CISSP · Réussir du premier coup

Chapitre 26
Examen blanc
n° 2

125 questions calibrées « zone haute » du CAT : scénarios, multi-domaines, pièges fins — le test le plus proche de l'épreuve.

Durée cible
2 h 30 · conditions réelles strictes
Difficulté
85 % scénarios · questions multi-domaines
Seuil
≥ 80 % global et ≥ 70 % par domaine
Mode d'emploi
  • Aucune question réutilisée du chapitre 25 ni des quiz. Difficulté volontairement supérieure.
  • Beaucoup de « BEST/FIRST/MOST » et de scénarios croisant plusieurs domaines — lisez le mot-clé, gardez le réflexe du manager.
  • Traitez d'affilée, chronomètre lancé, sans notes ni corrigé.
  • Seuil de confiance avant de réserver : ≥ 80 % global et ≥ 70 % par domaine.

QuestionsLes 125 questions

1 · D1/D3

A cloud vendor stores customer PII. The contract is silent on encryption and breach notice. What should the CISO do FIRST?

  1. Terminate the contract
  2. Perform a risk assessment and require contractual security and notification clauses
  3. Encrypt the vendor's servers
  4. Ignore it until an incident
2 · D7

A responder finds active exfiltration. After activating the IR plan, what is the NEXT step?

  1. Lessons learned
  2. Mitigation (containment)
  3. Recovery
  4. Remediation
3 · D3/D8

An app must compute on sensitive data without ever exposing plaintext in memory. Which approach fits BEST?

  1. Full disk encryption
  2. Homomorphic encryption or a trusted execution environment
  3. TLS 1.3
  4. Hashing the data
4 · D5

After a merger, an audit finds active accounts of departed staff. What is the MOST important corrective action?

  1. Extend password expiry
  2. Implement deprovisioning and periodic access reviews
  3. Add more firewalls
  4. Increase logging only
5 · D1

A risk has an ALE of $200,000. Control A costs $50,000/year (residual $40,000); control B costs $120,000/year (residual $10,000). Which is BEST?

  1. Control A (value +$110,000)
  2. Control B (value +$70,000)
  3. Both
  4. Neither; accept the risk
6 · D4/D6

A pentest report shows a critical CVSS 9.8 flaw on an Internet-facing server. What should drive remediation priority?

  1. Alphabetical order of systems
  2. Risk: severity, exposure, and asset value
  3. The easiest fix first
  4. The newest system first
7 · D3

A subject cleared Secret must not read Top Secret. Which model and property enforce this?

  1. Biba, no write up
  2. Bell-LaPadula, simple security property (no read up)
  3. Clark-Wilson, access triple
  4. Brewer-Nash, dynamic separation
8 · D2

A decommissioned cloud tenant must have its data rendered unrecoverable. What is MOST practical?

  1. Physical destruction of the provider's disks
  2. Cryptographic erasure of the keys
  3. Degaussing the arrays
  4. Trusting default deletion
9 · D5

A developer wants to prove user identity using OAuth 2.0 alone. What is the correct guidance?

  1. OAuth alone authenticates users
  2. Use OIDC on top of OAuth for authentication
  3. Use SAML tokens inside OAuth
  4. Use RADIUS instead
10 · D7

A datacenter loses power. The UPS holds for minutes. What is required for a prolonged outage?

  1. A surge protector
  2. A generator
  3. A line conditioner
  4. More UPS units only
11 · D1/D7

During an internal investigation, criminal charges become likely. What must the team ensure?

  1. Collect evidence informally to save time
  2. Apply the strictest evidence standards from the start
  3. Wait for police before touching anything, including RAM
  4. Downgrade to administrative standards
12 · D3

Which combination best protects data in all three states?

  1. AES at rest, TLS in transit, enclave in use
  2. Hashing for all states
  3. ECB mode everywhere
  4. Plaintext with a firewall
13 · D4

A branch office needs uniform cloud-delivered security for remote staff without backhauling traffic. Which architecture?

  1. A single hardware firewall at HQ
  2. SASE
  3. A cold site
  4. A honeypot
14 · D6

A SaaS vendor offers only a SOC 2 Type I. Why might a customer want Type II instead?

  1. Type II covers financial statements
  2. Type II proves controls operated effectively over 6–12 months
  3. Type II is public
  4. Type I is more rigorous
15 · D8

A web app reflects user input into pages unescaped. Which flaw and fix apply?

