QuestionsLes 125 questions
1 · D1/D3A cloud vendor stores customer PII. The contract is silent on encryption and breach notice. What should the CISO do FIRST?
- Terminate the contract
- Perform a risk assessment and require contractual security and notification clauses
- Encrypt the vendor's servers
- Ignore it until an incident
2 · D7A responder finds active exfiltration. After activating the IR plan, what is the NEXT step?
- Lessons learned
- Mitigation (containment)
- Recovery
- Remediation
3 · D3/D8An app must compute on sensitive data without ever exposing plaintext in memory. Which approach fits BEST?
- Full disk encryption
- Homomorphic encryption or a trusted execution environment
- TLS 1.3
- Hashing the data
4 · D5After a merger, an audit finds active accounts of departed staff. What is the MOST important corrective action?
- Extend password expiry
- Implement deprovisioning and periodic access reviews
- Add more firewalls
- Increase logging only
5 · D1A risk has an ALE of $200,000. Control A costs $50,000/year (residual $40,000); control B costs $120,000/year (residual $10,000). Which is BEST?
- Control A (value +$110,000)
- Control B (value +$70,000)
- Both
- Neither; accept the risk
6 · D4/D6A pentest report shows a critical CVSS 9.8 flaw on an Internet-facing server. What should drive remediation priority?
- Alphabetical order of systems
- Risk: severity, exposure, and asset value
- The easiest fix first
- The newest system first
7 · D3A subject cleared Secret must not read Top Secret. Which model and property enforce this?
- Biba, no write up
- Bell-LaPadula, simple security property (no read up)
- Clark-Wilson, access triple
- Brewer-Nash, dynamic separation
8 · D2A decommissioned cloud tenant must have its data rendered unrecoverable. What is MOST practical?
- Physical destruction of the provider's disks
- Cryptographic erasure of the keys
- Degaussing the arrays
- Trusting default deletion
9 · D5A developer wants to prove user identity using OAuth 2.0 alone. What is the correct guidance?
- OAuth alone authenticates users
- Use OIDC on top of OAuth for authentication
- Use SAML tokens inside OAuth
- Use RADIUS instead
10 · D7A datacenter loses power. The UPS holds for minutes. What is required for a prolonged outage?
- A surge protector
- A generator
- A line conditioner
- More UPS units only
11 · D1/D7During an internal investigation, criminal charges become likely. What must the team ensure?
- Collect evidence informally to save time
- Apply the strictest evidence standards from the start
- Wait for police before touching anything, including RAM
- Downgrade to administrative standards
12 · D3Which combination best protects data in all three states?
- AES at rest, TLS in transit, enclave in use
- Hashing for all states
- ECB mode everywhere
- Plaintext with a firewall
13 · D4A branch office needs uniform cloud-delivered security for remote staff without backhauling traffic. Which architecture?
- A single hardware firewall at HQ
- SASE
- A cold site
- A honeypot
14 · D6A SaaS vendor offers only a SOC 2 Type I. Why might a customer want Type II instead?
- Type II covers financial statements
- Type II proves controls operated effectively over 6–12 months
- Type II is public
- Type I is more rigorous
15 · D8A web app reflects user input into pages unescaped. Which flaw and fix apply?
- SQL injection; parameterized queries
- XSS; output encoding and CSP
- CSRF; anti-CSRF tokens
- Buffer overflow; ASLR
15b · D5A high-security vault reader is tuned to minimize intruders getting in, accepting more legitimate rejections. This lowers which rate?
- FRR
- FAR
- CER only
- Throughput
16 · D1Which is the FIRST security action when acquiring another company?
- Merge the networks
- Perform security due diligence on the target
- Deploy your tools on their systems
- Cancel their vendor contracts
17 · D3Which best distinguishes certification from accreditation?
- Certification is a management decision; accreditation is technical
- Certification is technical evaluation; accreditation is management's risk acceptance
- They are identical
- Accreditation applies only to cloud
18 · D7Which DR test validates the alternate site while production keeps running?
- Checklist
- Tabletop
- Parallel
- Full interruption
19 · D2Analytics needs realistic data without exposing real customers. What is BEST?
- Copy production as-is
- Provide masked or pseudonymized data
- Grant read access to production
- Email extracts to the team
20 · D4A subnet NACL allows inbound but blocks return traffic intermittently. Why?
- NACLs are stateless; return rules must be explicit
- NACLs are stateful
- Security groups block everything
- The subnet is too small
21 · D5Service accounts with weak passwords are being cracked offline via service tickets. Which attack, and fix?
