#2: CC Exam Preparation (100) Practice Test – 99 Free Exam Questions with Answers

#2: CC Exam Preparation (100)

99 questions · instant answer feedback · concise explanations · free

  1. Question 1 of 99What does the double colon (::) in an IPv6 address notation represent?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. One or more groups of consecutive zeros

    In IPv6 notation, the double colon represents one or more consecutive groups of sixteen-bit hexadecimal zeros. This shorthand rule can only be used once in an address to simplify long strings and improve overall readability without creating ambiguity.

  2. Question 2 of 99Which of these is an example of a privacy breach?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Access of private information by an unauthorized person

    A privacy breach specifically involves the unauthorized access or exposure of personally identifiable information. Unavailable critical systems represent an availability loss, and general system occurrences or potential exposures do not inherently indicate a privacy compromise.

  3. Question 3 of 99Which type of attack attempts to mislead the user into exposing personal information by sending fraudulent emails?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Phishing

    Phishing uses fraudulent emails to trick recipients into disclosing sensitive personal information. Cross-site scripting targets website code, while denial-of-service attacks disrupt availability, eliminating those options.

  4. Question 4 of 99A security professional should report violations of a company's security policy to:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Company management

    Company policy violations must be reported internally to company management for proper handling. Reporting to external authorities or courts is reserved for legal violations, while ethics committees handle individual professional misconduct.

  5. Question 5 of 99A poster reminding users of best password management practices is an example of which type of learning activity?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Awareness

    Security awareness aims to capture attention and remind users of best practices, which a poster accomplishes perfectly. Training builds specific skills, while education focuses on deeper conceptual understanding.

  6. Question 6 of 99When looking for cybersecurity insurance, which of these is the most important objective?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Risk transference

    Risk transference is the primary objective of cybersecurity insurance because it shifts the financial burden of a potential loss to a third party. Mitigation reduces risk, while avoidance and acceptance do not involve purchasing insurance.

  7. Question 7 of 99What does redundancy mean in the context of cybersecurity?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Conceiving systems with duplicate components so that, if a failure occurs, there will be a backup

    Redundancy involves implementing duplicate system components to ensure continuous operation during a failure. Options describing reduced attack surfaces or robust single components focus on system hardening rather than fault tolerance.

  8. Question 8 of 99Which type of attack PRIMARILY aims to consume all the available resources, thereby making an organization's service inaccessible to its intended users?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Denial of Service

    A denial of service attack overwhelms a target with illegitimate traffic to exhaust its resources and disrupt service availability. Trojans and cross site scripting target system integrity or theft rather than resource exhaustion.

  9. Question 9 of 99Which of these types of layers is NOT part of the TCP/IP model?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Physical

    The standard four layer TCP IP model consists of Application, Transport, Internet, and Network Interface. The Physical layer is explicitly defined in the seven layer OSI model rather than the TCP IP suite.

  10. Question 10 of 99Which of these is an example of an exploit?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. A sequence of commands to take advantage of a bug

    An exploit is a specific sequence of commands or code designed to take advantage of a vulnerability. Options describing exposure or unauthorized access define risks and impacts rather than the exploit mechanism itself.

  11. Question 11 of 99Which of these access control models is commonly used in the military?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Mandatory Access Control (MAC)

    Mandatory Access Control uses strict centralized classification labels and user clearances, making it ideal for military environments. Discretionary and role based models allow decentralized or broad access that lacks this rigid structure.

  12. Question 12 of 99Which of these types of documents is usually THE LEAST formal?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Guidelines

    Guidelines offer flexible recommendations and represent the least formal layer of security documentation. Regulations and policies are mandatory rules, while standards enforce strict technical requirements, making them significantly more formal.

  13. Question 13 of 99Which of these pairs does NOT constitute Multi-Factor Authentication (MFA)?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Password and username

    Multifactor authentication requires combining two or more distinct validation categories. A username and password are both something you know, so they only provide single-factor authentication rather than meeting multifactor requirements.

  14. Question 14 of 99What is the PRIMARY purpose of IPSec?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. To secure IP communications at the network layer

    Internet Protocol Security operates at the network layer to secure communications. The protocol encrypts and authenticates data packets rather than handling user authentication or protecting data stored locally on disk.

  15. Question 15 of 99Which of these technologies is the LEAST effective means of preventing shared accounts?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Password complexity requirements

    Requiring complex passwords does not stop someone from sharing that password with others. Multifactor methods like biometrics or one-time passwords are far more effective at preventing shared accounts because they require physical presence or dynamic codes.