  1. SQL injection; parameterized queries
  2. XSS; output encoding and CSP
  3. CSRF; anti-CSRF tokens
  4. Buffer overflow; ASLR
15b · D5

A high-security vault reader is tuned to minimize intruders getting in, accepting more legitimate rejections. This lowers which rate?

  1. FRR
  2. FAR
  3. CER only
  4. Throughput
16 · D1

Which is the FIRST security action when acquiring another company?

  1. Merge the networks
  2. Perform security due diligence on the target
  3. Deploy your tools on their systems
  4. Cancel their vendor contracts
17 · D3

Which best distinguishes certification from accreditation?

  1. Certification is a management decision; accreditation is technical
  2. Certification is technical evaluation; accreditation is management's risk acceptance
  3. They are identical
  4. Accreditation applies only to cloud
18 · D7

Which DR test validates the alternate site while production keeps running?

  1. Checklist
  2. Tabletop
  3. Parallel
  4. Full interruption
19 · D2

Analytics needs realistic data without exposing real customers. What is BEST?

  1. Copy production as-is
  2. Provide masked or pseudonymized data
  3. Grant read access to production
  4. Email extracts to the team
20 · D4

A subnet NACL allows inbound but blocks return traffic intermittently. Why?

  1. NACLs are stateless; return rules must be explicit
  2. NACLs are stateful
  3. Security groups block everything
  4. The subnet is too small
21 · D5

Service accounts with weak passwords are being cracked offline via service tickets. Which attack, and fix?

  1. Pass the hash; disable NTLM
  2. Kerberoasting; strong service-account passwords and rotation
  3. Golden ticket; reset KRBTGT
  4. Spraying; lockout
22 · D1

Which most accurately describes residual risk?

  1. Risk before controls
  2. Risk remaining after controls, accepted by senior management
  3. Risk transferred to insurers
  4. Maximum absorbable risk
23 · D3

Why must fire-rated exit doors fail-safe (unlock) on power loss when occupied?

  1. To protect the servers
  2. To protect human life and allow evacuation
  3. To save energy
  4. To trigger suppression
24 · D6

Which testing feeds malformed inputs to trigger crashes?

  1. Regression testing
  2. Fuzzing
  3. Synthetic transactions
  4. Benchmarking
25 · D8

A CI/CD pipeline is compromised and injects code into builds. This is an example of what?

  1. A DoS attack
  2. A supply-chain attack
  3. A phishing campaign
  4. A rainbow table
26 · D4

Which protocol provides authenticity/integrity of DNS responses but not confidentiality?

  1. DoH
  2. DNSSEC
  3. DoT
  4. DNS over VPN
27 · D7

Which incident concept distinguishes an event from an incident?

  1. Every event is an incident
  2. An incident harms or threatens security; an event is merely observable
  3. They are the same
  4. An event needs police
28 · D1

A company must comply with a rule imposed by payment card brands. Which type of requirement is this?

  1. Legal/regulatory
  2. Contractual
  3. Industry standard only
  4. Voluntary
29 · D5

Which access model best fits "a finance manager, on a managed device, during business hours, under $10,000"?

  1. DAC
  2. MAC
  3. RBAC
  4. ABAC
30 · D3

Which cryptographic service does a shared symmetric key NOT provide?

  1. Confidentiality
  2. Speed
  3. Nonrepudiation
  4. Bulk encryption
31 · D6

A researcher finds a flaw in a product. The ethical action is to:

  1. Publish full exploit details immediately
  2. Notify the vendor and allow time to fix before disclosure
  3. Sell it
  4. Say nothing
32 · D7

Which replication achieves an RPO near zero?

  1. Electronic vaulting
  2. Remote journaling
  3. Remote mirroring
  4. Weekly tapes
33 · D2

An unlabeled tape is found in a Confidential storage area. How should it be treated?

  1. As Public
  2. At the highest classification until verified
  3. Destroyed immediately
  4. Reformatted
34 · D4

Which endpoint approach is more secure: allow-listing or deny-listing, and why?

  1. Deny-listing; it blocks all known good
  2. Allow-listing; only approved software runs, everything else blocked
  3. They are equal
  4. Neither works offline
35 · D1

Which is the correct order of NIST RMF steps after "Select"?