- Pass the hash; disable NTLM
- Kerberoasting; strong service-account passwords and rotation
- Golden ticket; reset KRBTGT
- Spraying; lockout
22 · D1Which most accurately describes residual risk?
- Risk before controls
- Risk remaining after controls, accepted by senior management
- Risk transferred to insurers
- Maximum absorbable risk
23 · D3Why must fire-rated exit doors fail-safe (unlock) on power loss when occupied?
- To protect the servers
- To protect human life and allow evacuation
- To save energy
- To trigger suppression
24 · D6Which testing feeds malformed inputs to trigger crashes?
- Regression testing
- Fuzzing
- Synthetic transactions
- Benchmarking
25 · D8A CI/CD pipeline is compromised and injects code into builds. This is an example of what?
- A DoS attack
- A supply-chain attack
- A phishing campaign
- A rainbow table
26 · D4Which protocol provides authenticity/integrity of DNS responses but not confidentiality?
- DoH
- DNSSEC
- DoT
- DNS over VPN
27 · D7Which incident concept distinguishes an event from an incident?
- Every event is an incident
- An incident harms or threatens security; an event is merely observable
- They are the same
- An event needs police
28 · D1A company must comply with a rule imposed by payment card brands. Which type of requirement is this?
- Legal/regulatory
- Contractual
- Industry standard only
- Voluntary
29 · D5Which access model best fits "a finance manager, on a managed device, during business hours, under $10,000"?
- DAC
- MAC
- RBAC
- ABAC
30 · D3Which cryptographic service does a shared symmetric key NOT provide?
- Confidentiality
- Speed
- Nonrepudiation
- Bulk encryption
31 · D6A researcher finds a flaw in a product. The ethical action is to:
- Publish full exploit details immediately
- Notify the vendor and allow time to fix before disclosure
- Sell it
- Say nothing
32 · D7Which replication achieves an RPO near zero?
- Electronic vaulting
- Remote journaling
- Remote mirroring
- Weekly tapes
33 · D2An unlabeled tape is found in a Confidential storage area. How should it be treated?
- As Public
- At the highest classification until verified
- Destroyed immediately
- Reformatted
34 · D4Which endpoint approach is more secure: allow-listing or deny-listing, and why?
- Deny-listing; it blocks all known good
- Allow-listing; only approved software runs, everything else blocked
- They are equal
- Neither works offline
35 · D1Which is the correct order of NIST RMF steps after "Select"?
- Categorize
- Implement
- Authorize
- Monitor
36 · D3Which best describes a bastion host?
- An ordinary internal server
- A deliberately exposed, hardened host with minimal services
- A wireless AP
- A backup device
37 · D5Which BEST mitigates the "keys to the kingdom" risk of SSO?
- Disable lockout
- Require MFA at the SSO entry point
- Shorten passwords
- Share SSO accounts
38 · D7Which malware lives only in memory to evade file-based AV?
- Macro virus
- Fileless malware
- Adware
- Trojan
39 · D6Which KRI would warn of rising risk?
- % of systems patched last quarter
- Growing number of dormant privileged accounts
- Total incidents last year
- Firewall throughput
40 · D8Which database property ensures concurrent transactions don't interfere?
- Atomicity
- Isolation
- Durability
- Consistency
41 · D4Which is TRUE of a Type 1 hypervisor?
- It runs on a host OS
- It runs on bare metal with a smaller attack surface
- It is used only on laptops
- It inherits host OS vulnerabilities
42 · D1Which intellectual property protection best fits a secret algorithm the company won't disclose?
- Patent
- Copyright
- Trademark
- Trade secret
43 · D3Which attack recovers keys via electromagnetic emissions?
- Known plaintext
- Side-channel (TEMPEST)
- Birthday
- Downgrade
44 · D5Which is a capability, as opposed to an ACL?
- A file's permission list
- A Kerberos ticket listing what a subject may access
- A firewall rule
- A classification label
45 · D7During evacuation, which objective ensures personnel accountability?
- Backing up servers
- Head counts at assembly points
- Testing the firewall
- Rotating tapes
46 · D6Which is the difference between synthetic transactions and RUM?
- Synthetic uses real user traffic; RUM is scripted
- Synthetic is scripted and proactive; RUM observes real traffic
- They are identical
- Neither monitors availability
47 · D2Which lifecycle milestone is most critical for security patching decisions?
- End of life (no longer sold)
- End of support (no more patches)
- General availability
- First release
48 · D4Which best prevents switch-spoofing VLAN hopping?
- Enable DTP everywhere
- Disable trunk negotiation and force access mode
- Use the native VLAN for data
- Broadcast the SSID
49 · D1Which describes the ISC2 ethics canons order?