  16. Question 16 of 99When a company collects PII, which policy is required?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Privacy Policy

    Organizations must publish a privacy policy detailing how personal information is collected and handled. Acceptable use and remote access policies govern employee behavior, while regulations like GDPR provide legal compliance frameworks.

  17. Question 17 of 99Which of these types of credentials is NOT used in multi-factor authentication?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Something you trust

    Valid authentication factors are strictly categorized as something you know, something you have, or something you are. Something you trust is not an authentication factor and is merely a distractor designed to confuse test takers.

  18. Question 18 of 99Which of these is a COMMON mistake made when implementing record retention policies?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Applying the longest retention periods to the information

    A common mistake in records retention is keeping all data for the longest possible period. Over-retention increases storage costs and legal liabilities, which is why organizations must categorize data and apply specific retention schedules.

  19. Question 19 of 99A backup that captures the changes made since the latest full backup is an example of:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. A differential backup

    A differential backup specifically captures all changes made since the last full backup. An incremental backup is the trap here, as it only captures changes made since the most recent backup of any type, not just the full backup.

  20. Question 20 of 99After an administrator logs into a secure server, the system automatically captures and stores information about the session, including who accessed the system, when access occurred, and what actions were performed. This information is later used to investigate security incidents. Which of the following security concepts BEST applies to this process?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Auditing

    Auditing is the process of capturing, logging, and preserving security-relevant events to support investigations. Authentication verifies identity, and authorization determines access rights, but neither inherently records the session activities for later review.

  21. Question 21 of 99Which of these is NOT a feature of a SIEM (Security Information and Event Management)?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Log generation

    A Security Information and Event Management system collects, retains, and correlates logs generated by other systems. Log generation is the responsibility of the individual endpoints and network devices, not the SIEM itself.

  22. Question 22 of 99Which of these techniques will ensure the property of non-repudiation?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Digital signatures

    Digital signatures provide non-repudiation by using the sender's private key to guarantee the message origin. Encryption and virtual private networks primarily provide confidentiality, while passwords only provide authentication.

  23. Question 23 of 99Which of these enables point-to-point online communication over an untrusted network?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. VPN

    A Virtual Private Network creates an encrypted tunnel to secure point-to-point communication across untrusted networks. Routers and firewalls manage traffic, but they do not inherently encrypt the data payload to protect it from eavesdropping.

  24. Question 24 of 99Which of these is included in an SLA document?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Instructions on data ownership and destruction

    A service level agreement typically includes data ownership and destruction procedures to ensure compliance. Business continuity, disaster recovery, and incident response are separate operational plans that focus on resilience and security strategies rather than vendor service commitments.

  25. Question 25 of 99An organization needs a network security tool that detects and acts in the event of malicious activity. Which of these tools will BEST meet their needs?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. IPS

    An intrusion prevention system monitors network traffic and takes automatic action to block or drop malicious activity. An intrusion detection system only alerts on suspicious traffic, while a firewall strictly enforces predetermined rule sets without deep packet inspection.

  26. Question 26 of 99Which part of the CIA Triad will be PRIMARILY jeopardized in a Distributed Denial Of Service (DDOS) attack?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Availability

    Distributed denial of service attacks primarily jeopardize availability by overwhelming a target with malicious traffic until it collapses. Confidentiality and integrity are usually not the direct targets of this specific attack method.

  27. Question 27 of 99Which of these cloud deployment models is a combination of public and private cloud storage?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Hybrid

    A hybrid cloud deployment model combines public and private cloud storage to meet specific organizational needs. Public models share infrastructure openly, whereas private models restrict access to a single organization.

  28. Question 28 of 99What is the PRIMARY objective of a rollback in the context of the change management process?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Restore the system to its last state before the change was made

    The primary objective of a rollback during change management is to restore a system to its previous known good state. This helps resolve unexpected issues quickly if a deployment fails or causes unintended network disruptions.

  29. Question 29 of 99Which cloud service model provides the most suitable environment for customers who want to install their custom operating system?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. IaaS

    Infrastructure as a Service is the most suitable cloud model for customers needing custom operating systems because it provides deep control over virtualized resources. Software and Platform as a Service models limit user access to the underlying operating system layer.