  1. Categorize
  2. Implement
  3. Authorize
  4. Monitor
36 · D3

Which best describes a bastion host?

  1. An ordinary internal server
  2. A deliberately exposed, hardened host with minimal services
  3. A wireless AP
  4. A backup device
37 · D5

Which BEST mitigates the "keys to the kingdom" risk of SSO?

  1. Disable lockout
  2. Require MFA at the SSO entry point
  3. Shorten passwords
  4. Share SSO accounts
38 · D7

Which malware lives only in memory to evade file-based AV?

  1. Macro virus
  2. Fileless malware
  3. Adware
  4. Trojan
39 · D6

Which KRI would warn of rising risk?

  1. % of systems patched last quarter
  2. Growing number of dormant privileged accounts
  3. Total incidents last year
  4. Firewall throughput
40 · D8

Which database property ensures concurrent transactions don't interfere?

  1. Atomicity
  2. Isolation
  3. Durability
  4. Consistency
41 · D4

Which is TRUE of a Type 1 hypervisor?

  1. It runs on a host OS
  2. It runs on bare metal with a smaller attack surface
  3. It is used only on laptops
  4. It inherits host OS vulnerabilities
42 · D1

Which intellectual property protection best fits a secret algorithm the company won't disclose?

  1. Patent
  2. Copyright
  3. Trademark
  4. Trade secret
43 · D3

Which attack recovers keys via electromagnetic emissions?

  1. Known plaintext
  2. Side-channel (TEMPEST)
  3. Birthday
  4. Downgrade
44 · D5

Which is a capability, as opposed to an ACL?

  1. A file's permission list
  2. A Kerberos ticket listing what a subject may access
  3. A firewall rule
  4. A classification label
45 · D7

During evacuation, which objective ensures personnel accountability?

  1. Backing up servers
  2. Head counts at assembly points
  3. Testing the firewall
  4. Rotating tapes
46 · D6

Which is the difference between synthetic transactions and RUM?

  1. Synthetic uses real user traffic; RUM is scripted
  2. Synthetic is scripted and proactive; RUM observes real traffic
  3. They are identical
  4. Neither monitors availability
47 · D2

Which lifecycle milestone is most critical for security patching decisions?

  1. End of life (no longer sold)
  2. End of support (no more patches)
  3. General availability
  4. First release
48 · D4

Which best prevents switch-spoofing VLAN hopping?

  1. Enable DTP everywhere
  2. Disable trunk negotiation and force access mode
  3. Use the native VLAN for data
  4. Broadcast the SSID
49 · D1

Which describes the ISC2 ethics canons order?

  1. Act, Protect, Provide, Advance
  2. Protect society; Act honorably; Provide service; Advance the profession
  3. Provide, Protect, Act, Advance
  4. Protect, Provide, Act, Advance
50 · D3

Which fire class involves energized electrical equipment?

  1. Class A
  2. Class B
  3. Class C
  4. Class K
51 · D5

Which is a detective control against fraud by having someone else fill a role?

  1. Encryption
  2. Mandatory vacations and job rotation
  3. A firewall
  4. MFA
52 · D7

Which is the correct order of DR tests by increasing risk?

  1. Full interruption, parallel, simulation, tabletop, checklist
  2. Checklist, tabletop, simulation, parallel, full interruption
  3. Tabletop, checklist, parallel, simulation, full interruption
  4. Simulation, checklist, tabletop, parallel, full interruption
53 · D8

Which is a strong secure-coding practice?

  1. Deny-list input filtering only
  2. Allow-list input validation and output encoding
  3. Verbose error messages to users
  4. Hard-coded secrets
54 · D4

Which fiber is best for a 20 km EMI-immune link?

  1. Cat6
  2. Coaxial
  3. Single-mode fiber
  4. Cat8
55 · D6

Which is required before any security testing?

  1. A new firewall
  2. Management approval of scope
  3. A press release
  4. A public bounty
56 · D1

Which best captures the MTD/RTO/WRT relationship?

  1. RTO + WRT must not exceed MTD
  2. RTO must exceed MTD
  3. WRT equals RPO
  4. MTD equals RPO
57 · D3

Which best distinguishes a TPM from an HSM?