- Act, Protect, Provide, Advance
- Protect society; Act honorably; Provide service; Advance the profession
- Provide, Protect, Act, Advance
- Protect, Provide, Act, Advance
50 · D3Which fire class involves energized electrical equipment?
- Class A
- Class B
- Class C
- Class K
51 · D5Which is a detective control against fraud by having someone else fill a role?
- Encryption
- Mandatory vacations and job rotation
- A firewall
- MFA
52 · D7Which is the correct order of DR tests by increasing risk?
- Full interruption, parallel, simulation, tabletop, checklist
- Checklist, tabletop, simulation, parallel, full interruption
- Tabletop, checklist, parallel, simulation, full interruption
- Simulation, checklist, tabletop, parallel, full interruption
53 · D8Which is a strong secure-coding practice?
- Deny-list input filtering only
- Allow-list input validation and output encoding
- Verbose error messages to users
- Hard-coded secrets
54 · D4Which fiber is best for a 20 km EMI-immune link?
- Cat6
- Coaxial
- Single-mode fiber
- Cat8
55 · D6Which is required before any security testing?
- A new firewall
- Management approval of scope
- A press release
- A public bounty
56 · D1Which best captures the MTD/RTO/WRT relationship?
- RTO + WRT must not exceed MTD
- RTO must exceed MTD
- WRT equals RPO
- MTD equals RPO
57 · D3Which best distinguishes a TPM from an HSM?
- TPM is a networked module for high-volume keys
- HSM is a dedicated, tamper-resistant module; TPM is a chip on the motherboard
- They are identical
- TPM handles only payments
58 · D5Under current NIST guidance, forced periodic password changes should be:
- Every 30 days
- Avoided unless compromise is evidenced
- Weekly
- Never allowed at all
59 · D7Which is the salvage team's role?
- Recover at the alternate site
- Restore the primary site
- Run the SOC
- Manage backups only
60 · D2Which role determines the purposes and means of processing under GDPR?
- Data processor
- Data controller
- Data subject
- Data custodian
61 · D4Which attack sends forged deauth frames to capture a handshake?
- Evil twin
- Deauthentication attack
- Wardriving
- Jamming
62 · D3Which best defends against a birthday attack?
- Longer hash outputs (collision resistance)
- Shorter keys
- Using ECB mode
- Disabling salting
63 · D6Which team defends and responds during an exercise?
- Red
- Blue
- White
- Purple
64 · D1Which best describes the Delphi technique?
- Quantitative loss calculation
- Anonymous expert consensus over rounds
- A code review method
- A backup rotation
65 · D5Which is the correct Kerberos sequence?
- Service ticket then TGT
- AS issues TGT; then TGS issues service ticket
- TGS issues TGT; then AS issues service ticket
- Password sent to each service
66 · D7Which best justifies out-of-band communications during a disaster?
- They are cheaper
- The normal network may be down
- They are faster in all cases
- They replace the plan
67 · D8Which flaw lets an attacker force the server to request internal resources?
- XSS
- SSRF
- CSRF
- Aggregation
68 · D3Which best explains why patents are sometimes avoided in favor of trade secrets?
- Patents are free
- Patents require public disclosure of the invention
- Trade secrets expire in 20 years
- Patents last forever
69 · D4Which best describes RADIUS vs TACACS+?
- RADIUS uses TCP and encrypts all; TACACS+ uses UDP
- RADIUS uses UDP and encrypts only the password; TACACS+ uses TCP, encrypts all, separates AAA
- Both use UDP
- TACACS+ combines AAA
70 · D6Which report is restricted and covers security under Trust Services Criteria?
- SOC 1
- SOC 2
- SOC 3
- A pentest report
71 · D1Which best describes the difference between a policy and a standard?
- Policy names technologies; standard is high-level
- Policy is high-level intent; standard is a specific mandatory requirement
- Both are optional
- Standard is signed by senior management, policy is not
72 · D3Which best mitigates VM escape risk?
- Run all VMs as root
- Patch the hypervisor and avoid mixing very different sensitivities on one host
- Disable snapshots forever
- Use a single large VM
73 · D5Which best fits federated identity where the IdP is compromised?
- Only one service is affected
- All federated services are exposed
- Nothing happens
- Only logging is affected
74 · D7Which best describes virtual patching?
- Modifying the vulnerable system directly
- Blocking exploitation with an IPS/WAF without changing the system
- Reinstalling the OS
- Deleting the application
75 · D2Which best distinguishes tokenization from encryption?
- Tokens are derived from the value with a key
- Tokens are random substitutes with no mathematical link, resolved via a vault
- Tokenization is reversible by anyone
- They are identical
76 · D4Which is the fundamental principle of zero trust?