  30. Question 30 of 99Which of these is an attack that encrypts the organization's information, and then demands payment for the decryption code?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Ransomware

    Ransomware is an attack that encrypts an organization's information and demands payment for the decryption key. The other options represent different attacks, such as denial of service or social engineering, which do not typically involve encrypting data for ransom.

  31. Question 31 of 99Which of these techniques is PRIMARILY used to ensure data integrity?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Message Digest

    Message digesting uses cryptographic hash functions to ensure data integrity by detecting any unauthorized changes to the data. Content encryption primarily provides confidentiality, backups offer recovery, and labeling is used for data classification.

  32. Question 32 of 99An IT company is planning a new data analytics project that would provide enhanced tracking capabilities, but it conflicts with data protection principles. Senior management pressures the Data Protection Officer (DPO) to approve the project without changes, claiming that it is critical for the company. How should the DPO act in this situation?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Provide independent advice based on data protection law

    A Data Protection Officer must act independently and provide expert advice based on data protection law rather than business objectives. The officer advises on legal risks but does not have the authority to approve or deny projects, making the other options violations of independence.

  33. Question 33 of 99Which of these devices has the PRIMARY objective of determining the most efficient path for the traffic to flow across networks?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Routers

    A router operates at layer three and determines the most efficient path for traffic to flow across networks. Switches and hubs operate within a local network to connect devices, while firewalls are designed primarily to block unauthorized traffic based on security rules.

  34. Question 34 of 99In an incident response process, which phase uses indicators of compromise and log analysis as part of a review of events?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Identification

    The identification phase of incident response uses indicators of compromise and log analysis to detect and validate that a security incident has occurred. Preparation involves getting ready beforehand, while containment and eradication handle limiting and removing the threat after identification.

  35. Question 35 of 99Which kind of document outlines the procedures ensuring that vital company systems keep running during business-disrupting events?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Business Continuity Plan

    A Business Continuity Plan outlines the procedures to sustain critical business operations during and after a disruptive event. A Disaster Recovery Plan focuses on restoring IT infrastructure, while a Business Impact Analysis assesses the potential effects of an outage.

  36. Question 36 of 99In the event of non-compliance, which of these can have considerable financial consequences for an organization?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Regulations

    Regulations are legal requirements established by government bodies, and failing to comply with them can result in severe financial penalties. Standards are usually voluntary, guidelines are advisory, and policies are internal rules that lead to disciplinary rather than legal action.

  37. Question 37 of 99An organization that uses a layered approach when designing its security architecture is using which of these security approaches?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Defense in depth

    Defense in depth is a security strategy that uses multiple layers of controls to protect assets. If one layer fails, others remain to stop the threat. Zero trust, network access control, and network layers describe different concepts and do not define this layered architectural approach.

  38. Question 38 of 99Which of these is a type of corrective security control?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Patches

    Patches are corrective controls because they fix vulnerabilities after an issue is discovered. Encryption acts as a preventive control, intrusion detection systems are detective controls, and guidelines are administrative controls that direct behavior.

  39. Question 39 of 99Which kind of physical access control is LESS effective at preventing unauthorized individual access to a data center?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Bollards

    Bollards are physical barriers designed to stop vehicles, making them ineffective at preventing individual pedestrian access to a data center. Turnstiles, fences, and standard barriers actively restrict or slow down people trying to enter a facility.

  40. Question 40 of 99The name, age, location and job title of a person are all examples of:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Attributes

    Attributes are specific pieces of descriptive data about a user, such as their name, age, location, or job title. Identity and biometric factors are used strictly for verification, while account permissions determine what a user can access.

  41. Question 41 of 99What is the PRIMARY goal of a Change Management Policy?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. To guarantee that system changes are performed without negatively affecting business operations

    A change management policy ensures that system modifications occur smoothly without negatively affecting business operations. Options describing network usage, system creation, or patching confuse this process with acceptable use, system development, or patch management policies.

  42. Question 42 of 99Which of the following is NOT typically installed as a result of an infection?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Logic Bomb

    A logic bomb is malicious code intentionally inserted into software by an insider, rather than being installed remotely through an external infection. Trojans, keyloggers, and backdoors are typical malware payloads delivered through standard infection vectors like phishing.

  43. Question 43 of 99Which of these terms refers to threats with unusually high technical and operational sophistication, spanning months or even years?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. APT

    An advanced persistent threat describes a highly sophisticated, stealthy attack that maintains unauthorized access for extended periods. The other options represent specific attack techniques or malware types rather than long-term operational campaigns.