  1. TPM is a networked module for high-volume keys
  2. HSM is a dedicated, tamper-resistant module; TPM is a chip on the motherboard
  3. They are identical
  4. TPM handles only payments
58 · D5

Under current NIST guidance, forced periodic password changes should be:

  1. Every 30 days
  2. Avoided unless compromise is evidenced
  3. Weekly
  4. Never allowed at all
59 · D7

Which is the salvage team's role?

  1. Recover at the alternate site
  2. Restore the primary site
  3. Run the SOC
  4. Manage backups only
60 · D2

Which role determines the purposes and means of processing under GDPR?

  1. Data processor
  2. Data controller
  3. Data subject
  4. Data custodian
61 · D4

Which attack sends forged deauth frames to capture a handshake?

  1. Evil twin
  2. Deauthentication attack
  3. Wardriving
  4. Jamming
62 · D3

Which best defends against a birthday attack?

  1. Longer hash outputs (collision resistance)
  2. Shorter keys
  3. Using ECB mode
  4. Disabling salting
63 · D6

Which team defends and responds during an exercise?

  1. Red
  2. Blue
  3. White
  4. Purple
64 · D1

Which best describes the Delphi technique?

  1. Quantitative loss calculation
  2. Anonymous expert consensus over rounds
  3. A code review method
  4. A backup rotation
65 · D5

Which is the correct Kerberos sequence?

  1. Service ticket then TGT
  2. AS issues TGT; then TGS issues service ticket
  3. TGS issues TGT; then AS issues service ticket
  4. Password sent to each service
66 · D7

Which best justifies out-of-band communications during a disaster?

  1. They are cheaper
  2. The normal network may be down
  3. They are faster in all cases
  4. They replace the plan
67 · D8

Which flaw lets an attacker force the server to request internal resources?

  1. XSS
  2. SSRF
  3. CSRF
  4. Aggregation
68 · D3

Which best explains why patents are sometimes avoided in favor of trade secrets?

  1. Patents are free
  2. Patents require public disclosure of the invention
  3. Trade secrets expire in 20 years
  4. Patents last forever
69 · D4

Which best describes RADIUS vs TACACS+?

  1. RADIUS uses TCP and encrypts all; TACACS+ uses UDP
  2. RADIUS uses UDP and encrypts only the password; TACACS+ uses TCP, encrypts all, separates AAA
  3. Both use UDP
  4. TACACS+ combines AAA
70 · D6

Which report is restricted and covers security under Trust Services Criteria?

  1. SOC 1
  2. SOC 2
  3. SOC 3
  4. A pentest report
71 · D1

Which best describes the difference between a policy and a standard?

  1. Policy names technologies; standard is high-level
  2. Policy is high-level intent; standard is a specific mandatory requirement
  3. Both are optional
  4. Standard is signed by senior management, policy is not
72 · D3

Which best mitigates VM escape risk?

  1. Run all VMs as root
  2. Patch the hypervisor and avoid mixing very different sensitivities on one host
  3. Disable snapshots forever
  4. Use a single large VM
73 · D5

Which best fits federated identity where the IdP is compromised?

  1. Only one service is affected
  2. All federated services are exposed
  3. Nothing happens
  4. Only logging is affected
74 · D7

Which best describes virtual patching?

  1. Modifying the vulnerable system directly
  2. Blocking exploitation with an IPS/WAF without changing the system
  3. Reinstalling the OS
  4. Deleting the application
75 · D2

Which best distinguishes tokenization from encryption?

  1. Tokens are derived from the value with a key
  2. Tokens are random substitutes with no mathematical link, resolved via a vault
  3. Tokenization is reversible by anyone
  4. They are identical
76 · D4

Which is the fundamental principle of zero trust?

  1. Trust the internal network by default
  2. Verify every request regardless of location
  3. A strong perimeter suffices
  4. Trust after first authentication
77 · D6

Which is the most dangerous scan error?

  1. False positive
  2. False negative
  3. True positive
  4. True negative
78 · D1

Which best describes the "prudent person rule"?

  1. It measures whether management exercised due care
  2. It measures evidence admissibility
  3. It measures patent novelty
  4. It measures background checks
79 · D3

Which best describes OCSP stapling?

  1. A client downloads a full CRL
  2. The server presents a recent signed proof of non-revocation
  3. The CA pins a certificate
  4. Two PKIs cross-certify
80 · D5

Which best describes a break-glass account?