- Trust the internal network by default
- Verify every request regardless of location
- A strong perimeter suffices
- Trust after first authentication
77 · D6Which is the most dangerous scan error?
- False positive
- False negative
- True positive
- True negative
78 · D1Which best describes the "prudent person rule"?
- It measures whether management exercised due care
- It measures evidence admissibility
- It measures patent novelty
- It measures background checks
79 · D3Which best describes OCSP stapling?
- A client downloads a full CRL
- The server presents a recent signed proof of non-revocation
- The CA pins a certificate
- Two PKIs cross-certify
80 · D5Which best describes a break-glass account?
- A daily admin account
- A protected emergency account whose every use triggers an alert
- A guest account
- A backup service account
81 · D7Which best mitigates tailgating into a datacenter?
- A longer password policy
- A mantrap and awareness training
- Encryption at rest
- A firewall rule
82 · D8Which risk is most associated with citizen developers on low-code platforms?
- Too much documentation
- Apps bypassing standard security controls and review
- Slow compilation
- No data access
83 · D4Which OSI PDU exists at Layer 3?
- Bits
- Frames
- Packets
- Segments
84 · D1Which is the correct copyright duration for an individual author?
- 20 years from filing
- Life of the author + 70 years
- 10 years renewable
- Forever
85 · D3Which best describes the Chinese Wall (Brewer-Nash) model?
- Static confidentiality labels
- Access rights change dynamically based on prior access to prevent conflicts of interest
- Integrity via transactions
- Eight rules for rights
86 · D5Which is the primary purpose of identity proofing?
- Encrypting traffic
- Verifying a real-world identity before issuing credentials
- Assigning IPs
- Rotating passwords
87 · D7Which best describes a golden ticket attack?
- Forging a service ticket
- Forging a TGT with the KRBTGT hash for near-unlimited domain access
- Reusing an NTLM hash
- Spraying passwords
88 · D6Which SCAP component defines security checklists?
- OVAL
- XCCDF
- CPE
- CCE
89 · D2Which best describes the difference between scoping and tailoring?
- Scoping adapts; tailoring removes
- Scoping removes inapplicable controls; tailoring adapts the baseline (including scoping)
- They are identical
- Both add new controls only
90 · D4Which best describes an evil twin attack?
- A rogue AP planted internally
- A fake AP mimicking a legitimate SSID to lure clients
- Radio jamming
- Mapping networks while driving
91 · D1Which best describes supply chain risk illustrated by SolarWinds?
- Physical theft
- A trusted software update delivering a backdoor
- A weak password
- An insider selling data
92 · D3Which best describes measured boot vs secure boot?
- Secure boot measures; measured boot blocks
- Secure boot blocks unsigned components; measured boot records measurements for attestation
- They are identical
- Neither uses the TPM
93 · D5Which best mitigates MFA fatigue (push bombing)?
- More push prompts
- Number matching
- Disabling MFA
- Shared accounts
94 · D7Which best describes the business records exception?
- All hearsay is inadmissible
- Automatically generated logs are admissible despite the hearsay rule
- Only originals are admissible
- Copies are always preferred
95 · D8Which best describes the Log4j lesson?
- Hardware can be counterfeited
- Dependencies inherit vulnerabilities; use SCA and SBOM
- Passwords must rotate
- Firewalls stop everything
96 · D4Which best describes the purpose of a WAF?
- Routing between VLANs
- Protecting web applications from injection and XSS at Layer 7
- Encrypting disks
- Load balancing only
97 · D6Which best describes a bug bounty?
- A formal six-step code review
- Paying external researchers per valid vulnerability found
- A compliance audit
- A synthetic transaction
98 · D1Which best describes the goal of security governance?
- Security drives business strategy
- Security aligns with and supports business strategy
- Technical teams set priorities
- Auditors govern security
99 · D3Which best describes the difference between aggregation and inference?
- They are identical
- Aggregation adds up benign data; inference deduces restricted data from authorized queries
- Inference adds up; aggregation deduces
- Both require SQL injection
100 · D5Which best describes rule-based vs role-based access control?
- Role-based applies global rules; rule-based uses roles
- Role-based assigns by job role; rule-based applies global rules to all
- They are identical
- Rule-based uses labels
101 · D7Which best justifies not unplugging a suspect machine immediately?
- It voids warranty
- It destroys volatile RAM evidence
- It corrupts the disk
- It emails the attacker
102 · D2Which best describes a data steward's role?