  44. Question 44 of 99Which protocol is responsible for negotiating security associations and cryptographic keys in IPSec?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. IKE

    Internet Key Exchange handles security association and cryptographic key negotiations for IPsec VPN tunnels. Diffie-Hellman is just one cryptographic algorithm used within IKE, while SSL and TLS secure application-level traffic instead.

  45. Question 45 of 99Which of the following is NOT a part of risk assessment?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Risk mitigation

    Risk mitigation is the subsequent step where controls are implemented, rather than being part of the assessment phase. Risk identification, evaluation, and prioritization are the core analytical components used to understand threats before treatment.

  46. Question 46 of 99Requiring a specific user role to access resources is an example of which access control model?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Role-Based Access Control (RBAC)

    Role-based access control assigns permissions based on the user's organizational role or job function. Mandatory and discretionary models rely on data labels or owner discretion, while attribute-based uses complex rules involving multiple factors.

  47. Question 47 of 99Which of these is NOT a best practice in access management?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Trust but verify

    Trust but verify is an outdated concept replaced by the zero trust model, which requires continuous verification and never grants implicit trust. Granting minimal permissions, requiring justifications, and periodic reviews remain standard practices.

  48. Question 48 of 99An organization with affiliates around the world wants to transfer clients personal data from Country A (EU) to Country B (US). What must the organization ensure before transferring the data?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. An appropriate legal transfer mechanism is in place

    Cross-border data transfers require an appropriate legal safeguard, such as Standard Contractual Clauses or Binding Corporate Rules. The trap is choosing technical controls like encryption, which do not provide a legal basis for international data transfer.

  49. Question 49 of 99Which of these CANNOT be a corrective security control?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Bollards

    Corrective controls restore operations after an incident, making backups, patches, and recovery plans prime examples. Physical barriers like bollards are preventive controls designed to stop incidents before they occur.

  50. Question 50 of 99Which method is COMMONLY used to map live hosts in the network?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Ping sweep

    A ping sweep is a network scanning technique used to identify which hosts are actively responding on a network. Traceroute and Wireshark map topology and analyze traffic, whereas a ping sweep specifically finds live hosts.

  51. Question 51 of 99Which of these documents is a non-binding agreement that outlines the intentions and terms of cooperation between parties?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. MOU

    A Memorandum of Understanding is a non-binding agreement documenting the intentions of cooperating parties. Watch out for the MOA trap, which serves a similar purpose but is typically a legally binding contract.

  52. Question 52 of 99Which of these entities is responsible for signing an organization's policies?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Senior management

    Senior management holds ultimate liability and is responsible for signing organizational security policies. While security engineers or HR may draft the documents, executive sign-off demonstrates required management commitment.

  53. Question 53 of 99What is the most important difference between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. In MAC, security administrators assign access permissions; in DAC, access permissions are set at the object owner's discretion

    Mandatory Access Control relies on administrators enforcing strict security labels, while Discretionary Access Control allows object owners to decide access permissions. The core difference is who holds the decision-making power.

  54. Question 54 of 99Which of the following types of malware self-replicates without the need for human intervention?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Worm

    A worm is malware that self-replicates and spreads across networks without requiring any user interaction. A virus typically requires a human action to trigger it, whereas Trojans disguise themselves as legitimate software, and rootkits are designed to hide malicious activity.

  55. Question 55 of 99The primary objective of a Business Continuity Plan (BCP) is:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. To sustain business operations while recovering from a disruption

    A Business Continuity Plan ensures that critical business operations continue during and after a disruption. Restoring infrastructure to a previous state is the goal of Disaster Recovery, which is a subset of broader continuity efforts, eliminating the distractors.

  56. Question 56 of 99Which IPsec mode is commonly used to establish site-to-site VPNs?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Tunnel mode

    IPsec tunnel mode encapsulates the entire original packet and adds a new header, making it ideal for securing traffic between two networks. Transport mode only encrypts the payload and is used for host-to-host communication, which weakens the distractors.

  57. Question 57 of 99Which of the following is NOT a type of malware?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Spoofing

    Spoofing is a deceptive attack technique used to falsify an identity, not a standalone malicious software program. Trojans, rootkits, and worms are all distinct categories of malware, which quickly eliminates them from consideration.