  1. A daily admin account
  2. A protected emergency account whose every use triggers an alert
  3. A guest account
  4. A backup service account
81 · D7

Which best mitigates tailgating into a datacenter?

  1. A longer password policy
  2. A mantrap and awareness training
  3. Encryption at rest
  4. A firewall rule
82 · D8

Which risk is most associated with citizen developers on low-code platforms?

  1. Too much documentation
  2. Apps bypassing standard security controls and review
  3. Slow compilation
  4. No data access
83 · D4

Which OSI PDU exists at Layer 3?

  1. Bits
  2. Frames
  3. Packets
  4. Segments
84 · D1

Which is the correct copyright duration for an individual author?

  1. 20 years from filing
  2. Life of the author + 70 years
  3. 10 years renewable
  4. Forever
85 · D3

Which best describes the Chinese Wall (Brewer-Nash) model?

  1. Static confidentiality labels
  2. Access rights change dynamically based on prior access to prevent conflicts of interest
  3. Integrity via transactions
  4. Eight rules for rights
86 · D5

Which is the primary purpose of identity proofing?

  1. Encrypting traffic
  2. Verifying a real-world identity before issuing credentials
  3. Assigning IPs
  4. Rotating passwords
87 · D7

Which best describes a golden ticket attack?

  1. Forging a service ticket
  2. Forging a TGT with the KRBTGT hash for near-unlimited domain access
  3. Reusing an NTLM hash
  4. Spraying passwords
88 · D6

Which SCAP component defines security checklists?

  1. OVAL
  2. XCCDF
  3. CPE
  4. CCE
89 · D2

Which best describes the difference between scoping and tailoring?

  1. Scoping adapts; tailoring removes
  2. Scoping removes inapplicable controls; tailoring adapts the baseline (including scoping)
  3. They are identical
  4. Both add new controls only
90 · D4

Which best describes an evil twin attack?

  1. A rogue AP planted internally
  2. A fake AP mimicking a legitimate SSID to lure clients
  3. Radio jamming
  4. Mapping networks while driving
91 · D1

Which best describes supply chain risk illustrated by SolarWinds?

  1. Physical theft
  2. A trusted software update delivering a backdoor
  3. A weak password
  4. An insider selling data
92 · D3

Which best describes measured boot vs secure boot?

  1. Secure boot measures; measured boot blocks
  2. Secure boot blocks unsigned components; measured boot records measurements for attestation
  3. They are identical
  4. Neither uses the TPM
93 · D5

Which best mitigates MFA fatigue (push bombing)?

  1. More push prompts
  2. Number matching
  3. Disabling MFA
  4. Shared accounts
94 · D7

Which best describes the business records exception?

  1. All hearsay is inadmissible
  2. Automatically generated logs are admissible despite the hearsay rule
  3. Only originals are admissible
  4. Copies are always preferred
95 · D8

Which best describes the Log4j lesson?

  1. Hardware can be counterfeited
  2. Dependencies inherit vulnerabilities; use SCA and SBOM
  3. Passwords must rotate
  4. Firewalls stop everything
96 · D4

Which best describes the purpose of a WAF?

  1. Routing between VLANs
  2. Protecting web applications from injection and XSS at Layer 7
  3. Encrypting disks
  4. Load balancing only
97 · D6

Which best describes a bug bounty?

  1. A formal six-step code review
  2. Paying external researchers per valid vulnerability found
  3. A compliance audit
  4. A synthetic transaction
98 · D1

Which best describes the goal of security governance?

  1. Security drives business strategy
  2. Security aligns with and supports business strategy
  3. Technical teams set priorities
  4. Auditors govern security
99 · D3

Which best describes the difference between aggregation and inference?

  1. They are identical
  2. Aggregation adds up benign data; inference deduces restricted data from authorized queries
  3. Inference adds up; aggregation deduces
  4. Both require SQL injection
100 · D5

Which best describes rule-based vs role-based access control?

  1. Role-based applies global rules; rule-based uses roles
  2. Role-based assigns by job role; rule-based applies global rules to all
  3. They are identical
  4. Rule-based uses labels
101 · D7

Which best justifies not unplugging a suspect machine immediately?

  1. It voids warranty
  2. It destroys volatile RAM evidence
  3. It corrupts the disk
  4. It emails the attacker
102 · D2

Which best describes a data steward's role?

