requiring protection above Public, and Public is information whose disclosure causes no harm. Top Secret, Secret, Confidential, Unclassified is the U.S. government (military) scheme, not the commercial one.
- An organization is writing a data retention policy. Which input MOST directly determines the minimum length of time a given record category must be kept?
- The compression ratio achievable on the archive medium
- The available capacity of the backup storage system
- The preference of the employee who created the record
- Legal, regulatory, and contractual requirements applicable to that record type
Correct answer: Legal, regulatory, and contractual requirements applicable to that record type
Legal, regulatory, and contractual requirements applicable to the record type set the minimum retention period in a data retention policy. A retention schedule maps each record category to a required duration driven by statutes, regulators, and contracts; business need may extend retention but cannot shorten it below the legal floor. Storage capacity, individual preference, and compression ratios are operational factors that do not establish how long records must legally be kept.
- A records manager argues that the company should keep all customer emails indefinitely 'just in case.' From a data retention policy standpoint, what is the BEST reason to set a defined maximum retention period and dispose of data afterward?
- Defined disposal reduces e-discovery scope, breach exposure, and storage cost while supporting legal-hold compliance
- Indefinite retention always violates copyright law
- Disposal is required to keep backups running quickly
- Older data is automatically more accurate than new data
Correct answer: Defined disposal reduces e-discovery scope, breach exposure, and storage cost while supporting legal-hold compliance
Setting a defined maximum retention period and disposing of data afterward reduces e-discovery scope, breach exposure, and storage cost while supporting legal-hold compliance. A retention policy with enforced disposal limits the volume of data subject to litigation discovery and the amount exposed in a breach, and it demonstrates defensible, consistent handling. Indefinite 'just in case' retention increases liability rather than reducing it, and the other options are not the governing rationale.
- After running a standard logical overwrite on a hard drive, a forensic team using laboratory techniques is still able to recover fragments of the original data. The residual data that survived the erasure attempt is BEST described as which of the following?
- A covert storage channel
- Data in transit
- Data aggregation
- Data remanence
Correct answer: Data remanence
The residual data surviving an erasure attempt is data remanence. Data remanence is the leftover physical representation of information that persists even after logical deletion, formatting, or a single overwrite, and it is exactly why higher-assurance sanitization (purge or destroy) is needed for sensitive media. Data in transit and aggregation describe unrelated concepts, and a covert storage channel is a means of unauthorized information flow, not residual data.
- A security engineer wants to eliminate data remanence on a stack of decommissioned magnetic hard disk drives that will NOT be reused, using a method classified as Purge under NIST media-sanitization guidance. Which technique is MOST appropriate?
- Deleting all visible files and emptying the recycle bin
- Degaussing each drive with a NIST-rated degausser
- Reformatting the file system on each drive
- Copying random files over the drive until it is full
Correct answer: Degaussing each drive with a NIST-rated degausser
Degaussing each drive with a NIST-rated degausser is the appropriate Purge method for magnetic HDDs being retired. Degaussing applies a strong magnetic field that disrupts the magnetic domains, addressing data remanence against laboratory recovery; NIST classifies it as Purge and it renders the magnetic drive unusable afterward, which is acceptable since the drives are not being reused. Reformatting, file deletion, and copying files are only Clear-level (or weaker) actions that can leave remanence recoverable in a lab.
- An administrator plans to degauss a batch of solid-state drives (SSDs) and USB flash drives to sanitize them before disposal. Why is degaussing the WRONG choice for this media, and what should be used instead?
- Flash and SSD store data in non-magnetic NAND cells, so degaussing does not erase them; use cryptographic erase or physical destruction instead
- Degaussing works fine on flash; no change is needed
- Flash drives must be reformatted three times, after which degaussing succeeds
- Degaussing only works on optical discs, so use degaussing only for CDs
Correct answer: Flash and SSD store data in non-magnetic NAND cells, so degaussing does not erase them; use cryptographic erase or physical destruction instead
Flash and SSDs store data in non-magnetic NAND cells, so degaussing does not erase them; cryptographic erase or physical destruction should be used instead. A degausser only affects magnetic media such as tapes and spinning HDDs, and it has no effect on solid-state storage; in addition, wear-leveling on SSDs can leave overwrite-resistant remnants, which is why crypto-erase (destroying the encryption key) or shredding/pulverizing is recommended for flash. The other options misstate how flash media works.
- In a data-governance model, a business unit leader is formally accountable for a customer dataset: she defines its classification, approves who may access it, and sets handling rules, but she does not perform backups or configure permissions herself. Which role is she filling?
- Data processor
- Data custodian
- Data owner
- Data subject
Correct answer: Data owner
She is filling the data owner role. The data owner holds accountability for an information asset and decides its classification, access approvals, and handling requirements, while delegating the hands-on technical protection (backups, permission configuration) to a custodian. A custodian implements controls rather than setting policy, a processor handles data on instructions from a controller, and a data subject is the individual the personal data describes.
- NIST SP 800-88 was revised in 2025 (Revision 2), which points organizations to IEEE 2883-2022 for approved sanitization techniques while retaining three sanitization categories. Which set of categories does the guidance use to describe increasing levels of assurance against data recovery?
- Label, Store, Retain
- Encrypt, Compress, Archive
- Backup, Mirror, Replicate
- Clear, Purge, Destroy
Correct answer: Clear, Purge, Destroy
The categories are Clear, Purge, and Destroy, in increasing order of assurance against recovery. Clear uses standard read/write commands to resist simple, non-invasive recovery; Purge (for example degaussing, cryptographic erase, or firmware sanitize) resists laboratory recovery; and Destroy physically renders media unusable for the highest assurance. NIST SP 800-88 Rev. 2 (2025) keeps these three categories and references IEEE 2883-2022 for the specific approved methods. The other groupings describe storage or data-protection operations, not sanitization assurance levels.
- A hospital is selecting a baseline of security controls for a new system that stores patient records. The chosen control baseline does not address a specific state privacy statute that applies to the hospital. Within asset-security control selection, what is the BEST next step?
- Discard the baseline entirely and start from zero
- Accept the gap because the baseline was pre-approved
- Tailor the baseline by supplementing it with the additional controls needed to satisfy the statute
- Lower the data classification so the statute no longer applies
Correct answer: Tailor the baseline by supplementing it with the additional controls needed to satisfy the statute
The best step is to tailor the baseline by supplementing it with the additional controls needed to satisfy the statute. Tailoring adjusts a starting baseline to the environment through scoping out inapplicable controls, adding compensating or supplemental controls, and setting parameter values; adding controls to meet a specific legal requirement is a normal tailoring activity. Discarding the baseline wastes a sound starting point, manipulating classification to dodge a law is improper, and accepting an unmet legal requirement is not defensible.
- A privacy team wants to share a customer dataset with analysts but reduce the risk of re-identifying individuals. They replace direct identifiers with consistent surrogate values and generalize quasi-identifiers like ZIP code and birth date. Which data-protection technique are they applying?
- RAID mirroring
- De-identification (pseudonymization and generalization)
- Degaussing
- Full-disk encryption
Correct answer: De-identification (pseudonymization and generalization)
They are applying de-identification through pseudonymization and generalization. De-identification reduces the linkability of data to individuals by substituting direct identifiers with surrogates (pseudonymization) and by coarsening quasi-identifiers such as ZIP and birth date (generalization), which lowers re-identification risk while preserving analytic value. Full-disk encryption protects data at rest but does not reduce re-identification once decrypted, degaussing is a sanitization method, and RAID mirroring is for availability.
- An organization defines an asset's End of Life (EOL) and End of Support (EOS) dates as part of asset management. From a security perspective, why is tracking EOL/EOS critical for asset security?
- EOL and EOS only matter for physical building access, not data
- After EOS the vendor doubles the warranty period automatically
- EOL dates determine the data classification level of the asset
- After EOS the vendor stops issuing security patches, so unpatched vulnerabilities accumulate and the asset must be replaced or compensated for
Correct answer: After EOS the vendor stops issuing security patches, so unpatched vulnerabilities accumulate and the asset must be replaced or compensated for
Tracking EOL/EOS matters because after End of Support the vendor stops issuing security patches, so unpatched vulnerabilities accumulate and the asset must be replaced or have compensating controls applied. Running unsupported hardware or software leaves known flaws unfixable, raising risk to the data the asset handles, which is why lifecycle dates feed remediation and refresh planning. EOS does not extend warranties, set classification, or pertain only to physical access.
- A military system must prevent a user holding only a Confidential clearance from viewing data marked Top Secret. Which property of the Bell-LaPadula confidentiality model directly enforces this restriction?
- The Star (*) Property, often summarized as 'no write down'
- The Discretionary Security Property, governed by an access matrix
- The Simple Security Property, often summarized as 'no read up'
- The Strong Tranquility Property, which freezes labels
Correct answer: The Simple Security Property, often summarized as 'no read up'
The Simple Security Property ('no read up') is what stops a subject from reading data classified above its clearance, so a Confidential user cannot view Top Secret data. The Star Property ('no write down') prevents writing to a lower level, which protects against leaking information downward but is not what blocks reading higher data. Bell-LaPadula is a confidentiality model built around these two mandatory rules.
- In the Biba integrity model, a high-integrity process is prevented from reading a low-integrity file so it cannot be corrupted by untrustworthy data. Which Biba rule expresses this behavior?
- The Star Integrity Property, summarized as 'no write up'
- The Simple Security Property, summarized as 'no read up'
- The Simple Integrity Property, summarized as 'no read down'
- The Invocation Property, governing subject-to-subject calls
Correct answer: The Simple Integrity Property, summarized as 'no read down'
The Simple Integrity Property ('no read down') prevents a high-integrity subject from reading lower-integrity data, protecting it from contamination. The Star Integrity Property ('no write up') stops a low-integrity subject from writing to higher-integrity objects. Biba's rules are the inverse of Bell-LaPadula because Biba protects integrity rather than confidentiality.
- A security architect is asked to summarize the fundamental difference between the Bell-LaPadula and Biba access control models. Which statement is MOST accurate?
- Bell-LaPadula protects integrity while Biba protects availability, using the same axioms
- Bell-LaPadula protects confidentiality with no-read-up and no-write-down, while Biba protects integrity with no-read-down and no-write-up
- Bell-LaPadula uses discretionary access control while Biba uses role-based access control
- Both models protect confidentiality, but Biba adds dynamic separation of duties
Correct answer: Bell-LaPadula protects confidentiality with no-read-up and no-write-down, while Biba protects integrity with no-read-down and no-write-up
Bell-LaPadula protects confidentiality using no-read-up and no-write-down, whereas Biba protects integrity using the inverted rules no-read-down and no-write-up. The two are mirror images: one keeps secrets from flowing down to unauthorized levels, the other keeps low-quality data from flowing up to corrupt trusted information. Neither model addresses availability, and both are lattice-based mandatory models rather than DAC or RBAC.
- A commercial bank wants users to modify financial records only through audited, programmed transactions rather than directly editing the data. Which integrity model is specifically designed around well-formed transactions and an access control triple of subject, program, and object?
- The Graham-Denning model
- The Clark-Wilson model
- The Brewer-Nash (Chinese Wall) model
- The Bell-LaPadula model
Correct answer: The Clark-Wilson model
The Clark-Wilson model enforces integrity in commercial systems by requiring subjects to act on constrained data items only through certified transformation procedures, forming the subject-program-object access control triple. It also mandates separation of duties so the person who certifies a transaction differs from the one who implements it. Bell-LaPadula addresses confidentiality, not transaction-based commercial integrity.
- Under the Clark-Wilson model, what is the role of a transformation procedure (TP)?
- It records the clearance level of each user accessing the system
- It is the only mechanism allowed to change a constrained data item from one valid state to another
- It encrypts constrained data items while they are at rest
- It assigns mandatory confidentiality labels to subjects and objects
Correct answer: It is the only mechanism allowed to change a constrained data item from one valid state to another
A transformation procedure is the certified program through which a constrained data item (CDI) may be changed, moving it from one consistent, valid state to another. Subjects never touch CDIs directly; they invoke TPs, which preserve integrity and produce an audit trail. Clark-Wilson is about controlling how data is modified, not about assigning confidentiality labels or encrypting data.
- A protection model represents a system as a directed graph where vertices are subjects and objects and labeled edges show rights, then uses four operations to analyze whether a right can be 'leaked' to an unauthorized subject. Which model is described?
- The Biba model
- The Bell-LaPadula model
- The lattice-based information flow model
- The Take-Grant protection model
Correct answer: The Take-Grant protection model
The Take-Grant protection model uses a directed graph and four primitive rules (take, grant, create, and remove) to formally prove or disprove whether rights can propagate to subjects that should not have them. The take rule lets a subject acquire another's rights, while the grant rule lets a subject pass its own rights to another. It is an analysis model for rights propagation, not a confidentiality or integrity enforcement model.
- Which two operations in the Take-Grant protection model directly govern how access rights move between subjects in the graph?
- Take and grant
- Encrypt and sign
- Read and write
- Certify and enforce
Correct answer: Take and grant
The take and grant operations control rights movement: take lets a subject pull a right that another subject possesses, and grant lets a subject hand one of its own rights to another. The other two primitives, create and remove, add nodes or strip rights but do not transfer rights between existing subjects. Certify and enforce belong to Clark-Wilson, not Take-Grant.
- An organization needs to exchange large volumes of data quickly between two systems and prioritizes encryption and decryption speed. Which characteristic of symmetric encryption makes it the preferred choice for bulk data?
- It provides non-repudiation automatically as a byproduct of decryption
- It uses a public/private key pair, eliminating the need to distribute keys
- It scales to large numbers of users without any key-management challenge
- It uses a single shared key and is far faster than asymmetric algorithms for large data
Correct answer: It uses a single shared key and is far faster than asymmetric algorithms for large data
Symmetric encryption uses one shared secret key for both encryption and decryption and is computationally much faster than asymmetric encryption, which is why it is used for bulk data. Its trade-off is key distribution: both parties must securely obtain the same key, and the number of keys grows rapidly as users are added. Public/private key pairs and built-in non-repudiation belong to asymmetric cryptography.
- A developer asks how asymmetric encryption lets two parties communicate securely without ever sharing a secret key in advance. What is the defining mechanism of asymmetric encryption?
- A shared initialization vector replaces the need for any key
- A one-way hash function scrambles the data irreversibly
- Each party has a mathematically related public/private key pair; data encrypted with one key is decrypted only with the other
- Both parties use one identical secret key derived from a password
Correct answer: Each party has a mathematically related public/private key pair; data encrypted with one key is decrypted only with the other
Asymmetric encryption gives each party a related public/private key pair: anyone can encrypt with the recipient's public key, but only the recipient's private key can decrypt it, so no pre-shared secret is required. This same pairing enables digital signatures and key establishment. A single identical secret key describes symmetric encryption, and a one-way hash is not reversible encryption at all.
- A team must distinguish symmetric from asymmetric encryption when choosing algorithms. Which pairing correctly contrasts the two approaches?
- Symmetric uses a key pair and is slow; asymmetric uses one shared key and is fast
- Both use a single shared key, differing only in block size
- Symmetric uses one shared key and is fast; asymmetric uses a key pair and solves key distribution but is slower
- Symmetric provides non-repudiation; asymmetric provides only confidentiality
Correct answer: Symmetric uses one shared key and is fast; asymmetric uses a key pair and solves key distribution but is slower
Symmetric encryption relies on a single shared secret key and is fast, making it ideal for bulk data, while asymmetric encryption uses a public/private key pair that solves the key-distribution problem and enables signatures, at the cost of slower performance. Hybrid systems use asymmetric encryption to exchange a symmetric session key, then symmetric encryption for the data. Non-repudiation comes from asymmetric private-key signatures, not symmetric keys.
- RSA encryption is widely used for key exchange and digital signatures. On what mathematical problem does the security of RSA fundamentally rely?
- The difficulty of factoring the product of two large prime numbers
- The difficulty of computing discrete logarithms over an elliptic curve
- The difficulty of finding collisions in a cryptographic hash function
- The difficulty of reversing a symmetric substitution-permutation network
Correct answer: The difficulty of factoring the product of two large prime numbers
RSA's security rests on the computational difficulty of factoring a large modulus that is the product of two large primes; recovering the private key would require that factorization. Discrete logarithms on an elliptic curve underpin ECC, not RSA. Because factoring large numbers is slow, RSA is typically used to protect or sign small data such as a symmetric session key rather than to bulk-encrypt large messages.
- Why does elliptic curve cryptography (ECC) provide an advantage over RSA for resource-constrained devices such as smart cards and mobile phones?
- ECC does not require random number generation, simplifying implementation
- ECC achieves equivalent security strength with much smaller key sizes, reducing computation and storage
- ECC is a symmetric algorithm and therefore far faster than RSA
- ECC eliminates the need for any private key on the device
Correct answer: ECC achieves equivalent security strength with much smaller key sizes, reducing computation and storage
Elliptic curve cryptography delivers the same security strength as RSA using far smaller keys (for example, a 256-bit ECC key is comparable to a 3072-bit RSA key), which lowers processing, memory, and power demands on constrained devices. ECC is still asymmetric and uses public/private key pairs and random values; its benefit is efficiency, not the removal of keys or randomness.
- Two parties who have never met need to agree on a shared symmetric key over an insecure channel without transmitting the key itself. Which algorithm is specifically designed to accomplish this?
- The Secure Hash Algorithm (SHA-256)
- The Data Encryption Standard (DES)
- The Diffie-Hellman key exchange
- The Advanced Encryption Standard (AES)
Correct answer: The Diffie-Hellman key exchange
Diffie-Hellman key exchange lets two parties independently compute the same shared secret over a public channel without ever sending the secret, by exchanging public values derived from private exponents. AES and DES are symmetric ciphers that use a key but do not establish one, and SHA-256 is a hash function. Diffie-Hellman is vulnerable to man-in-the-middle attacks unless the exchanged values are authenticated.
- An auditor asks why AES replaced DES as the U.S. government symmetric encryption standard. Which difference is the MOST significant security reason?
- AES uses a 56-bit key while DES uses 128-bit keys
- DES uses a 56-bit effective key that is now brute-forceable, while AES supports 128, 192, and 256-bit keys
- DES uses a larger block size than AES, slowing it down
- DES is an asymmetric cipher while AES is symmetric
Correct answer: DES uses a 56-bit effective key that is now brute-forceable, while AES supports 128, 192, and 256-bit keys
DES has only a 56-bit effective key, small enough to be brute-forced with modern hardware, whereas AES supports 128, 192, and 256-bit keys that resist brute-force attacks, which is the core reason AES superseded DES. Both are symmetric block ciphers, so the asymmetric claim is wrong, and AES uses a 128-bit block, larger than DES's 64-bit block. Triple DES was an interim fix, but AES became the long-term standard.
- A security analyst must explain the fundamental difference between hashing and encryption to a developer. Which distinction is correct?
- Both hashing and encryption require a shared secret key to reverse
- Hashing is reversible with the correct key; encryption is irreversible
- Hashing produces variable-length output while encryption produces fixed-length output
- Encryption is a reversible two-way function for confidentiality; hashing is a one-way function for integrity verification
Correct answer: Encryption is a reversible two-way function for confidentiality; hashing is a one-way function for integrity verification
Encryption is reversible: with the proper key, ciphertext can be decrypted back to plaintext, which is why it provides confidentiality. Hashing is a one-way function that produces a fixed-length digest and cannot be reversed to recover the input, so it is used to verify integrity, not to conceal recoverable data. A password store, for example, keeps hashes precisely because they should not be reversible.
- A signed contract is sent electronically and the sender later denies having sent it. Which security service, provided by a digital signature created with the sender's private key, defeats this denial?
- Availability
- Tranquility
- Non-repudiation
- Confidentiality
Correct answer: Non-repudiation
Non-repudiation prevents the sender from credibly denying an action because the digital signature could only have been produced with the sender's private key, which only the sender controls. This binds the message to that identity and provides proof of origin. Confidentiality conceals content and availability ensures access, but neither establishes proof that a specific party performed the action.
- A recipient wants to verify both that a message came from the claimed sender and that it was not altered in transit. How does a digital signature work to provide this assurance?
- The sender encrypts the message with a shared symmetric session key
- The sender hashes the message and encrypts the hash with their private key; the recipient verifies it using the sender's public key
- The sender hashes the message twice and sends both hashes for comparison
- The sender encrypts the entire message with the recipient's private key
Correct answer: The sender hashes the message and encrypts the hash with their private key; the recipient verifies it using the sender's public key
A digital signature is created by hashing the message and encrypting that hash with the sender's private key; the recipient decrypts the signature with the sender's public key and compares the result to a freshly computed hash. A match confirms both authenticity (only the sender's private key could have created the signature) and integrity (the hashes agree only if the message is unchanged). Encrypting with the recipient's private key is impossible since the sender does not hold it.
- An enterprise is deploying a public key infrastructure (PKI). Which component is responsible for digitally signing and issuing certificates that bind a public key to a verified identity?
- The hardware security module (HSM)
- The certificate authority (CA)
- The registration authority (RA)
- The certificate revocation list (CRL)
Correct answer: The certificate authority (CA)
The certificate authority is the trusted entity that issues and digitally signs certificates, binding a subject's identity to its public key. The registration authority verifies identity and forwards requests but does not sign certificates, while a CRL lists certificates that have been revoked. An HSM may securely store the CA's private key, but the CA itself performs the issuance and signing.
- A defense-in-depth strategy is recommended for a new data center. Which design choice BEST reflects the defense-in-depth principle?
- Selecting the single strongest perimeter firewall and relying on it exclusively
- Layering multiple independent controls such as firewalls, network segmentation, host hardening, and encryption so no single failure is catastrophic
- Granting administrators broad access to reduce the number of controls to manage
- Encrypting all data so that other controls become unnecessary
Correct answer: Layering multiple independent controls such as firewalls, network segmentation, host hardening, and encryption so no single failure is catastrophic
Defense in depth layers multiple, diverse, and independent controls so that if one fails, others still protect the asset, avoiding a single point of failure. Relying on one strong perimeter device or on encryption alone creates exactly the single-control dependency the strategy is meant to prevent. The goal is overlapping safeguards across physical, network, host, application, and data layers.
- A security engineer wants a system design that, when a component fails or an error occurs, defaults to denying access rather than allowing it. Which secure design principle does this implement?
- Fail-secure (fail-safe defaults that deny by default)
- Psychological acceptability
- Open design
- Least common mechanism
Correct answer: Fail-secure (fail-safe defaults that deny by default)
A fail-secure design with secure defaults denies access when a failure or error occurs, ensuring that an unexpected fault does not leave the system in a permissive state. Open design holds that security should not depend on secrecy of the design, and least common mechanism minimizes shared resources, but neither defines the failure-state behavior. Defaulting to deny is the conservative, secure choice in access control.
- During trusted computing base (TCB) design, the reference monitor concept must be enforced by a tamperproof component. Which property requires that the reference monitor cannot be bypassed when a subject requests access to an object?
- Verifiability through small size
- Tamper resistance
- Complete mediation (non-bypassability)
- Economy of mechanism
Correct answer: Complete mediation (non-bypassability)
Complete mediation, or non-bypassability, requires that every access request from a subject to an object pass through the reference monitor with no way around it. The reference monitor must also be tamperproof and small enough to be verifiable, but those are separate properties; non-bypassability specifically guarantees that no access escapes mediation. The security kernel is the implementation that enforces this concept.
- How many layers make up the Open Systems Interconnection (OSI) reference model used to describe network communication?
- Eight layers
- Five layers
- Four layers
- Seven layers
Correct answer: Seven layers
The OSI model has seven layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application, numbered 1 through 7 from the bottom up. This protocol-independent reference model describes the functions involved in moving data across a network so that security professionals can reason about where controls apply at each layer.
- A security architect is comparing the OSI reference model with the TCP/IP (DoD) model used by the modern Internet. Which statement accurately describes the relationship between the two models?
- The TCP/IP model has eight layers while OSI has seven
- The TCP/IP model and OSI model both define exactly seven equivalent layers
- The TCP/IP model places the Physical layer at the top and the Application layer at the bottom
- The TCP/IP model collapses the OSI Application, Presentation, and Session layers into a single Application layer and has four layers total
Correct answer: The TCP/IP model collapses the OSI Application, Presentation, and Session layers into a single Application layer and has four layers total
The TCP/IP model combines OSI's Application, Presentation, and Session layers into one Application layer and merges the Physical and Data Link layers into a Link (Network Access) layer, yielding four layers (Application, Transport, Internet, Link). The OSI model is a more granular seven-layer teaching and reference framework, while the four-layer TCP/IP model reflects how the Internet protocol suite is actually implemented.
- Which sequence correctly describes the TCP three-way handshake that establishes a connection before data is exchanged?
- ACK, then SYN, then SYN-ACK
- SYN, then SYN-ACK, then ACK
- FIN, then FIN-ACK, then RST
- SYN, then ACK, then FIN
Correct answer: SYN, then SYN-ACK, then ACK
The TCP three-way handshake proceeds as SYN (client requests a connection and sends its initial sequence number), SYN-ACK (server acknowledges and sends its own sequence number), and ACK (client acknowledges the server's sequence number), after which the connection is established. FIN packets are used to gracefully close a connection, not open one, and RST forcibly resets a connection.
- An organization deploys a basic packet-filtering firewall at its network perimeter. On which OSI layers does a packet-filtering firewall primarily make its allow-or-deny decisions?
- Layer 7 (Application) only, inspecting message payloads
- Layers 5 and 6 (Session and Presentation)
- Layers 3 and 4 (Network and Transport), using IP addresses, ports, and protocol
- Layers 1 and 2 (Physical and Data Link)
Correct answer: Layers 3 and 4 (Network and Transport), using IP addresses, ports, and protocol
A packet-filtering firewall operates at the Network and Transport layers (Layers 3 and 4), filtering on source and destination IP address, port number, and protocol in each packet header. It does not inspect application payloads, so it cannot understand session context or detect attacks hidden inside Layer 7 content.
- What is the fundamental difference between a stateless (packet-filtering) firewall and a stateful inspection firewall?
- A stateless firewall operates at Layer 7 while a stateful firewall operates at Layer 1
- A stateless firewall evaluates each packet in isolation against static rules, while a stateful firewall tracks the state of active connections in a state table
- A stateless firewall encrypts traffic while a stateful firewall does not
- A stateful firewall works only on wireless networks
Correct answer: A stateless firewall evaluates each packet in isolation against static rules, while a stateful firewall tracks the state of active connections in a state table
A stateless firewall examines each packet independently against a fixed rule set with no memory of prior traffic, whereas a stateful firewall maintains a state table tracking active connections so it can permit return traffic that belongs to an established session and drop out-of-context packets. This connection awareness lets stateful firewalls block crafted packets that a stateless filter would mistakenly pass.
- A company needs a firewall that can terminate client connections, inspect full application-layer content, and make decisions based on the specific application protocol such as HTTP or FTP. Which firewall type BEST meets this requirement?
- A bridging firewall operating at Layer 2
- A static packet-filtering firewall
- A circuit-level gateway
- An application-level (proxy) gateway firewall
Correct answer: An application-level (proxy) gateway firewall
An application-level gateway, or proxy firewall, operates at Layer 7 and brokers connections on behalf of clients, inspecting the full application-layer payload and enforcing rules specific to each application protocol. A packet-filtering firewall sees only headers, and a circuit-level gateway validates sessions at the Transport/Session layers without inspecting application content.
- A next-generation firewall (NGFW) is distinguished from a traditional stateful firewall primarily by its ability to:
- Operate without any rule set
- Replace the need for routing on the network
- Perform deep packet inspection with application awareness, user identity, and integrated intrusion prevention
- Filter traffic only by MAC address
Correct answer: Perform deep packet inspection with application awareness, user identity, and integrated intrusion prevention
A next-generation firewall extends stateful inspection by adding deep packet inspection that recognizes specific applications regardless of port, ties decisions to user identity, and integrates intrusion prevention and threat intelligence. A traditional stateful firewall tracks connection state but lacks this application and user awareness, so it cannot, for example, allow a sanctioned app while blocking a risky one on the same port.
- A network engineer wants to use VLANs to improve security by separating the finance department's traffic from the rest of the corporate LAN on the same physical switches. What does VLAN segmentation accomplish at the data-link layer?
- It encrypts all frames sent between the segmented hosts
- It guarantees that no malware can spread between any devices
- It assigns a single shared IP address to every host in the VLAN
- It creates separate logical broadcast domains so hosts in one VLAN cannot directly reach hosts in another without passing through a Layer 3 device
Correct answer: It creates separate logical broadcast domains so hosts in one VLAN cannot directly reach hosts in another without passing through a Layer 3 device
VLAN segmentation partitions a switched network into separate logical broadcast domains so that traffic in one VLAN is isolated from another, and inter-VLAN communication must traverse a router or Layer 3 switch where access control can be applied. VLANs do not encrypt traffic by themselves; their security value comes from isolation and the ability to enforce policy at the routing boundary.
- Inter-VLAN routing is required when hosts in different VLANs must communicate. From a security standpoint, what advantage does forcing inter-VLAN traffic through a Layer 3 device provide?
- It removes the broadcast domain boundary between VLANs
- It creates a chokepoint where access control lists and inspection can be applied between segments
- It automatically encrypts traffic between VLANs
- It eliminates the need for any access control lists
Correct answer: It creates a chokepoint where access control lists and inspection can be applied between segments
Because VLANs are isolated broadcast domains, traffic between them must pass through a router or Layer 3 switch, creating a natural enforcement point where ACLs, firewalling, and inspection can govern east-west traffic. This is why VLAN segmentation paired with inter-VLAN ACLs is an effective way to contain lateral movement.
- At which OSI layer do switches make their primary forwarding decisions, and on what addressing do they rely?
- Layer 4 (Transport), using port numbers
- Layer 3 (Network), using IP addresses
- Layer 2 (Data Link), using MAC addresses
- Layer 7 (Application), using URLs
Correct answer: Layer 2 (Data Link), using MAC addresses
Switches operate at the Data Link layer (Layer 2) and forward frames based on MAC addresses learned into a content-addressable memory (CAM) table. Routers, by contrast, operate at the Network layer (Layer 3) and forward packets using IP addresses, which is why protecting the Layer 2 environment against MAC-table and ARP attacks is a distinct concern.
- Voice over IP (VoIP) is an example of a converged protocol that carries voice traffic over an IP data network. What is a PRIMARY security concern introduced by converging voice and data onto the same infrastructure?
- VoIP cannot be encrypted under any circumstances
- A compromise or denial-of-service condition on the data network can now also disrupt voice communications, and call signaling such as SIP can be intercepted or spoofed
- Converged protocols eliminate the need for VLANs
- VoIP traffic is immune to eavesdropping by design
Correct answer: A compromise or denial-of-service condition on the data network can now also disrupt voice communications, and call signaling such as SIP can be intercepted or spoofed
Converging voice onto the IP data network means a single attack or outage can affect both data and telephony, and unprotected signaling protocols like SIP can be intercepted, spoofed, or flooded. A common mitigation is to place voice traffic on a separate VLAN and encrypt media and signaling with protocols such as SRTP and TLS.
- Which protocol family secures voice and video media streams in a VoIP deployment by providing encryption, message authentication, and replay protection for RTP traffic?
- SRTP (Secure Real-time Transport Protocol)
- SNMP
- NTP
- SMTP
Correct answer: SRTP (Secure Real-time Transport Protocol)
SRTP (Secure Real-time Transport Protocol) adds confidentiality, integrity, and replay protection to the RTP media streams used for VoIP and video. Plain RTP carries media in the clear, so SRTP (often paired with TLS to protect SIP signaling) is the standard control for protecting real-time communications.
- A storage architect is designing an iSCSI storage area network. Because iSCSI encapsulates SCSI commands inside TCP/IP packets that traverse the regular Ethernet network, which control is MOST important to protect the storage traffic?
- Disabling all authentication to improve throughput
- Leaving the storage network on the same VLAN as user workstations for simplicity
- Isolating the storage traffic on a dedicated VLAN or physically separate network and enabling CHAP authentication and IPSec where supported
- Relying solely on the operating system file permissions
Correct answer: Isolating the storage traffic on a dedicated VLAN or physically separate network and enabling CHAP authentication and IPSec where supported
Because iSCSI rides over standard TCP/IP and Ethernet, its traffic should be isolated on a dedicated storage VLAN or separate network and protected with CHAP authentication and IPSec encryption where supported. Mixing storage traffic with general user traffic exposes block-level data to sniffing and unauthorized initiators.
- Which Wi-Fi network discovery practice describes an access point that is configured NOT to broadcast its SSID, and why is hiding the SSID a weak security measure?
- SSID cloaking; it is weak because the SSID is still transmitted in client probe and association frames and is easily captured
- MAC filtering; it is weak because MAC addresses are encrypted
- WPS; it is weak because it disables encryption
- Band steering; it is weak because it broadcasts the password
Correct answer: SSID cloaking; it is weak because the SSID is still transmitted in client probe and association frames and is easily captured
SSID cloaking (disabling SSID broadcast) is the practice in question, and it offers little real protection because the SSID still appears in client probe requests, association frames, and re-association traffic, where an attacker can passively capture it. Hiding the SSID is therefore an obscurity measure, not a substitute for strong authentication and encryption such as WPA3.
- An organization wants to prevent an attacker who has gained access to one switch port from exhausting the switch's MAC address (CAM) table and forcing it to flood all frames out every port. Which control BEST mitigates a CAM table overflow (MAC flooding) attack?
- Disabling the spanning tree protocol
- Configuring port security to limit the number of MAC addresses learned per port
- Increasing the DHCP lease time
- Enabling jumbo frames
Correct answer: Configuring port security to limit the number of MAC addresses learned per port
Port security limits how many MAC addresses a switch port will learn and can shut down or restrict a port that exceeds the limit, defeating MAC flooding attacks that try to overflow the CAM table and turn the switch into a hub. CAM overflow is a Layer 2 attack, so the countermeasure is applied at the switch port, not at Layer 3.
- A security team is told that a remote-access VPN must protect data only between two specific hosts while leaving the original IP header visible for routing on a trusted internal network. Which IPSec mode fits this requirement?
- Aggressive mode
- Tunnel mode
- Transport mode
- Promiscuous mode
Correct answer: Transport mode
IPSec transport mode protects only the payload of the IP packet and leaves the original IP header intact, making it suitable for securing host-to-host communications on a network where the original addressing is needed for routing. Tunnel mode, by contrast, encrypts the entire original packet inside a new header and is typically used for gateway-to-gateway site VPNs.
- Which two protocols within the IPSec suite provide, respectively, authentication and integrity without encryption, and confidentiality plus integrity with encryption?
- TLS for authentication and SSH for encryption
- AH (Authentication Header) for authentication/integrity and ESP (Encapsulating Security Payload) for confidentiality and integrity
- RADIUS for authentication and TACACS+ for encryption
- PPTP for authentication and L2TP for encryption
Correct answer: AH (Authentication Header) for authentication/integrity and ESP (Encapsulating Security Payload) for confidentiality and integrity
In IPSec, the Authentication Header (AH) provides connectionless integrity and data-origin authentication but no encryption, while the Encapsulating Security Payload (ESP) provides confidentiality through encryption along with integrity and authentication of the payload. Most modern deployments use ESP because it adds the confidentiality that AH lacks.
- A network monitoring sensor is connected to a switch SPAN (mirror) port to passively capture copies of traffic for an intrusion detection system. What is the PRIMARY security benefit of deploying the IDS sensor in this passive, out-of-band manner rather than inline?
- It encrypts the mirrored traffic automatically
- It eliminates the need to tune detection signatures
- It can monitor traffic without becoming a single point of failure or latency on the production data path
- It can block malicious packets in real time before they reach the host
Correct answer: It can monitor traffic without becoming a single point of failure or latency on the production data path
A passive IDS attached to a SPAN/mirror port receives copies of traffic, so it can analyze and alert without sitting in the live data path, meaning a sensor failure or overload does not interrupt production traffic. The trade-off is that a passive IDS only detects and alerts; preventing or blocking traffic in real time requires an inline intrusion prevention system (IPS).
- An enterprise is implementing a zero trust network architecture to replace its traditional flat, perimeter-based network. Which principle BEST characterizes the zero trust approach to network communication?
- Trust all internal traffic once a device is inside the perimeter firewall
- Eliminate authentication for systems on the internal LAN
- Never implicitly trust any user or device; continuously authenticate, authorize, and verify each access request regardless of network location
- Allow unrestricted east-west traffic to improve performance
Correct answer: Never implicitly trust any user or device; continuously authenticate, authorize, and verify each access request regardless of network location
Zero trust assumes no implicit trust based on network location and requires every access request to be authenticated, authorized, and continuously validated against policy, even for traffic already inside the perimeter. This directly counters the legacy model where being inside the perimeter firewall granted broad lateral access, and it pairs naturally with microsegmentation to control east-west traffic.
- In a discretionary access control (DAC) model, who decides which other users may access a given file or object?
- An automated policy engine evaluating environmental attributes
- A central security administrator applying organization-wide labels
- The owner of the resource, at their own discretion
- The operating system kernel based on clearance levels
Correct answer: The owner of the resource, at their own discretion
In discretionary access control the owner of the resource grants or denies access at their own discretion, typically by editing an access control list (ACL) attached to the object. This is why DAC is used in common operating systems like Windows and Unix where users set permissions on their own files. A central administrator using labels describes mandatory access control, not DAC.
- A defense contractor's classified system enforces access using security labels and clearances, and a user with Secret clearance cannot grant a Top Secret document to a colleague even if the user can read it. Which access control model is in use?
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Risk-based access control
- Discretionary access control (DAC)
Correct answer: Mandatory access control (MAC)
Mandatory access control (MAC) is in use because access decisions are made by a central authority comparing security labels on objects with clearances on subjects, and users cannot pass on or alter those rights. The inability of a subject to grant access it possesses is the defining trait that separates MAC from DAC, where owners can share at their discretion. MAC is favored for highly sensitive military and government data.
- A security manager is comparing access control models and needs the one that scales best for a 5,000-employee company where permissions should follow job functions, while still allowing the system rather than individual owners to enforce policy. Which statement BEST distinguishes the three models?
- DAC uses labels, MAC uses roles, and RBAC lets owners decide
- RBAC requires security clearances while MAC uses access control lists set by users
- All three rely on the resource owner to assign permissions directly
- DAC is owner-driven, MAC is label/clearance-driven and centrally enforced, and RBAC grants permissions through job-function roles
Correct answer: DAC is owner-driven, MAC is label/clearance-driven and centrally enforced, and RBAC grants permissions through job-function roles
The correct distinction is that DAC is owner-driven (owners set ACLs at their discretion), MAC is driven by labels and clearances and centrally enforced so users cannot delegate rights, and RBAC assigns permissions to roles that map to job functions. For a large organization that wants permissions to follow job functions with central enforcement, RBAC scales best because administrators maintain a modest number of roles rather than thousands of per-user ACLs. The other options invert or confuse the defining traits of each model.
- An engineering firm wants access decisions that adapt in real time to conditions such as the user's department, the document's classification, the time of day, and whether the request comes from a managed device. Which access control model is MOST appropriate?
- Mandatory access control
- Attribute-based access control
- Discretionary access control
- Role-based access control
Correct answer: Attribute-based access control
Attribute-based access control (ABAC) is most appropriate because it evaluates policies built from attributes of the subject, the resource, the action, and the environment (such as time of day and device posture) to make dynamic, context-aware decisions. Role-based access control is more static, granting access purely by assigned role and unable to factor in environmental context like device health or time. ABAC's flexibility makes it well suited to fine-grained, conditional access.
- A developer is choosing a standard for an integration. The team needs to authenticate enterprise users into a partner web application using XML-based assertions, NOT merely delegate API access. Which standard fits, and why?
- SAML, because it is an XML-based authentication and SSO standard, whereas OAuth 2.0 is an authorization framework
- Both are identical and interchangeable for authentication and authorization
- OAuth 2.0, because it is the standard for authenticating users with XML assertions
- OAuth 2.0, because SAML cannot be used between separate organizations
Correct answer: SAML, because it is an XML-based authentication and SSO standard, whereas OAuth 2.0 is an authorization framework
SAML fits because it is an XML-based standard designed to authenticate users and enable single sign-on across organizations by passing assertions from an identity provider to a service provider. OAuth 2.0 is fundamentally an authorization framework that delegates access to resources (typically APIs) using access tokens and does not, by itself, authenticate the user or provide SSO. The key CISSP distinction is that SAML handles authentication and SSO while OAuth handles delegated authorization.
- Two independent companies, each with its own directory, agree to let employees of one access a shared application hosted by the other using their home credentials, based on a pre-established trust relationship. This arrangement is BEST described as:
- Federated identity
- Privileged access management
- Just-in-time provisioning
- Mandatory access control
Correct answer: Federated identity
Federated identity is the correct term because it links a user's identity across multiple separate organizations or security domains through a pre-established trust relationship, letting users authenticate at their home identity provider and access another domain's resources. This is the foundation that lets one company's employees use their existing credentials at a partner's application. Privileged access management governs administrative accounts and does not describe cross-organization identity trust.
- In an identity federation, which party RELIES on assertions from a trusted identity provider to grant a user access to its application?
- The certificate authority
- The key distribution center
- The service provider (relying party)
- The registration authority
Correct answer: The service provider (relying party)
The service provider, also called the relying party, is the party that consumes and relies on assertions issued by a trusted identity provider to make an access decision for its application. In identity federation the identity provider authenticates the user and the service provider trusts the resulting assertion rather than authenticating the user itself. A certificate authority issues certificates and is not the consumer of federation assertions.
- Walk through how Kerberos authenticates a user to a network service. After the user proves their identity, what sequence correctly describes obtaining access to a specific application server?
- The Authentication Server issues a TGT; the user presents the TGT to the Ticket Granting Service to obtain a service ticket; the user presents the service ticket to the application server
- The user sends a password directly to the application server, which validates it against the KDC
- The KDC sends the user's password to the application server over an encrypted channel for verification
- The application server queries a certificate authority to verify the user's smart card before granting access
Correct answer: The Authentication Server issues a TGT; the user presents the TGT to the Ticket Granting Service to obtain a service ticket; the user presents the service ticket to the application server
The correct flow is that the Authentication Server within the KDC issues a Ticket Granting Ticket (TGT) after initial authentication, the user then presents the TGT to the Ticket Granting Service to request a service ticket for a specific resource, and finally presents that service ticket to the application server. A core Kerberos design goal is that the user's password is never transmitted to application servers — only tickets are exchanged with services. This ticket-based mediation by the KDC is what makes Kerberos a single sign-on protocol.
- A security architect explains that authentication factors fall into distinct categories and that combining factors from DIFFERENT categories strengthens authentication. Which set lists three valid factor CATEGORIES?
- Something you know, something you have, something you are
- A fingerprint, a retina scan, and a voiceprint
- A password, a PIN, and a passphrase
- A username, an email address, and a security question
Correct answer: Something you know, something you have, something you are
The three classic authentication factor categories are something you know (a secret like a password), something you have (a possession like a token or smart card), and something you are (a biometric trait). The strength of multifactor authentication comes from combining factors from different categories, not from stacking multiple items in the same category. A password, PIN, and passphrase are all the same category (knowledge), as are multiple biometrics, so those sets do not represent distinct factor categories.
- An access control program enforces that a payroll analyst can use only the minimum permissions required for the role AND can view only the specific employee records assigned to their region. Which two principles are being applied, respectively?
- Least privilege and need-to-know
- Accountability and non-repudiation
- Defense in depth and fail-secure
- Separation of duties and job rotation
Correct answer: Least privilege and need-to-know
Least privilege and need-to-know are the two principles applied: least privilege limits the analyst to the minimum permissions the role requires, while need-to-know further restricts access to only the specific data the person must see to perform a task, such as records for their region. The two are related but distinct — least privilege governs the breadth of permissions and need-to-know governs access to particular information. Separation of duties instead splits a task among multiple people.
- During the identity lifecycle, an organization wants to ensure that when an employee transfers from sales to finance, their old sales entitlements are removed as the new finance ones are added. The control that systematically grants and revokes access across such lifecycle events is:
- Session management
- Certificate pinning
- Penetration testing
- Provisioning and deprovisioning
Correct answer: Provisioning and deprovisioning
Provisioning and deprovisioning is the lifecycle control that grants access when it is needed (onboarding or role change) and revokes it when it is no longer appropriate (transfer or termination). Applying both during a transfer prevents privilege creep by ensuring stale sales entitlements are removed as finance access is added. Failing to deprovision is what leaves users with accumulated, excessive rights over time.
- An identity provider authenticates an employee once in the morning, and the employee then opens the email, HR, and expense applications throughout the day without re-entering credentials. The capability that makes this possible is:
- Federated deprovisioning
- Mandatory access control
- Single sign-on
- Data loss prevention
Correct answer: Single sign-on
Single sign-on (SSO) is the capability that lets a user authenticate once and then access multiple connected applications without re-entering credentials for each one. It improves user experience and reduces password fatigue, though it concentrates risk in one credential, which is why SSO is typically paired with strong multifactor authentication. Mandatory access control governs how access decisions are made, not whether a user must re-authenticate per application.
- A bank deploys role-based access control so that anyone assigned the 'teller' role automatically inherits a defined set of transaction permissions. What is the PRIMARY administrative advantage of this approach over assigning permissions to each user individually?
- It allows each user to set their own permissions
- It simplifies administration and reduces errors by managing permissions at the role level
- It encrypts all transaction data automatically
- It eliminates the need for authentication
Correct answer: It simplifies administration and reduces errors by managing permissions at the role level
The primary advantage of role-based access control is that permissions are managed at the role level, so administrators assign or change access for an entire job function once rather than configuring each user individually, which simplifies administration and reduces the chance of error. When a new teller is hired, granting the teller role instantly conveys the correct, consistent permissions. RBAC does not replace authentication, and it specifically removes per-user discretion rather than enabling it.
- A company refers to 'identity and access management' (IAM) in its security strategy. Which statement BEST captures the scope of IAM as a discipline?
- It refers only to the firewall rules that segment a network
- It is solely the technology used to encrypt passwords in a database
- It is limited to issuing biometric badges for physical building entry
- It encompasses the processes and technologies for managing digital identities and controlling their access to resources across their lifecycle
Correct answer: It encompasses the processes and technologies for managing digital identities and controlling their access to resources across their lifecycle
Identity and access management is best understood as the full set of policies, processes, and technologies for managing digital identities and governing their access to resources throughout the identity lifecycle, including provisioning, authentication, authorization, and deprovisioning. It is far broader than any single mechanism such as password hashing or firewall segmentation. Treating IAM as only one tool understates its role as an end-to-end identity governance discipline.
- Before issuing an account, a government agency requires an applicant to present identity documents that are verified against authoritative sources. Within the access control lifecycle, this step is BEST described as:
- Authorization
- Identity proofing (registration)
- Accountability
- Session termination
Correct answer: Identity proofing (registration)
Identity proofing, also called registration or enrollment, is the lifecycle step in which an individual's claimed identity is validated against authoritative evidence before credentials are issued. It establishes assurance that the person is who they claim to be and underpins the trustworthiness of every later authentication. Authorization, by contrast, occurs after authentication and determines what an already-identified subject is permitted to do.
- An organization is preparing for a certification audit against ISO/IEC 27001. Leadership wants the assessment to carry weight with external customers and regulators. Which audit approach BEST satisfies that requirement?
- A self-assessment completed by each department's manager
- An internal audit performed by the organization's own information security team
- An external audit performed by an accredited, independent third party
- A peer review conducted by another business unit within the same company
Correct answer: An external audit performed by an accredited, independent third party
An external audit performed by an accredited, independent third party best satisfies the requirement. External (independent) audits provide objective assurance that customers and regulators trust precisely because the auditor has no organizational stake in the outcome and is often accredited to certify against a standard. Internal audits and self-assessments are valuable for continuous improvement but lack the independence external stakeholders require for formal certification.
- A CISO wants periodic reviews that surface control gaps before an external certification audit, using staff who already understand the organization's systems and culture. Which characteristic MOST distinguishes the internal audits that serve this goal from external audits?
- Internal audits always produce a publicly distributable certificate
- Internal audits can only test technical controls, while external audits test administrative controls
- Internal audits are legally required, while external audits are optional
- Internal audits are performed by employees of the organization and emphasize ongoing self-improvement
Correct answer: Internal audits are performed by employees of the organization and emphasize ongoing self-improvement
Internal audits are performed by the organization's own staff and emphasize ongoing self-improvement. Because internal auditors know the environment well, they can find and remediate gaps continuously and prepare the organization for formal external review. External audits, by contrast, are valued for their independence and may produce certifications, but they do not have the insider familiarity that makes internal audits efficient for routine checkups.
- During a penetration test, the tester is given network diagrams and a limited set of valid user credentials but not full source code or administrator access. This engagement is BEST described as:
- Black box testing
- Gray box testing
- Blind testing
- White box testing
Correct answer: Gray box testing
Gray box testing best describes this engagement. Gray box testing gives the tester partial knowledge of the target, such as architecture diagrams and standard-user credentials, simulating an attacker who has gained some insider information or a malicious authenticated user. Black box testing provides no internal knowledge, and white box testing provides full knowledge including source code and configurations.
- A security architect wants the MOST thorough form of application security testing, in which the tester has complete access to source code, design documents, and system configurations to examine every internal path. Which testing approach provides this?
- Closed box testing
- White box testing
- Double-blind testing
- Black box testing
Correct answer: White box testing
White box testing provides this. White box (also called full-knowledge or clear box) testing gives the tester complete internal information, enabling exhaustive examination of code paths, logic, and configurations. Black box testing deliberately withholds internal knowledge to emulate an external attacker, so it cannot guarantee the same internal coverage.
- A development team using a well-defined input protocol wants a fuzzing approach that constructs test inputs directly from the protocol's format specification rather than mutating captured samples. Which fuzzing technique fits this need?
- Generation-based (intelligent) fuzzing
- Static fuzzing
- Mutation-based (dumb) fuzzing
- Regression fuzzing
Correct answer: Generation-based (intelligent) fuzzing
Generation-based (intelligent) fuzzing fits this need. Generation-based fuzzers build test cases from a model or grammar of the expected input format, allowing them to reach deeper, format-aware code paths. Mutation-based fuzzing instead takes existing valid samples and randomly alters them, which is simpler to set up but less likely to satisfy strict protocol structure.
- A team adopts a coverage-guided fuzzer that instruments the target binary, observes which code paths each input reaches, and uses that feedback to steer the generation of new inputs toward unexplored branches. This describes:
- A gray box (coverage-guided) fuzzer
- A static analysis tool that never executes the code
- A manual code review technique
- A purely black box fuzzer with no internal visibility
Correct answer: A gray box (coverage-guided) fuzzer
This describes a gray box (coverage-guided) fuzzer. Coverage-guided fuzzers use lightweight instrumentation to measure which paths an input exercises, then feed that data back to bias mutation toward new code, combining partial internal visibility with execution. A pure black box fuzzer has no path feedback, and static analysis never executes the program at all.
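The two fuzzing questions above describe three ideas that are easier to see running than to read about: generation-based inputs built from a format specification, mutation-based inputs derived from existing samples, and coverage feedback that keeps whichever inputs reach new code. The following Python is an added illustration, not code from the original page or from any real fuzzer; the "PK" packet format, the planted boundary bug in `parse_packet`, and the line-coverage instrumentation via `sys.settrace` are all constructed for this example.

```python
"""Toy fuzzer: generation-based and mutation-based inputs with coverage feedback.
The 'PK' packet format and the planted bug are constructed for this example."""
import random
import sys


def parse_packet(data: bytes) -> str:
    """Target under test. Hypothetical format: b'PK' | length (1 byte) | kind (1 byte) | body.
    Planted boundary bug: kind 2 reads body[0] even when length is 0 (IndexError)."""
    if len(data) < 4:
        return "short"
    if data[:2] != b"PK":
        return "bad-magic"
    length, kind, body = data[2], data[3], data[4:]
    if len(body) != length:
        return "bad-length"
    if kind == 1:
        return "ping"
    if kind == 2:
        flag = body[0]  # crashes when length == 0: the planted bug
        return "echo-flagged" if flag & 0x80 else "echo"
    return "unknown-kind"


def generate(rng: random.Random) -> bytes:
    """Generation-based (intelligent): build a structurally valid packet from the spec,
    so every input passes the magic and length checks and reaches the kind dispatch."""
    length = rng.randint(0, 8)
    kind = rng.randint(0, 3)
    return b"PK" + bytes([length, kind]) + rng.randbytes(length)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based (dumb): bit-flip, insert or delete one byte of an existing sample.
    Most results fail an early check, which is why mutation alone reaches less code."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        data.insert(rng.randint(0, len(data)), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def run_with_coverage(data: bytes):
    """Run the target once under sys.settrace; return (result or exception, set of lines hit).
    This stands in for the lightweight instrumentation a coverage-guided fuzzer relies on."""
    hit = set()
    target_code = parse_packet.__code__

    def tracer(frame, event, arg):
        if frame.f_code is target_code and event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        result = parse_packet(data)
    except Exception as exc:  # an uncaught exception is the finding we want to surface
        result = exc
    finally:
        sys.settrace(previous)
    return result, hit


def fuzz(iterations: int, seed: int = 1, generation_based: bool = True) -> dict:
    """Coverage-guided loop: an input that reaches a new line joins the corpus and becomes
    a seed for later mutation; crashes are recorded with the input that triggered them."""
    rng = random.Random(seed)
    corpus = [generate(rng) if generation_based else b"PK\x00\x01"]
    covered = set()
    crashes = []
    for _ in range(iterations):
        if generation_based and rng.random() < 0.5:
            candidate = generate(rng)
        else:
            candidate = mutate(rng.choice(corpus), rng)
        result, hit = run_with_coverage(candidate)
        if isinstance(result, Exception):
            crashes.append((candidate, repr(result)))
        if not hit <= covered:  # new coverage: keep this input as a seed
            covered |= hit
            corpus.append(candidate)
    return {"covered_lines": len(covered), "corpus_size": len(corpus), "crashes": crashes}


if __name__ == "__main__":
    report = fuzz(2000)
    print(f"lines covered: {report['covered_lines']}, corpus: {report['corpus_size']}, "
          f"crashes: {len(report['crashes'])}")
    if report["crashes"]:
        print("first crashing input:", report["crashes"][0])
```

Running `fuzz(2000)` finds the length-zero/kind-2 crash quickly because the generator always produces packets that pass the magic and length checks; running it with `generation_based=False` from a single seed shows how much slower blind mutation is at getting past those checks, which is the point the generation-based question makes.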
- A SaaS provider stores and processes customer health and operational data but does not affect customers' financial reporting. Customers want detailed assurance over the security, availability, and confidentiality of that data, under NDA. Which report is MOST appropriate?
- A SOC 1 report
- A PCI DSS Attestation of Compliance
- A SOC 2 report
- A SOC 3 report
Correct answer: A SOC 2 report
A SOC 2 report is most appropriate. SOC 2 evaluates a service organization's controls against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) and is a detailed, restricted-distribution report shared under NDA. SOC 1 addresses controls relevant to customers' financial statements, which does not match this data-protection need.
- A cloud vendor wants a general-use document it can post publicly on its website to demonstrate that its controls meet the Trust Services Criteria, without disclosing sensitive control details. Which report meets this goal?
- A SOC 3 report
- A SOC 1 Type II report
- A SOC 2 Type II report
- An internal vulnerability assessment summary
Correct answer: A SOC 3 report
A SOC 3 report meets this goal. SOC 3 covers the same Trust Services Criteria as SOC 2 but is a short, general-use report intended for public distribution and marketing, omitting the detailed descriptions of tests and results. SOC 2 reports contain that sensitive detail and are restricted to authorized parties under NDA.
- A customer requests evidence that a service provider's controls were not only designed appropriately but operated effectively over the past twelve months. Which report meets this requirement?
- A SOC 3 short-form report
- A Type I report
- A Type II report
- A point-in-time gap assessment
Correct answer: A Type II report
A Type II report meets this requirement. A Type II report evaluates both the suitability of control design and the operating effectiveness of those controls over a stated review period (typically 6 to 12 months, though a shorter period is sometimes accepted for a first report). A Type I report only assesses design suitability as of a single point in time and therefore cannot attest to operating effectiveness over a period.
- An auditor notes that the organization's servers, firewalls, and applications each timestamp their logs using their own local clocks, which drift apart. What is the MOST important reason to synchronize these clocks to a common time source?
- To compress logs more efficiently during archival
- To satisfy software licensing requirements
- To enable accurate correlation and reconstruction of event sequences across systems
- To reduce the storage space consumed by log files
Correct answer: To enable accurate correlation and reconstruction of event sequences across systems
The most important reason is to enable accurate correlation and reconstruction of event sequences across systems. When all systems share a synchronized, authoritative time source (such as NTP), analysts and auditors can reliably order events during incident investigation and log review. Unsynchronized clocks make it impossible to trust the sequence of events across devices, undermining forensic and audit value.
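As an added worked example for the clock-synchronization question (not part of the original page): three devices log the same attack chain in three timestamp formats and with three different clock errors. Sorting on the raw timestamps puts the events in the wrong order; subtracting each device's measured offset recovers the causal sequence. The log lines and the offsets are constructed for illustration.

```python
"""Reconstructing event order across devices with drifting clocks (constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed events: (source, raw timestamp in that device's native format, message)
RAW_EVENTS = [
    ("fw01",  "2024-03-05T10:15:44Z",       "ALLOW 203.0.113.7 -> 10.0.0.5:443"),
    ("web01", "05/Mar/2024:10:13:30 +0000", "GET /admin 403"),
    ("db01",  "2024-03-05 10:12:50",         "login failed for app_user"),
]

# Measured offsets (device clock minus reference clock) recorded by the auditor
# before any correction is applied. Hypothetical values.
CLOCK_OFFSETS = {
    "fw01":  timedelta(minutes=2, seconds=17),   # firewall clock runs fast
    "web01": timedelta(0),                        # web server is NTP-synchronized
    "db01":  timedelta(seconds=-45),              # database clock runs slow
}

# Each source writes timestamps in its own format; parse all of them to aware UTC datetimes.
PARSERS = {
    "fw01":  lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
    "web01": lambda s: datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc),
    "db01":  lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
}


def normalize(events, offsets=None):
    """Return events as (utc_time, source, message) sorted by time.
    offsets=None trusts each device clock as-is (the naive view);
    with offsets, each timestamp is corrected to reference time."""
    rows = []
    for source, raw, message in events:
        ts = PARSERS[source](raw)
        if offsets is not None:
            ts -= offsets[source]   # true time = device time - (device - reference)
        rows.append((ts, source, message))
    return sorted(rows)


def event_order(events, offsets=None):
    """Just the source names, in the order the events appear to have happened."""
    return [source for _, source, _ in normalize(events, offsets)]


if __name__ == "__main__":
    print("naive order    :", event_order(RAW_EVENTS))
    print("corrected order:", event_order(RAW_EVENTS, CLOCK_OFFSETS))
    for ts, src, msg in normalize(RAW_EVENTS, CLOCK_OFFSETS):
        print(ts.isoformat(), src, msg)
```

With the raw clocks the database failure appears to precede the firewall permit by almost three minutes; after correction the firewall allow, the web request and the database login attempt fall within eight seconds of each other in the order an investigator would expect. Recording the offsets is only a stopgap; the durable fix is the synchronized time source the question describes.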
- During a security audit, the reviewer finds that audit logs are generated but never examined unless an incident is already suspected. Which classic audit-record management problem does this represent?
- Logs are encrypted and therefore unreadable
- Logs are retained for an excessively long period
- Logs lack any timestamp information
- Logs are not reviewed on a regular and timely basis
Correct answer: Logs are not reviewed on a regular and timely basis
This represents the problem that logs are not reviewed on a regular and timely basis. A recognized weakness in audit-record management is collecting logs but failing to review them routinely, which means malicious activity can go undetected until much later. Regular, often automated, log review is what turns raw audit data into a useful detective control.
- A security manager wants to detect malicious or unauthorized activity in near-real time by automatically analyzing the massive volume of audit logs produced across the enterprise. Which capability BEST supports this objective?
- Disabling verbose logging to reduce noise
- Aggregating logs into a SIEM that performs automated correlation and alerting
- Storing logs only on the originating host
- Manually printing logs and filing them weekly
Correct answer: Aggregating logs into a SIEM that performs automated correlation and alerting
Aggregating logs into a SIEM that performs automated correlation and alerting best supports this objective. A SIEM centralizes audit logs from many sources and applies correlation rules and analytics to surface anomalies and threats far faster than manual review. Keeping logs only on the originating host or printing them prevents timely, enterprise-wide analysis.
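The correlation a SIEM performs is easier to appreciate from one concrete rule. The Python below is an added example, not code from the original page or from any SIEM product: it parses constructed sshd log lines and fires when a single source address produces a burst of failed logins followed by a successful one, a pattern no individual log line reveals. The thresholds, the host names and the addresses are all assumptions made for the example.

```python
"""A small SIEM-style correlation rule run over constructed sshd log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a syslog-like format (not from a real host).
SAMPLE_LOGS = """\
2024-03-05T10:00:01Z host1 sshd[101]: Failed password for admin from 198.51.100.23 port 50011 ssh2
2024-03-05T10:00:03Z host1 sshd[101]: Failed password for admin from 198.51.100.23 port 50012 ssh2
2024-03-05T10:00:04Z host1 sshd[101]: Failed password for root from 198.51.100.23 port 50013 ssh2
2024-03-05T10:00:06Z host1 sshd[101]: Failed password for admin from 198.51.100.23 port 50014 ssh2
2024-03-05T10:00:09Z host1 sshd[101]: Failed password for admin from 198.51.100.23 port 50015 ssh2
2024-03-05T10:00:20Z host1 sshd[102]: Accepted password for admin from 198.51.100.23 port 50016 ssh2
2024-03-05T10:01:00Z host2 sshd[103]: Failed password for bob from 192.0.2.9 port 40001 ssh2
2024-03-05T10:07:00Z host2 sshd[104]: Accepted password for bob from 192.0.2.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, host, outcome, user, src_ip) for every line the regex matches."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["outcome"], m["user"], m["src"]


def correlate(lines, fail_threshold=5, fail_window=timedelta(seconds=60),
              success_window=timedelta(minutes=5)):
    """Alert when one source IP logs >= fail_threshold failures inside fail_window and then
    an Accepted login within success_window of the last failure: brute force followed by
    success. A lone failure or a lone success never fires."""
    failures = defaultdict(list)      # src_ip -> timestamps of failures still in the window
    alerts = []
    for ts, host, outcome, user, src in sorted(parse(lines)):
        if outcome == "Failed":
            window = failures[src] + [ts]
            failures[src] = [t for t in window if ts - t <= fail_window]  # slide the window
        else:
            recent = failures.get(src, [])
            if len(recent) >= fail_threshold and ts - recent[-1] <= success_window:
                alerts.append({
                    "rule": "brute-force-then-success",
                    "src": src, "user": user, "host": host,
                    "failures": len(recent), "success_at": ts.isoformat(),
                })
            failures.pop(src, None)   # a success closes the episode either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The rule fires once, for 198.51.100.23 logging in as admin after five failures in eight seconds, and stays silent for 192.0.2.9, whose single typo followed by a correct password is normal behaviour. Real SIEMs express the same logic in their own rule languages and add enrichment (asset owner, geolocation, threat-intelligence hits) before an analyst ever sees the alert.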
- A team wants source code analyzed for security flaws automatically as part of the build pipeline, examining the code without executing it. Which form of code review is MOST appropriate?
- A user acceptance test executed by business stakeholders
- Manual penetration testing of production
- Dynamic black box scanning of the running application
- Automated static application security testing (SAST)
Correct answer: Automated static application security testing (SAST)
Automated static application security testing (SAST) is most appropriate. SAST tools analyze source code, bytecode, or binaries without running the program, making them ideal for integration into a build pipeline to catch flaws early. Dynamic scanning and penetration testing require a running application and occur later in the lifecycle, so they do not satisfy the request to review code as it is built.
- An organization wants to maximize the security value of its peer code reviews. Which practice MOST improves the effectiveness of manual security-focused code review?
- Having the original author review only their own code in isolation
- Limiting reviews to changes larger than 1,000 lines at once
- Using a structured checklist of common vulnerability patterns and secure-coding standards
- Reviewing only code that has already passed all functional tests
Correct answer: Using a structured checklist of common vulnerability patterns and secure-coding standards
Using a structured checklist of common vulnerability patterns and secure-coding standards most improves effectiveness. Checklists guide reviewers to consistently look for known issues such as injection, improper input validation, and weak authentication, reducing reliance on memory. Self-review by the author and very large change sets both tend to reduce defect-detection rates rather than improve them.
- A penetration tester completes the scanning phase and now attempts to actually leverage a discovered flaw to gain a foothold on the target. Which penetration testing phase is the tester performing?
- Reporting
- Exploitation
- Reconnaissance
- Discovery
Correct answer: Exploitation
The tester is performing the exploitation phase. Exploitation is the stage where the tester actively attempts to take advantage of identified vulnerabilities to compromise the system, which distinguishes a penetration test from a non-intrusive vulnerability scan. Reconnaissance and discovery precede this by gathering information, and reporting follows after testing concludes.
- Management asks why a quarterly authenticated vulnerability scan cannot simply replace the annual penetration test. What is the BEST explanation of the difference?
- Vulnerability scanning requires manual analysts, while penetration testing is fully automated
- They are identical activities with different names used by different vendors
- Vulnerability scanning identifies and reports potential weaknesses, while penetration testing attempts to exploit them to demonstrate real-world impact
- Vulnerability scanning exploits flaws to prove impact, while penetration testing only lists them
Correct answer: Vulnerability scanning identifies and reports potential weaknesses, while penetration testing attempts to exploit them to demonstrate real-world impact
The best explanation is that vulnerability scanning identifies and reports potential weaknesses, while penetration testing attempts to exploit them to demonstrate real-world impact. Scanning is broad and largely automated, producing a prioritized list of possible exposures, but it does not prove exploitability or chain weaknesses together. Penetration testing validates which findings are genuinely exploitable and what an attacker could achieve, which scanning alone cannot show.
- As part of an account management review, an auditor compares the list of active system accounts against current HR records. Which finding is the auditor PRIMARILY trying to detect?
- Whether passwords meet the minimum complexity policy
- Whether logs are stored for the required retention period
- Whether dormant or orphaned accounts belonging to terminated or transferred users still exist
- Whether the network uses encryption in transit
Correct answer: Whether dormant or orphaned accounts belonging to terminated or transferred users still exist
The auditor is primarily trying to detect dormant or orphaned accounts belonging to terminated or transferred users that still exist. Reconciling active accounts against authoritative HR data reveals accounts that should have been disabled, a common source of unauthorized access. Password complexity, encryption, and log retention are separate controls evaluated by other tests.
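An account reconciliation of the kind the question describes is a join between the identity store and the HR roster, with a handful of checks on the result. The Python below is an added example, not code from the original page: all HR records, accounts, group names and the review date are constructed, and the department-to-group entitlement model is a hypothetical one invented for the illustration. It goes slightly beyond the question by also flagging transferred users who kept their old group and accounts that have gone dormant.

```python
"""Reconciling active accounts against an HR roster (constructed records)."""
from datetime import date

REVIEW_DATE = date(2024, 3, 5)   # the "as of" date of the review (hypothetical)

# Authoritative HR records (constructed): employee_id -> attributes
HR_RECORDS = {
    "E100": {"status": "active",     "dept": "finance"},
    "E101": {"status": "terminated", "dept": "finance", "end_date": date(2024, 1, 15)},
    "E102": {"status": "active",     "dept": "engineering"},   # transferred out of finance
}

# Accounts exported from the directory or IdP (constructed)
ACCOUNTS = [
    {"username": "alice",      "employee_id": "E100", "groups": {"finance-users"},              "last_login": date(2024, 3, 1)},
    {"username": "bob",        "employee_id": "E101", "groups": {"finance-users"},              "last_login": date(2024, 2, 20)},
    {"username": "carol",      "employee_id": "E102", "groups": {"finance-users", "eng-users"}, "last_login": date(2024, 3, 2)},
    {"username": "svc_legacy", "employee_id": None,   "groups": {"domain-admins"},              "last_login": date(2023, 10, 1)},
    {"username": "dave",       "employee_id": "E999", "groups": {"eng-users"},                  "last_login": date(2023, 11, 5)},
]

# Which groups each department is entitled to (hypothetical role model)
DEPT_GROUPS = {"finance": {"finance-users"}, "engineering": {"eng-users"}}


def reconcile(accounts, hr_records, dept_groups, as_of=REVIEW_DATE, dormant_days=90):
    """Return a sorted list of (username, finding) pairs. One account can carry several
    findings; an account with no findings does not appear at all."""
    findings = []
    for acct in accounts:
        user, emp_id = acct["username"], acct["employee_id"]
        record = hr_records.get(emp_id) if emp_id else None

        if emp_id is None:
            findings.append((user, "no-owner"))              # nobody in HR is accountable
        elif record is None:
            findings.append((user, "orphaned"))              # HR has no record of this id
        elif record["status"] == "terminated":
            findings.append((user, "terminated"))            # should already be disabled
            if acct["last_login"] > record["end_date"]:
                findings.append((user, "login-after-termination"))
        else:
            allowed = dept_groups.get(record["dept"], set())
            for group in sorted(acct["groups"] - allowed):
                findings.append((user, f"excess-group:{group}"))   # rights kept after a transfer

        if (as_of - acct["last_login"]).days > dormant_days:
            findings.append((user, "dormant"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile(ACCOUNTS, HR_RECORDS, DEPT_GROUPS):
        print(f"{user:12} {finding}")
```

Run as-is, the review shows alice clean, bob still active five weeks after termination and logged in after his end date, carol carrying a finance group after her transfer, a service account with no human owner that nobody has used in five months, and dave with an employee id HR does not recognize. The last two are exactly the orphaned and dormant accounts the question asks about; the transfer case is why comparing group membership, not just existence, belongs in the same review.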
- A security team deploys tooling that continuously and safely emulates known adversary techniques against production defenses to verify that detection and prevention controls actually fire. This automated, ongoing validation approach is BEST described as:
- A one-time vulnerability assessment
- Breach and attack simulation (BAS)
- User acceptance testing
- Static code analysis
Correct answer: Breach and attack simulation (BAS)
This is best described as breach and attack simulation (BAS). BAS platforms repeatedly and safely launch emulated attack techniques to confirm that controls such as EDR, firewalls, and SIEM alerts respond as intended, providing continuous assurance between formal tests. A one-time vulnerability assessment and static analysis are point-in-time activities that do not continuously validate detection-and-response effectiveness.
- An assessor reviews a requirements traceability matrix (RTM) during a security control assessment. What is the PRIMARY purpose of consulting the RTM?
- To schedule the maintenance window for patching
- To confirm that each defined security requirement maps to a control and to a test that verifies it
- To measure the CPU performance of the application under load
- To encrypt the test data used during assessment
Correct answer: To confirm that each defined security requirement maps to a control and to a test that verifies it
The primary purpose is to confirm that each defined security requirement maps to a control and to a test that verifies it. A requirements traceability matrix links requirements to their implementing controls and to the test cases proving they were met, helping assessors ensure nothing is left untested. It is not a performance, encryption, or scheduling tool.
- Executives want a small set of measurements that signal whether security risk is trending toward an unacceptable level so they can act before an incident occurs. Which type of metric BEST serves this forward-looking purpose?
- Lines of code reviewed per sprint
- Key risk indicators (KRIs)
- Total number of log entries generated
- Mean time between server reboots
Correct answer: Key risk indicators (KRIs)
Key risk indicators (KRIs) best serve this forward-looking purpose. KRIs are predictive metrics with defined thresholds that warn management when risk exposure is rising toward unacceptable levels, enabling proactive decisions. Counts of log entries, code lines, or reboots are operational data points that do not, by themselves, signal changing risk to leadership.
- A security operations team complains that its SIEM generates thousands of alerts daily and analysts cannot keep up with manual triage of repetitive cases. Which capability, when added on top of the SIEM, would MOST directly reduce analyst workload by automatically executing predefined response playbooks?
- A network access control (NAC) appliance
- Security orchestration, automation, and response (SOAR)
- A full-disk encryption deployment
- A second SIEM correlation engine
Correct answer: Security orchestration, automation, and response (SOAR)
Security orchestration, automation, and response (SOAR) is correct because SOAR platforms ingest SIEM alerts and run automated, codified playbooks that enrich, triage, and remediate common cases without analyst intervention, reducing repetitive manual effort. Adding another correlation engine would only produce more alerts, not automate their handling. NAC controls device admission to the network, and full-disk encryption protects data at rest; neither automates incident response.
- During a forensic investigation, an analyst must preserve volatile data before powering down a compromised server. According to accepted forensic practice, which data should be collected FIRST based on the order of volatility?
- Data written to a remote logging server
- Contents of CPU registers, cache, and the routing/ARP table
- Files archived on offline backup tapes
- The system's installed operating system files on disk
Correct answer: Contents of CPU registers, cache, and the routing/ARP table
The contents of CPU registers, cache, and the routing/ARP table should be collected first because the order of volatility dictates that the most ephemeral data, which disappears soonest when power or state changes, must be captured before more durable data. Registers and cache vanish almost immediately, so they take priority over disk files, remote logs, and offline backup media, which persist far longer and can be acquired later.
- An investigator seizes a laptop and documents every person who takes possession of it, the date and time of each transfer, and the reason for handling, from collection through courtroom presentation. What is this documented record called, and why does it matter?
- A service-level agreement, because it defines handling responsibilities
- A risk register, because it tracks the likelihood of evidence loss
- Chain of custody, because it proves evidence integrity and admissibility by showing it was not altered or tampered with
- A baseline configuration, because it records the approved state of the device
Correct answer: Chain of custody, because it proves evidence integrity and admissibility by showing it was not altered or tampered with
This is the chain of custody, which is the chronological documentation showing who handled evidence, when, and why, from seizure to court. It matters because it demonstrates the evidence was protected from alteration or substitution, supporting its integrity and legal admissibility. A baseline configuration records an approved system state, an SLA defines service obligations, and a risk register tracks risks, none of which establish evidentiary integrity.
- A company's business impact analysis determines that an order-processing system has a maximum tolerable downtime (MTD) of 8 hours. The recovery time objective is set to 5 hours. Approximately how much work recovery time (WRT) is available to validate and restore the business process to normal operations?
- About 3 hours, because MTD equals RTO plus WRT
- About 13 hours, because MTD is added to the RTO
- About 5 hours, because WRT always equals the RTO
- About 8 hours, because WRT equals the full MTD
Correct answer: About 3 hours, because MTD equals RTO plus WRT
About 3 hours is correct because maximum tolerable downtime equals recovery time objective plus work recovery time (MTD = RTO + WRT), so WRT = 8 - 5 = 3 hours. RTO is the time to restore systems and infrastructure, while WRT is the additional time to validate, configure, and return the business process to dependable operation, and the two together cannot exceed the MTD.
- An organization wants storage that combines striping for performance with mirroring for redundancy, using at least four drives so that the array tolerates a drive failure while delivering high throughput. Which RAID level BEST fits this requirement?
- JBOD, which concatenates disks without redundancy
- RAID 5, which uses single distributed parity
- RAID 0, which stripes data with no redundancy
- RAID 10 (1+0), which mirrors then stripes the mirrored sets
Correct answer: RAID 10 (1+0), which mirrors then stripes the mirrored sets
RAID 10 (1+0) is correct because it first mirrors pairs of disks and then stripes across the mirrored sets, delivering both high performance from striping and fault tolerance from mirroring, requiring a minimum of four drives. RAID 0 provides striping but no redundancy, RAID 5 uses parity rather than mirroring and rebuilds more slowly, and JBOD offers no fault tolerance at all.
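The mirror-then-stripe layout and its failure tolerance are worth seeing in code. The following Python is an added model for this question, not code from the original page or from any storage product: it keeps each drive as a dictionary of chunks, mirrors within fixed pairs, stripes across the pairs, and then tests which drive failures the array survives. Chunk size, payload and drive numbering are assumptions made for the illustration.

```python
"""A minimal RAID 10 model: mirror within pairs, stripe across pairs (illustrative only)."""


class Raid10:
    """n_drives must be even and at least 4: drives (0,1), (2,3), ... form mirror pairs,
    and consecutive chunks are striped across the pairs round-robin."""

    def __init__(self, n_drives=4):
        if n_drives < 4 or n_drives % 2:
            raise ValueError("RAID 10 needs an even number of drives, at least four")
        self.drives = [dict() for _ in range(n_drives)]   # drive -> {chunk_index: bytes}
        self.failed = set()
        self.pairs = n_drives // 2
        self.length = 0
        self.chunk_size = 4

    def _pair_members(self, chunk_index):
        pair = chunk_index % self.pairs                   # striping across pairs
        return (2 * pair, 2 * pair + 1)                   # mirroring within the pair

    def write_chunk(self, chunk_index, data):
        for d in self._pair_members(chunk_index):
            if d not in self.failed:                      # degraded writes land on the survivor
                self.drives[d][chunk_index] = data

    def read_chunk(self, chunk_index):
        for d in self._pair_members(chunk_index):
            if d not in self.failed and chunk_index in self.drives[d]:
                return self.drives[d][chunk_index]
        raise IOError(f"chunk {chunk_index} lost: both drives of its mirror pair are down")

    def fail_drive(self, d):
        self.failed.add(d)
        self.drives[d].clear()

    def replace_drive(self, d):
        """Rebuild a replaced drive by copying its healthy mirror partner."""
        partner = d ^ 1                                   # 0<->1, 2<->3, ...
        if partner in self.failed:
            raise IOError("no surviving mirror to rebuild from")
        self.failed.discard(d)
        self.drives[d] = dict(self.drives[partner])

    def write(self, data, chunk_size=4):
        self.length, self.chunk_size = len(data), chunk_size
        for i in range(0, len(data), chunk_size):
            self.write_chunk(i // chunk_size, data[i:i + chunk_size])

    def read(self):
        n_chunks = -(-self.length // self.chunk_size)     # ceiling division
        return b"".join(self.read_chunk(i) for i in range(n_chunks))


def survives(failed_drives, data=b"0123456789ABCDEF", n_drives=4):
    """True if the whole payload is still readable after the given drives fail."""
    array = Raid10(n_drives)
    array.write(data)
    for d in failed_drives:
        array.fail_drive(d)
    try:
        return array.read() == data
    except IOError:
        return False


if __name__ == "__main__":
    print("one drive down (0):          ", survives([0]))
    print("two drives, different pairs: ", survives([0, 2]))
    print("two drives, same pair (0,1): ", survives([0, 1]))
    array = Raid10()
    array.write(b"rebuild test payload")
    array.fail_drive(1)
    array.replace_drive(1)
    print("after rebuilding drive 1:     ", array.read() == b"rebuild test payload")
```

The model shows the caveat behind "tolerates a drive failure": a four-drive RAID 10 survives any single failure and even two failures in different pairs, but loses data the moment both members of one mirror pair are gone. Rebuilding is a straight copy from the surviving partner, which is why RAID 10 rebuilds faster than the parity recomputation RAID 5 needs.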
- A retailer needs its e-commerce platform restored and running within 2 hours of an outage and can lose no more than 5 minutes of transactions. The most cost-justified recovery site choice provides fully redundant equipment with near-real-time data replication. Which type of disaster recovery site BEST satisfies these aggressive RTO and RPO targets?
- A hot site, which has fully configured, operational systems with current data ready to take over quickly
- A cold site, which provides only space, power, and HVAC
- A mobile site delivered after the disaster is declared
- A warm site, which has hardware but not current data
Correct answer: A hot site, which has fully configured, operational systems with current data ready to take over quickly
A hot site is correct because it maintains fully configured, running systems with near-current replicated data, enabling recovery within minutes to a couple of hours and minimal data loss, which matches the strict RTO and RPO. A cold site has no equipment or data and takes the longest to bring online, a warm site has hardware but stale or no data requiring restoration time, and a mobile site introduces delivery delay incompatible with a 2-hour RTO.
- A backup administrator runs a full backup every Sunday and a differential backup on each of the other nights of the week. The array fails Thursday afternoon. To fully restore, which backup sets must be applied?
- The last full backup plus every incremental backup since Sunday
- The last full backup plus only the most recent differential backup
- Only the most recent differential backup
- The last full backup plus every differential taken since Sunday
Correct answer: The last full backup plus only the most recent differential backup
Restoring requires the last full backup plus only the most recent differential backup, because a differential captures all data changed since the last full backup, so the newest differential already contains every change. This makes differential restores faster than incremental restores, which would require the full backup plus every incremental in sequence. A single differential alone is insufficient because it does not contain unchanged baseline data.
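The restore logic is easiest to trust when it is simulated. The Python below is an added example, not code from the original page or from any backup product: it models a volume as a dictionary of file contents, takes a week of backups in differential and then incremental mode, derives the restore plan for each, and checks that both plans reproduce the last backed-up state. The file names, contents and the simplification of ignoring deletions are assumptions made for the example.

```python
"""Differential vs incremental backups: what each night captures and what a restore needs."""
from dataclasses import dataclass


@dataclass
class BackupSet:
    day: str
    kind: str          # "full", "differential" or "incremental"
    files: dict        # path -> content captured in this set


# Constructed daily states of a small volume. Sunday gets the full backup; the array
# fails Thursday afternoon, so Wednesday night is the last backup available.
DAILY_STATE = [
    ("Sun", {"a": "a1", "b": "b1", "c": "c1"}),
    ("Mon", {"a": "a2", "b": "b1", "c": "c1"}),
    ("Tue", {"a": "a2", "b": "b2", "c": "c1"}),
    ("Wed", {"a": "a2", "b": "b2", "c": "c1", "d": "d1"}),
]


def take_backups(daily_state, mode):
    """Full on the first night, then one set per night in the given mode.
    differential: everything changed since the last FULL backup.
    incremental:  everything changed since the last backup of ANY kind."""
    sets, full_state, last_state = [], None, None
    for day, state in daily_state:
        if full_state is None:
            sets.append(BackupSet(day, "full", dict(state)))
            full_state = last_state = dict(state)
            continue
        base = full_state if mode == "differential" else last_state
        changed = {path: content for path, content in state.items() if base.get(path) != content}
        sets.append(BackupSet(day, mode, changed))
        last_state = dict(state)
    return sets


def restore_plan(sets):
    """The sets to apply, in order, to reach the state of the most recent backup."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    full, later = sets[last_full], sets[last_full + 1:]
    if not later:
        return [full]
    if later[-1].kind == "differential":
        return [full, later[-1]]          # the newest differential already holds every change
    return [full] + later                 # incrementals must be replayed in sequence


def restore(plan):
    """Apply the sets in order; later sets overwrite earlier copies of the same file."""
    state = {}
    for s in plan:
        state.update(s.files)
    return state


def files_written(sets):
    """Total files captured over the week: the nightly cost side of the trade-off."""
    return sum(len(s.files) for s in sets)


if __name__ == "__main__":
    for mode in ("differential", "incremental"):
        sets = take_backups(DAILY_STATE, mode)
        plan = restore_plan(sets)
        print(mode, "restore applies:", [s.day for s in plan],
              "| files backed up over the week:", files_written(sets),
              "| restored state matches Wednesday:", restore(plan) == DAILY_STATE[-1][1])
```

The differential week restores from two sets (Sunday plus Wednesday) but backs up nine file copies, while the incremental week backs up only six copies and needs all four sets replayed in order; both reach the same Wednesday-night state. Applying the Wednesday differential alone leaves out file `c`, which never changed after Sunday, which is the gap the explanation above points to.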
- A new analyst is learning the standard incident response lifecycle. Which sequence correctly orders the phases as commonly described in security operations guidance?
- Detection; preparation; recovery; containment; lessons learned
- Preparation; detection and analysis; containment, eradication, and recovery; post-incident activity
- Preparation; recovery; detection; containment; eradication
- Containment; preparation; detection; eradication; recovery
Correct answer: Preparation; detection and analysis; containment, eradication, and recovery; post-incident activity
The correct order is preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity, mirroring the widely used NIST-style incident response lifecycle. Preparation establishes capability before an incident, detection and analysis identifies and scopes it, the combined containment/eradication/recovery phase stops and removes the threat and restores operations, and post-incident activity captures lessons learned. The other sequences place reactive phases before preparation or detection, which is illogical.
- After a confirmed malware outbreak has been contained, the response team rebuilds affected hosts from known-good images, removes malicious artifacts, and patches the exploited vulnerability before reconnecting systems. Which incident response activity does this BEST describe?
- Preparation, which builds capability before an incident occurs
- Eradication, which removes the cause and artifacts of the incident before recovery
- Detection, which identifies that an incident has occurred
- Containment, which limits the spread of the incident
Correct answer: Eradication, which removes the cause and artifacts of the incident before recovery
This describes eradication, which removes the root cause and all malicious artifacts, including by rebuilding from clean images and closing the exploited vulnerability, so the threat is gone before systems are recovered. Containment merely limits spread without removing the cause, detection identifies the incident, and preparation occurs before any incident. Eradication precedes recovery, which validates and returns systems to production.
- A CISO must explain to executives why the organization needs both a business continuity plan and a disaster recovery plan. Which statement BEST captures the difference in scope between them?
- The business continuity plan keeps critical business functions operating across people, processes, and facilities, while the disaster recovery plan focuses on restoring IT systems and data
- The disaster recovery plan is broader and includes the business continuity plan as a subset
- Both plans address only IT infrastructure and differ only in activation timing
- The business continuity plan applies only to natural disasters, while the disaster recovery plan applies only to cyberattacks
Correct answer: The business continuity plan keeps critical business functions operating across people, processes, and facilities, while the disaster recovery plan focuses on restoring IT systems and data
The business continuity plan keeps critical business functions operating across people, processes, supply chains, and facilities, while the disaster recovery plan is the narrower IT-focused effort to restore systems and data. Disaster recovery is therefore a component of the broader business continuity program, not the other way around. Both are informed by the business impact analysis and are not limited to specific threat types.
- A bank replicates its production database synchronously to a second data center so that every committed transaction is written to both sites before acknowledgment. Which recovery metric does this design optimize, and what value can it achieve?
- Maximum tolerable downtime (MTD), eliminating downtime entirely
- Recovery point objective (RPO), achieving an RPO of effectively zero data loss
- Recovery time objective (RTO), achieving an RTO of effectively zero
- Mean time between failures (MTBF), increasing it indefinitely
Correct answer: Recovery point objective (RPO), achieving an RPO of effectively zero data loss
This optimizes the recovery point objective (RPO), driving it toward effectively zero because synchronous replication guarantees that no committed transaction is lost, since data exists at both sites before acknowledgment. RPO measures acceptable data loss in time, which is what replication frequency controls. RTO measures restoration time and is not guaranteed to be zero just because data loss is, and MTD and MTBF measure outage tolerance and failure intervals respectively.
- A security operations center wants to detect insider threats and compromised accounts by establishing a behavioral baseline for each user and flagging statistically significant deviations, such as a user suddenly accessing systems at unusual hours from an unfamiliar location. Which capability BEST provides this?
- A signature-based antivirus engine
- A static application security testing (SAST) tool
- A network time protocol (NTP) server
- User and entity behavior analytics (UEBA)
Correct answer: User and entity behavior analytics (UEBA)
User and entity behavior analytics (UEBA) is correct because it builds baselines of normal behavior for users and entities and uses analytics to flag anomalous activity that signature-based tools miss, making it well suited to insider threat and account-compromise detection. Signature-based antivirus only catches known malware patterns, SAST analyzes source code for flaws, and an NTP server synchronizes clocks; none model behavioral baselines.
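A per-user baseline is the core of UEBA, and a small statistical one is enough to show why the same 03:00 login is an anomaly for one user and routine for another. The Python below is an added example, not code from the original page or from any UEBA product: the login history, the new events, the z-score threshold and the locations are constructed, and hour of day is treated on a straight line rather than a circle (a caveat noted in the code).

```python
"""Per-user behavioral baselines and anomaly scoring on constructed login events."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed history: (user, hour_of_day, location). alice works days from NYC;
# bob is a night-shift operator in Denver, so 03:00 is normal for him and not for her.
HISTORY = (
    [("alice", h, "NYC") for h in [8, 9, 9, 10, 10, 10, 11, 11, 12, 12,
                                   13, 13, 14, 14, 15, 15, 16, 16, 17, 17]]
    + [("bob", h, "DEN") for h in [0, 1, 1, 2, 2, 2, 3, 3, 4, 4,
                                   1, 2, 3, 2, 1, 3, 2, 1, 2, 3]]
)

# Constructed new events to score against the baselines
NEW_EVENTS = [
    ("alice", 3, "RU-MOW"),   # 03:00 from a never-seen location
    ("alice", 18, "NYC"),     # a late evening, still within her normal spread
    ("bob", 3, "DEN"),        # routine for a night-shift user
    ("erin", 3, "LHR"),       # no history yet: cannot be scored
]


def build_baselines(history, min_events=10):
    """Per-user mean and standard deviation of login hour plus the set of seen locations.
    Users with too little history are skipped so a thin baseline does not generate noise."""
    hours, places = defaultdict(list), defaultdict(set)
    for user, hour, loc in history:
        hours[user].append(hour)
        places[user].add(loc)
    baselines = {}
    for user, hs in hours.items():
        if len(hs) >= min_events:
            baselines[user] = {"mean": mean(hs), "stdev": stdev(hs), "locations": places[user]}
    return baselines


def score_event(event, baselines, z_threshold=2.5):
    """Return the reasons an event deviates from its user's baseline (empty list = normal).
    Hour is scored linearly; a production model would use a circular distance so that
    23:00 and 00:00 count as neighbours."""
    user, hour, loc = event
    base = baselines.get(user)
    if base is None:
        return ["no-baseline"]
    reasons = []
    z = abs(hour - base["mean"]) / base["stdev"] if base["stdev"] else 0.0
    if z > z_threshold:
        reasons.append(f"unusual-hour(z={z:.1f})")
    if loc not in base["locations"]:
        reasons.append(f"new-location({loc})")
    return reasons


def detect(history, new_events):
    """Score every new event against baselines built from the history."""
    baselines = build_baselines(history)
    return {event: score_event(event, baselines) for event in new_events}


if __name__ == "__main__":
    for event, reasons in detect(HISTORY, NEW_EVENTS).items():
        print(event, "->", reasons or ["normal"])
```

Only alice's 03:00 login from an unseen location is flagged, on two independent grounds; her 18:00 login is within two standard deviations and passes, and bob's 03:00 login is the middle of his normal pattern. The "no-baseline" result for erin is the cold-start problem every behavioral system has to handle, usually by falling back to peer-group or signature-based checks until enough history accumulates.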
- An administrator is granted standing domain-administrator rights used only a few times per quarter. To reduce the risk of these powerful credentials being abused or stolen, which control BEST limits exposure by granting elevated access only for a specific task and time window with full session logging?
- Disabling password complexity for the admin account
- Granting the rights to the user's everyday workstation login
- Privileged access management (PAM) with just-in-time elevation
- Permanently assigning the rights to a shared service account
Correct answer: Privileged access management (PAM) with just-in-time elevation
Privileged access management (PAM) with just-in-time elevation is correct because it issues elevated rights only for an approved task and limited time window, vaults and rotates credentials, and records the privileged session, sharply reducing standing-privilege risk. Sharing the account or attaching admin rights to a daily login expands exposure and breaks accountability, and weakening password rules increases risk rather than reducing it.
- A security policy requires that an administrator be able to read a file only if they have both the appropriate clearance and a demonstrated business reason to access that specific file for their current task. Which principle is being enforced?
- Need-to-know, which restricts access to the specific information required for a task even when clearance exists
- Defense in depth, which layers multiple controls
- Separation of duties, which splits a sensitive task among individuals
- Least privilege, which limits the actions a subject can perform
Correct answer: Need-to-know, which restricts access to the specific information required for a task even when clearance exists
Need-to-know is correct because it restricts access to the specific information an individual requires to perform a task, so even a user with sufficient clearance is denied data they have no current business reason to see. Least privilege governs the scope of permitted actions and rights more broadly, separation of duties divides a task among people to prevent fraud, and defense in depth layers controls; none captures the task-specific information restriction.
- A configuration management database (CMDB) shows that a production web server has drifted from its approved hardened baseline, with several unauthorized services enabled. From a security operations standpoint, what is the PRIMARY value of detecting and correcting this drift?
- It increases the server's raw processing performance
- It reduces the attack surface and ensures systems remain in a known, approved, and auditable secure state
- It eliminates the need for vulnerability scanning
- It guarantees compliance with every external regulation automatically
Correct answer: It reduces the attack surface and ensures systems remain in a known, approved, and auditable secure state
Detecting and correcting drift reduces the attack surface and keeps systems in a known, approved, and auditable secure state, which is the primary security value of configuration management. Unauthorized services expand the attack surface and undermine accountability. Correcting drift does not boost raw performance, replace vulnerability scanning, or by itself guarantee blanket regulatory compliance.
- A formal change management process requires that every proposed change be reviewed, approved, tested, and documented, with a defined rollback procedure, before deployment to production. From a security perspective, what is the PRIMARY benefit of this process?
- It prevents unauthorized or untested changes from introducing vulnerabilities or instability into production
- It removes the need for separation of duties in operations
- It transfers all operational risk to the change requester
- It accelerates every change by skipping testing steps
Correct answer: It prevents unauthorized or untested changes from introducing vulnerabilities or instability into production
The primary benefit is that formal change management prevents unauthorized or untested changes from introducing vulnerabilities or outages into production by requiring review, approval, testing, and a documented rollback path. It complements rather than removes separation of duties, it deliberately includes testing instead of skipping it, and it manages risk through controls rather than transferring it to an individual.
- During disaster recovery planning, a team conducts a walkthrough in a conference room where participants talk through their roles and decisions for a simulated outage without touching production systems. Which type of DR test is this, and what is its main advantage?
- A parallel test, whose advantage is processing live transactions at the alternate site
- A simulation test, whose advantage is practicing recovery procedures in a test environment without impacting production
- A tabletop exercise, whose main advantage is validating plans and roles with minimal cost and no operational disruption
- A full interruption test, whose advantage is the highest realism
Correct answer: A tabletop exercise, whose main advantage is validating plans and roles with minimal cost and no operational disruption
This is a tabletop exercise, a discussion-based walkthrough whose main advantage is validating the plan, roles, and decisions at low cost without disrupting operations. A full-interruption test actually shuts down production for maximum realism and risk, and a parallel test brings up the alternate site alongside production but does not switch over live traffic; a simulation test exercises recovery procedures in a test environment, which is more hands-on than a tabletop but still avoids production impact.
- A security operations manager argues that, despite all preventive controls, the organization must invest in continuous log review, intrusion detection, and SIEM monitoring. Which control type do these monitoring measures primarily represent, and why are they essential?
- Corrective controls, because they restore systems after damage
- Compensating controls, because they replace a missing primary control
- Preventive controls, because they block attacks before they occur
- Detective controls, because they identify and alert on incidents that preventive controls fail to stop
Correct answer: Detective controls, because they identify and alert on incidents that preventive controls fail to stop
Log review, intrusion detection, and SIEM monitoring are detective controls because they identify and alert on suspicious or malicious activity that slipped past preventive measures, enabling timely response. They are essential because no preventive control is perfect, so detection limits dwell time and damage. They do not block attacks (preventive), restore systems (corrective), or stand in for a missing control (compensating).
- A development team is choosing a methodology for a project where regulatory requirements are fixed and fully known up front, documentation is heavily audited, and the customer will not be available for frequent feedback. Comparing waterfall and agile, which characteristic of the waterfall model makes it the better fit here?
- It welcomes changing requirements late in development without rework
- It progresses through sequential, gated phases with comprehensive documentation before moving forward
- It relies on daily stand-ups and continuous customer collaboration to set priorities
- It delivers a working increment at the end of every short iteration
Correct answer: It progresses through sequential, gated phases with comprehensive documentation before moving forward
Waterfall progresses through sequential, gated phases (requirements, design, implementation, testing, deployment, maintenance) with comprehensive documentation completed before the next phase begins, which suits fixed, well-understood requirements and heavy audit needs. Agile, by contrast, is built for evolving requirements, frequent iterative delivery, and continuous customer collaboration, so the iteration and late-change characteristics describe agile, not waterfall.
- During a code review, a security analyst finds a C function that copies a user-supplied string into a fixed 64-byte stack array using a function that performs no length checking. An attacker supplies 200 bytes. What is the MOST direct consequence the analyst should flag?
- A race condition between checking and using the array
- A buffer overflow that can overwrite adjacent memory, including the return address, and may allow code execution
- A SQL injection that lets the attacker read the database
- A cross-site scripting payload that runs in another user's browser
Correct answer: A buffer overflow that can overwrite adjacent memory, including the return address, and may allow code execution
A buffer overflow occurs because writing 200 bytes into a 64-byte buffer with no bounds checking spills into adjacent stack memory and can overwrite the saved return address, redirecting execution to attacker-controlled code. SQL injection and cross-site scripting are input-injection web flaws unrelated to fixed-size memory copies, and a race condition involves timing between a check and a use rather than an oversized write.
- A web application echoes a user's search term directly into the HTML response without encoding, and an attacker submits a term containing a script tag that then runs in other visitors' browsers. According to the most recent OWASP Top 10, this stored or reflected flaw falls under which category, and what is the MOST effective remediation?
- Security misconfiguration, fixed by disabling directory listing
- Broken access control, fixed by adding role checks
- Cryptographic failures, fixed by enabling TLS
- Injection, fixed with context-aware output encoding of the data when it is rendered
Correct answer: Injection, fixed with context-aware output encoding of the data when it is rendered
Cross-site scripting is grouped under the Injection category in the current OWASP Top 10 (2021), and the most effective remediation is context-aware output encoding so the script tag is rendered as inert text rather than executed. Enabling TLS, disabling directory listing, or adding role checks address different OWASP categories and do not stop the malicious script from running in the browser.
- A penetration tester enters a single quote into a login field and the application returns a database syntax error, then crafts input that returns all user rows. Beyond using parameterized queries, which additional database-side practice MOST reduces the impact if a SQL injection flaw is later discovered?
- Running the application's database account with full administrative privileges
- Storing the database on the same server as the web application
- Increasing the maximum query timeout value
- Applying least privilege so the application account can only perform the operations it actually needs
Correct answer: Applying least privilege so the application account can only perform the operations it actually needs
Applying least privilege to the application's database account limits the damage of a successful SQL injection because a compromised query can only do what that constrained account is permitted to do. Granting full administrative rights maximizes the blast radius, and timeout values or server colocation do nothing to contain injection abuse.
- A team is mapping the Software Capability Maturity Model (CMM) to their development organization. Their processes are documented and consistent enough that successful results can be reliably repeated on similar projects, but they have not yet defined a single organization-wide standard process. Which CMM level BEST describes them?
- Level 3 - Defined
- Level 1 - Initial
- Level 5 - Optimizing
- Level 2 - Repeatable
Correct answer: Level 2 - Repeatable
The Repeatable level (Level 2) describes an organization with documented, established project-management processes whose successes can be repeated, but without a single organization-wide standard process. The Defined level (Level 3) is where that organization-wide standard process exists, Initial (Level 1) is ad hoc and chaotic, and Optimizing (Level 5) features continuous, measured process improvement.
- A security architect is writing secure coding standards and wants developers to handle untrusted input correctly. Which guidance reflects a recognized secure coding practice for input validation?
- Prefer allow-list (positive) validation that accepts only known-good values over deny-list filtering of known-bad values
- Validate input only on the client side to reduce server load
- Reject input only after it has been used in a database query
- Trust input from authenticated users without validation
Correct answer: Prefer allow-list (positive) validation that accepts only known-good values over deny-list filtering of known-bad values
A recognized secure coding practice is to prefer allow-list (positive) validation, which accepts only input matching a defined set of known-good formats, because deny-lists of known-bad patterns are easily bypassed by novel attacks. Client-side-only validation can be trivially bypassed, validating after use defeats the purpose, and authenticated users can still send malicious input, so their accounts must not be implicitly trusted.
- An organization wants security woven through its software development lifecycle rather than bolted on at the end. Which sequence of security activities correctly aligns to the SDLC phases from earliest to latest?
- Secure coding, then security requirements, then incident response, then design review
- Security requirements, then threat modeling and secure design, then secure coding and static analysis, then security testing before release
- Static analysis, then requirements gathering, then architecture review, then deployment
- Penetration testing, then threat modeling, then security requirements, then secure coding
Correct answer: Security requirements, then threat modeling and secure design, then secure coding and static analysis, then security testing before release
Security activities should follow the lifecycle order: define security requirements during requirements, perform threat modeling and secure design during design, apply secure coding and static analysis during implementation, and conduct security testing before release. Placing penetration testing or coding before requirements and design inverts the lifecycle and forces costly late rework, which is exactly what building security into the SDLC aims to prevent.
- Two concurrent processes on a shared system both check that a temporary file does not exist and then create it, but an attacker exploits the gap between the check and the creation to substitute a symbolic link to a sensitive file. Which secure coding measure BEST prevents this race condition?
- Increasing the application's memory allocation
- Using atomic operations or proper file locking so the check and the action cannot be separated
- Encrypting the temporary file after it is created
- Logging every file access for later review
Correct answer: Using atomic operations or proper file locking so the check and the action cannot be separated
Using atomic operations or proper file locking eliminates the time-of-check to time-of-use gap by making the check and the action a single uninterruptible step, so an attacker cannot swap the resource in between. Encryption, more memory, and after-the-fact logging do nothing to close the timing window that defines a race condition.
- A CISO reviewing the OWASP Top 10 wants to address the category that the latest edition ranks as the most prevalent risk. Which category occupies the top position in OWASP Top 10:2021, and what does it involve?
- Server-Side Request Forgery - coercing the server into making unintended requests
- Security Logging and Monitoring Failures - inability to detect breaches
- Cross-Site Scripting - injecting scripts that run in victims' browsers
- Broken Access Control - users acting outside their intended permissions, such as accessing other users' records or admin functions
Correct answer: Broken Access Control - users acting outside their intended permissions, such as accessing other users' records or admin functions
Broken Access Control sits at the top of the OWASP Top 10:2021 and involves failures that let users act outside their intended permissions, such as viewing another user's records, forcing access to privileged pages, or tampering with tokens to elevate privilege. The other listed items are real OWASP Top 10 risks (cross-site scripting is folded into the Injection category in the 2021 edition) but rank below Broken Access Control in the current edition.
- A software security program manager must demonstrate to leadership how a buffer overflow in a legacy C++ service is being mitigated without rewriting it immediately. Which combination of runtime defenses MOST directly reduces the exploitability of memory-corruption flaws?
- Mandatory access control labels and security clearances
- TLS 1.3 and certificate pinning
- Stronger password hashing and account lockout
- Address space layout randomization, non-executable stack/data execution prevention, and stack canaries
Correct answer: Address space layout randomization, non-executable stack/data execution prevention, and stack canaries
Address space layout randomization, non-executable memory protections such as data execution prevention, and stack canaries are runtime defenses that directly raise the difficulty of exploiting memory-corruption flaws like buffer overflows. Password hashing, access control labels, and transport encryption defend other areas entirely and do not interfere with overwriting a stack buffer.
- A development manager wants to formalize secure coding by adopting an authoritative, freely available set of language-agnostic guidance covering input handling, output encoding, authentication, and error handling. Which resource is the BEST fit?
- The NIST risk management framework for system authorization
- The OWASP Secure Coding Practices guidance
- The ISO 27001 statement of applicability
- The PCI DSS network segmentation requirements
Correct answer: The OWASP Secure Coding Practices guidance
The OWASP Secure Coding Practices guidance is a freely available, language-agnostic checklist of secure coding controls spanning input validation, output encoding, authentication, session management, and error handling, making it ideal for formalizing developer standards. The NIST authorization framework, ISO 27001 statement of applicability, and PCI DSS segmentation rules address governance and infrastructure rather than line-level coding practices.
- A team integrates an application security testing tool into the build pipeline that analyzes source code without executing it, flagging insecure functions and tainted data flows early. Which testing approach is described, and what is its key advantage?
- Penetration testing, which requires a fully deployed production environment
- Dynamic application security testing, which finds flaws only in the running application
- Static application security testing, which examines source code and can catch flaws before the application runs
- Fuzz testing, which sends random malformed inputs to a live endpoint
Correct answer: Static application security testing, which examines source code and can catch flaws before the application runs
Static application security testing examines source code (or binaries) without executing the program, so it can identify insecure functions and tainted data flows early in the build, supporting the shift-left goal of finding defects when they are cheapest to fix. Dynamic testing, fuzzing, and penetration testing all require a running or deployed application and therefore find issues later in the lifecycle.
- A web application accepts a JSON object that is deserialized into server-side objects, and the application also concatenates one of those string fields directly into an operating system command. Which pair of OWASP-recognized risks is present, and which single control addresses BOTH at the data-entry point?
- Injection and insecure deserialization, addressed by rigorous input validation and type/schema enforcement on incoming data
- Security misconfiguration and SSRF, addressed by disabling logging
- Broken authentication and cryptographic failure, addressed by multi-factor authentication
- Vulnerable components and broken access control, addressed by widening permissions
Correct answer: Injection and insecure deserialization, addressed by rigorous input validation and type/schema enforcement on incoming data
Injection (the unsanitized field reaching an OS command) and insecure deserialization (untrusted JSON turned into objects) are both present, and rigorous input validation with strict type and schema enforcement at the data-entry point reduces both by rejecting malformed or unexpected data before it is processed. Multi-factor authentication, disabling logging, or widening permissions do not validate untrusted input and leave both flaws exploitable.