  58. Question 58 of 99Which of these is NOT an effective way to protect an organization from cybercriminals?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Using out-dated anti-malware software

    Using outdated anti-malware software fails to protect an organization because it lacks the latest threat definitions. The other options represent standard security controls, making them clearly incorrect for this negative question.

  59. Question 59 of 99A high-level executive of an organization receives a malicious email that tries to trick them. Which attack is the perpetrator using?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Whaling

    A whaling attack is a targeted phishing attempt aimed specifically at high-level executives or influential individuals. Spear phishing is less precise, and a distributed denial-of-service attack targets system availability rather than people.

  60. Question 60 of 99Which of these is a type of detective access control?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Movement Sensors

    Movement sensors act as detective controls by alerting security personnel to physical intrusions after they occur. Firewalls are technical preventative controls, while bollards and turnstiles prevent physical access.

  61. Question 61 of 99Which of these is not a common goal of a threat actor?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Allocation

    Allocation is not a standard threat actor goal, as malicious actors typically focus on disclosure, alteration, or denial of service. Allocation is a routine administrative task, which helps eliminate the other options.

  62. Question 62 of 99Data stored on a USB drive being passed around an office is an example of:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Data at rest

    Data at rest refers to information residing on storage media, such as a USB drive sitting on a desk. Data in transit applies to data actively moving across a network, which rules out the network options.

  63. Question 63 of 99When an incident occurs, which of the following is NOT a primary responsibility of an organization's incident response team?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Communicating with top management regarding the circumstances of the cybersecurity event

    Incident response teams focus on technical containment, assessing damage, and restoring secure operations. Executive communication is typically handled by designated management or public relations roles, rather than the technical responders.

  64. Question 64 of 99An authorized employee swipes their badge to unlock the door to a secure research facility. A second individual, who appears to be an employee but does not present a badge, catches the door before it closes and walks in directly behind the first person. Once inside the facility, the two individuals do not speak and immediately walk down separate hallways to different departments. Which security violation is applicable to this scenario?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Tailgating

    Tailgating is an unauthorized person following an authorized user through a secure door without their consent. Distinguishing this from piggybacking relies on whether the authorized user knowingly held the door, which can be highly subjective.

  65. Question 65 of 99What does the term 'data remanence' refer to?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Data left over after routine removal and deletion

    Data remanence refers to the residual data left on storage media after standard deletion methods are used. Because deletion often only marks space as available, forensic tools can recover this remanent data without proper sanitization.

  66. Question 66 of 99What is the primary objective of degaussing?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Erasing the data on a disk

    Degaussing exposes magnetic storage media to a powerful magnetic field to securely erase data and prevent recovery. Options mentioning noise reduction or side channel attacks describe unrelated concepts that do not support secure sanitization.

  67. Question 67 of 99At which of the OSI layers do TCP and UDP work?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Transport Layer

    TCP and UDP are core protocols that operate at the transport layer of the OSI model. The other layers listed handle different functions, such as raw data transmission at the physical layer or application services at the application layer.

  68. Question 68 of 99Which of these is an example of a MAC address?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. 00-51-02-1F-58-F6

    A Media Access Control address is a hardware identifier formatted as six groups of two hexadecimal digits. The other options represent an IPv6 address, an IPv4 address, and an invalid short string.

  69. Question 69 of 99As an (ISC)² member, you are expected to perform with due care. What does 'due care' specifically mean?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Do what is right in each situation you encounter on the job

    Due care is the prudent person rule, meaning you must take reasonable steps to protect organizational assets. While patching and research are important tasks, the core concept is simply doing what is right in any given professional situation.

  70. Question 70 of 99Which of these is NOT a characteristic of the cloud?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Zero Customer Responsibility

    Cloud computing operates on a shared responsibility model, meaning the customer always retains some accountability. Rapid elasticity, measured service, and broad network access are all essential cloud characteristics defined by the ISC2 study guide.

  71. Question 71 of 99Which of these attacks take advantage of inadequate input validation on websites?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Cross-Site Scripting

    Cross-Site Scripting exploits vulnerabilities where a website fails to sanitize user input before displaying it. Phishing, Trojans, and rootkits rely on social engineering or system compromise rather than direct web input validation flaws.

  72. Question 72 of 99Which of these is NOT one of the ISC2 ethics canons?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Consider the social consequences of the systems you are designing

    Considering social consequences is a good practice, but it is not one of the four official ISC2 ethics canons. The actual canons mandate protecting society, acting honorably, providing diligent service, and advancing the profession.