  1. Sets classification and is accountable
  2. Ensures data quality and business governance
  3. Applies backups and ACLs
  4. Is the person the data describes
103 · D4

Which best describes micro-segmentation's purpose?

  1. Increasing Internet bandwidth
  2. Controlling east-west traffic and limiting lateral movement
  3. Replacing encryption
  4. Removing the perimeter firewall
104 · D1

Which best describes the difference between BCP and DRP?

  1. Identical
  2. BCP maintains business functions; DRP restores IT
  3. DRP maintains functions; BCP restores IT
  4. Both cover only physical security
105 · D3

Which best describes the difference between DAC and MAC?

  1. DAC is system-enforced; MAC is owner-decided
  2. DAC is owner-decided; MAC is system-enforced via labels
  3. They are identical
  4. MAC uses ACLs only
106 · D6

Which best describes an exception in remediation?

  1. Silently ignoring a flaw
  2. A documented, signed acceptance of risk with compensating controls
  3. Deleting the finding
  4. Shutting down the business
107 · D5

Which best describes the difference between TOTP and HOTP?

  1. TOTP is counter-based; HOTP is time-based
  2. TOTP is time-based; HOTP is counter-based
  3. They are identical
  4. Both are static
108 · D7

Which best describes the difference between MTBF and MTTR?

  1. MTBF is repair time; MTTR is between failures
  2. MTBF is time between failures; MTTR is repair time
  3. They are identical
  4. Both measure uptime
109 · D8

Which best describes a covert timing channel?

  1. Using a shared storage location
  2. Modulating timing to transmit information
  3. Encrypting data at rest
  4. A legitimate API call
110 · D4

Which best describes the difference between hot and cold sites?

  1. Cold activates in minutes; hot in weeks
  2. Hot activates in minutes and costs the most; cold takes days and costs least
  3. They are identical
  4. Both are reciprocal agreements
111 · D1

Which best describes the difference between qualitative and quantitative risk analysis?

  1. Qualitative uses monetary values; quantitative uses judgment
  2. Qualitative uses judgment (Delphi); quantitative uses monetary values (SLE, ALE)
  3. They are identical
  4. Both require exact data
112 · D3

Which best describes the shared responsibility invariant?

  1. The provider always secures data
  2. The customer always secures its data and access
  3. Neither secures data
  4. The provider secures nothing
113 · D5

Which best describes the difference between need-to-know and least privilege?

  1. Identical
  2. Need-to-know concerns information access; least privilege concerns action rights
  3. Least privilege concerns information only
  4. Need-to-know concerns physical access only
114 · D7

Which best describes the difference between incremental and differential backups?

  1. Incremental restores 2 sets; differential restores N
  2. Incremental restores N sets and clears the archive bit; differential restores 2 and doesn't
  3. They are identical
  4. Both restore 1 set
115 · D6

Which best describes the difference between an internal and third-party audit?

  1. Internal offers the most independence
  2. Third-party (independent) offers the most objectivity
  3. They are identical
  4. Internal is always unbiased
116 · D2

Which best describes the risk of retaining data longer than needed?

  1. No risk if backed up
  2. Increased breach exposure, eDiscovery cost, and legal violations
  3. Only wasted storage
  4. Better analytics
117 · D4

Which best describes the difference between full and split tunnel VPN?

  1. Full tunnel is faster and riskier
  2. Full tunnel routes all traffic through the enterprise (safer); split tunnel routes only corporate traffic (device can bridge)
  3. They are identical
  4. Split tunnel encrypts more
118 · D3

Which best describes forward secrecy in TLS 1.3?

  1. A compromised session key exposes past sessions
  2. A compromised session key does not compromise past sessions
  3. It removes encryption
  4. It uses ECB mode
119 · D5

Which best describes the difference between a data owner and a data custodian?

  1. Custodian classifies; owner applies backups
  2. Owner classifies and is accountable; custodian applies protection
  3. They are identical
  4. Owner is the IT department by default
120 · D7

Which best describes the difference between allow-listing and deny-listing?

  1. Deny-listing only permits approved software
  2. Allow-listing permits only approved software (safer); deny-listing blocks known bad
  3. They are identical
  4. Both permit all software
121 · D1

Which best describes the difference between an incident and a breach?