- Sets classification and is accountable
- Ensures data quality and business governance
- Applies backups and ACLs
- Is the person the data describes
103 · D4Which best describes micro-segmentation's purpose?
- Increasing Internet bandwidth
- Controlling east-west traffic and limiting lateral movement
- Replacing encryption
- Removing the perimeter firewall
104 · D1Which best describes the difference between BCP and DRP?
- Identical
- BCP maintains business functions; DRP restores IT
- DRP maintains functions; BCP restores IT
- Both cover only physical security
105 · D3Which best describes the difference between DAC and MAC?
- DAC is system-enforced; MAC is owner-decided
- DAC is owner-decided; MAC is system-enforced via labels
- They are identical
- MAC uses ACLs only
106 · D6Which best describes an exception in remediation?
- Silently ignoring a flaw
- A documented, signed acceptance of risk with compensating controls
- Deleting the finding
- Shutting down the business
107 · D5Which best describes the difference between TOTP and HOTP?
- TOTP is counter-based; HOTP is time-based
- TOTP is time-based; HOTP is counter-based
- They are identical
- Both are static
108 · D7Which best describes the difference between MTBF and MTTR?
- MTBF is repair time; MTTR is between failures
- MTBF is time between failures; MTTR is repair time
- They are identical
- Both measure uptime
109 · D8Which best describes a covert timing channel?
- Using a shared storage location
- Modulating timing to transmit information
- Encrypting data at rest
- A legitimate API call
110 · D4Which best describes the difference between hot and cold sites?
- Cold activates in minutes; hot in weeks
- Hot activates in minutes and costs the most; cold takes days and costs least
- They are identical
- Both are reciprocal agreements
111 · D1Which best describes the difference between qualitative and quantitative risk analysis?
- Qualitative uses monetary values; quantitative uses judgment
- Qualitative uses judgment (Delphi); quantitative uses monetary values (SLE, ALE)
- They are identical
- Both require exact data
112 · D3Which best describes the shared responsibility invariant?
- The provider always secures data
- The customer always secures its data and access
- Neither secures data
- The provider secures nothing
113 · D5Which best describes the difference between need-to-know and least privilege?
- Identical
- Need-to-know concerns information access; least privilege concerns action rights
- Least privilege concerns information only
- Need-to-know concerns physical access only
114 · D7Which best describes the difference between incremental and differential backups?
- Incremental restores 2 sets; differential restores N
- Incremental restores N sets and clears the archive bit; differential restores 2 and doesn't
- They are identical
- Both restore 1 set
115 · D6Which best describes the difference between an internal and third-party audit?
- Internal offers the most independence
- Third-party (independent) offers the most objectivity
- They are identical
- Internal is always unbiased
116 · D2Which best describes the risk of retaining data longer than needed?
- No risk if backed up
- Increased breach exposure, eDiscovery cost, and legal violations
- Only wasted storage
- Better analytics
117 · D4Which best describes the difference between full and split tunnel VPN?
- Full tunnel is faster and riskier
- Full tunnel routes all traffic through the enterprise (safer); split tunnel routes only corporate traffic (device can bridge)
- They are identical
- Split tunnel encrypts more
118 · D3Which best describes forward secrecy in TLS 1.3?
- A compromised session key exposes past sessions
- A compromised session key does not compromise past sessions
- It removes encryption
- It uses ECB mode
119 · D5Which best describes the difference between a data owner and a data custodian?
- Custodian classifies; owner applies backups
- Owner classifies and is accountable; custodian applies protection
- They are identical
- Owner is the IT department by default
120 · D7Which best describes the difference between allow-listing and deny-listing?
- Deny-listing only permits approved software
- Allow-listing permits only approved software (safer); deny-listing blocks known bad
- They are identical
- Both permit all software
121 · D1Which best describes the difference between an incident and a breach?
- Identical
- A breach is a successful bypass of controls (e.g., actual data exfiltration)
- An incident is always a breach
- A breach is only physical
122 · D8Which best describes the primary defense against CSRF?
- Output encoding
- Anti-CSRF tokens and SameSite cookies
- Parameterized queries
- ASLR
123 · D4Which best describes the difference between north-south and east-west traffic?
- North-south is server-to-server; east-west is client-to-datacenter
- North-south is external-to-datacenter; east-west is server-to-server internal
- They are identical
- Both are external
124 · D6Which best describes the difference between SAST and DAST?
- SAST tests the running app; DAST reads source code
- SAST analyzes source code statically; DAST tests the running application
- They are identical
- Both require production access
125 · D7A ransom note appears on a production server. What should the team do FIRST?
- Pay the ransom
- Activate the incident response plan
- Wipe and restore immediately
- Email all staff