  73. Question 73 of 99Which of the following threat-to-location pairings is correct?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Ransomware → File Server

    Ransomware most logically targets a file server because it stores shared documents and critical data. The other options are mismatched physical threats, such as a blizzard impacting a data center rather than a reception desk.

  74. Question 74 of 99Which of these is an attack whose PRIMARY goal is to gain access to a target system through falsified identity?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Spoofing

    Spoofing is an attack whose primary goal is to gain unauthorized access by falsifying identity. The other attack types listed have different primary goals, such as overwhelming a target to disrupt operations in a distributed denial of service attack.

  75. Question 75 of 99Which of these terms refers to a collection of fixes?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Service Pack

    A service pack comprises a collection of updates, fixes, or enhancements delivered as a single installable package. A patch or hotfix is typically an individual quick-repair job for a specific software issue, rather than a comprehensive cumulative bundle.

  76. Question 76 of 99In an Access Control List (ACL), the element that determines what permissions you have is:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. The rule

    An Access Control List consists of rules that specify the permissions granted or denied to a subject for a particular object. Firmware is irrelevant here, while the subject and object represent the user and the resource rather than the permissions themselves.

  77. Question 77 of 99Which of these tools is MOST likely to detect an XSS vulnerability?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Web application vulnerability scanner

    A web application vulnerability scanner interacts dynamically with a web application to identify runtime flaws like cross-site scripting. Network scanners and intrusion detection systems focus on network infrastructure and traffic, while static testing examines source code without executing it.

  78. Question 78 of 99What does the term LAN refer to?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. A network on a building or limited geographical area

    A Local Area Network connects devices within a limited geographical area, such as a single building. Wide area networks cover large geographical distances, while the other options describe networking hardware like switches or security appliances like firewalls.

  79. Question 79 of 99Which of these is NOT a typical component of a comprehensive Business Continuity Plan (BCP)?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. A cost prediction of the immediate response procedures

    A business continuity plan focuses on restoring operations and includes team lists, response checklists, and notification call trees. Predicting the immediate response costs is a financial exercise, not a standard operational component of a continuity plan during a disaster.

  80. Question 80 of 99During a strategic planning meeting, an organization's leadership discusses how much risk the business can reasonably accept while pursuing its goals. The leadership team agrees on a specific level of potential data or financial loss that would be acceptable without triggering immediate corrective action. This agreed-upon limit defines the amount of risk the organization is willing to accept. Which concept best describes this limit?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Risk Threshold

    Risk tolerance is the acceptable level of variance an organization is willing to accept around its broader risk appetite. The wording describing an agreed limit blurs the line between tolerance and threshold, making tolerance a highly defensible answer on certification exams.

  81. Question 81 of 99Which video recording technology is MOST LIKELY to use less storage space?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Motion detection

    Motion detection records only when movement occurs, drastically reducing storage requirements. Biometric recognition technologies like facial, retina, and gait recognition require continuous capture and high-resolution imagery, which consumes significantly more data.

  82. Question 82 of 99When analyzing risks, which of these activities is required?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Determining the likelihood of occurrence of a set of risks

    Determining the likelihood of occurrence is a fundamental requirement of risk analysis to estimate potential impact. Selecting controls happens later during mitigation, and accepting all risks violates standard security policies.

  83. Question 83 of 99Which of these is NOT a security principle?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Security Awareness Training

    Security awareness training is an administrative control, whereas least privilege, separation of duties, and zero trust are foundational security principles. The key trap is confusing human-focused educational controls with core design principles.

  84. Question 84 of 99Which of the following is one of the canons of the (ISC)² Code of Ethics?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Advance and protect the profession

    The four canons of the ISC2 Code of Ethics require members to protect society, act honorably, provide competent service, and advance the profession. The other options are subtle distractors that mix in client interests and generic security tasks instead of stating the actual canons.

  85. Question 85 of 99Which port number corresponds to the Simple Mail Transfer Protocol (SMTP)?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. 25

    Simple Mail Transfer Protocol, or SMTP, uses port 25 to route email messages between servers. For the exam, remember the core networking ports like 22 for SSH, 69 for TFTP, and 161 for SNMP to quickly eliminate the distractors.

  86. Question 86 of 99Which of the following is NOT a characteristic of a Managed Service Provider (MSP) implementation?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Mediate, execute and decide top-level decisions

    A Managed Service Provider handles day-to-day IT infrastructure, monitoring, and technical support, but does not make high-level strategic business decisions. Executive authority remains with the client's leadership, eliminating the other operational and technical duties.