  1. Identical
  2. A breach is a successful bypass of controls (e.g., actual data exfiltration)
  3. An incident is always a breach
  4. A breach is only physical
122 · D8

Which best describes the primary defense against CSRF?

  1. Output encoding
  2. Anti-CSRF tokens and SameSite cookies
  3. Parameterized queries
  4. ASLR
123 · D4

Which best describes the difference between north-south and east-west traffic?

  1. North-south is server-to-server; east-west is client-to-datacenter
  2. North-south is external-to-datacenter; east-west is server-to-server internal
  3. They are identical
  4. Both are external
124 · D6

Which best describes the difference between SAST and DAST?

  1. SAST tests the running app; DAST reads source code
  2. SAST analyzes source code statically; DAST tests the running application
  3. They are identical
  4. Both require production access
125 · D7

A ransom note appears on a production server. What should the team do FIRST?

  1. Pay the ransom
  2. Activate the incident response plan
  3. Wipe and restore immediately
  4. Email all staff

GrilleRéponses

1-B · 2-B · 3-B · 4-B · 5-A · 6-B · 7-B · 8-B · 9-B · 10-B · 11-B · 12-A · 13-B · 14-B · 15-B · 15b-B · 16-B · 17-B · 18-C · 19-B · 20-A · 21-B · 22-B · 23-B · 24-B · 25-B · 26-B · 27-B · 28-B · 29-D · 30-C · 31-B · 32-C · 33-B · 34-B · 35-B · 36-B · 37-B · 38-B · 39-B · 40-B · 41-B · 42-D · 43-B · 44-B · 45-B · 46-B · 47-B · 48-B · 49-B · 50-C · 51-B · 52-B · 53-B · 54-C · 55-B · 56-A · 57-B · 58-B · 59-B · 60-B · 61-B · 62-A · 63-B · 64-B · 65-B · 66-B · 67-B · 68-B · 69-B · 70-B · 71-B · 72-B · 73-B · 74-B · 75-B · 76-B · 77-B · 78-A · 79-B · 80-B · 81-B · 82-B · 83-C · 84-B · 85-B · 86-B · 87-B · 88-B · 89-B · 90-B · 91-B · 92-B · 93-B · 94-B · 95-B · 96-B · 97-B · 98-B · 99-B · 100-B · 101-B · 102-B · 103-B · 104-B · 105-B · 106-B · 107-B · 108-B · 109-B · 110-B · 111-B · 112-B · 113-B · 114-B · 115-B · 116-B · 117-B · 118-B · 119-B · 120-B · 121-B · 122-B · 123-B · 124-B · 125-B

CorrigéPoints de raisonnement

Ce blanc privilégie les scénarios et les distinctions à connaître du chapitre 24. Pour toute erreur, le domaine indiqué renvoie aux chapitres de cours. Quelques raisonnements clés :

Q1 · risque + contratB

Évaluer avant d'agir, puis contractualiser les exigences — jamais résilier ou « chiffrer leurs serveurs » d'emblée. Chapitres 3, 1.

Q5 · valeur du contrôleA

A = 200−40−50 = +110 000 ; B = 200−10−120 = +70 000. Le plus efficace n'est pas le plus rentable. Chapitre 3.

Q11 · pénal probableB

Standards de preuve stricts dès le départ ; ne pas attendre la police pour la RAM volatile. Chapitres 18, 2.

Q29 · ABACD

Rôle + appareil + horaire + montant = attributs multiples = ABAC. Chapitre 14.

Q56 · MTDA

RTO + WRT ≤ MTD, toujours. Chapitre 2.

Q125 · ransomwareB

Activer le plan d'abord ; ni payer, ni wiper, ni communiquer hors plan. Chapitres 0, 19.

BilanAuto-diagnostic

Verdict

≥ 80 % global (≥ 100/125) et ≥ 70 % dans chaque domaine : vous êtes prêt — réservez l'examen et passez au drill final (chapitre 27) et au protocole jour J (chapitre 28). Entre 70 et 80 % : re-drillez les domaines faibles (chapitre 29), refaites ce blanc dans une semaine. Sous 70 % : ne réservez pas encore ; reprenez le cours des domaines déficients. Comptez chaque domaine avec la même répartition qu'au chapitre 25 (D1 20 · D2 12 · D3 16 · D4 16 · D5 16 · D6 15 · D7 17 · D8 13, +1 question bonus 15b sur D5).