  87. Question 87 of 99Which type of exercise goes through a sample of an incident step-by-step, validating what each person will do?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. A walk-through exercise

    A walk-through exercise methodically reviews incident response steps so every participant understands their specific role. Tabletop exercises are more informal discussion-based scenarios, while simulations actively mimic real conditions to test technical response.

  88. Question 88 of 99In the context of risk management, what does Annualized Loss Expectancy (ALE) represent?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. The expected cost per year of not performing a given risk-mitigating action

    Annualized Loss Expectancy calculates the expected financial cost of a specific risk over the course of a year. It is derived by multiplying the Single Loss Expectancy by the Annualized Rate of Occurrence, making the probability distractors incorrect.

  89. Question 89 of 99Which type of recovery site has some or most systems in place, but does not have the data needed to take over operations?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. A warm site

    A warm site has the necessary hardware and infrastructure pre-installed, but lacks current data, requiring backups to become fully operational. Hot sites and mirrored sites have real-time data ready immediately, whereas cold sites lack equipment entirely.

  90. Question 90 of 99Which of these is the primary objective of the PCI-DSS standard?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Secure Credit Cards Payments

    The PCI-DSS standard is specifically designed to secure credit card payments and protect cardholder data. Protected health information and change management belong to other frameworks, allowing you to eliminate them immediately.

  91. Question 91 of 99In a DAC policy scenario, which of these tasks can only be performed by the owner of the object?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Changing security attributes

    Discretionary access control gives object owners the authority to set permissions. Only the owner can change security attributes, while standard actions like read or modify are granted to users based on those assigned permissions.

  92. Question 92 of 99Which of these statements is true about cybersquatting?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. It is an illegal practice

    Cybersquatting is the practice of registering a domain name to profit from someone else's trademark. It is an illegal practice under laws like the Anticybersquatting Consumer Protection Act, which protects trademark owners from this deceptive behavior.

  93. Question 93 of 99Which department in a company is NOT typically involved in a Disaster Recovery Plan (DRP)?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. Financial

    A disaster recovery plan is primarily an IT-focused extension of business continuity, so the financial department is typically not a core operational responder. However, because financial loss is central to disaster recovery, a reasonable test-taker could defend their involvement, creating slight ambiguity.

  94. Question 94 of 99While performing background checks on new employees, which of these can NEVER be an attribute for discrimination?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: C. References, education, political affiliation, employment history

    Discriminating based on political affiliation is unacceptable, whereas credit, education, and employment history are legally reviewed depending on the role. Use the cue of protected personal beliefs to eliminate standard professional background factors.

  95. Question 95 of 99Acting ethically is mandatory for ISC2 members. Which of these is NOT considered unethical?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: D. Having fake social media profiles and accounts

    The ISC2 Code of Ethics explicitly prohibits actions like compromising privacy, seeking unauthorized access, and disrupting internet services. Having a fake social media profile is not inherently an ethics violation under the canons, unlike the other listed activities.

  96. Question 96 of 99Which of these social engineering attacks send emails to specific individuals who are not executives of the organization?

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: A. Spear phishing

    Spear phishing targets specific individuals using gathered intelligence. Whaling is the trap here, but it specifically targets high-level executives, whereas spear phishing can target any employee within an organization.

  97. Question 97 of 99Which of these properties is NOT guaranteed by a Message Authentication Code (MAC)?

    Select 2 answers.

    Show answer & explanation

    Correct answer: A. Anonymity · D. Non-repudiation

    A Message Authentication Code provides integrity and authenticity but does not provide non-repudiation because the symmetric key is shared. Non-repudiation requires asymmetric cryptography, like digital signatures, to prove origin uniquely.

  98. Question 98 of 99The PRIMARY objective of a security baseline is to establish a minimum understood and acceptable level of security requirements.

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. … a minimum understood and acceptable level of security requirements

    A security baseline establishes a minimum, agreed-upon level of security requirements for an organization. While baselines include configuration settings, their primary strategic goal is defining this acceptable minimum standard to ensure consistent protection across systems.

  99. Question 99 of 99The BEST defense method to stop a replay attack is to:

    Tap an answer — you get instant feedback and the reasoning.

    Show answer & explanation

    Correct answer: B. Use an IPSec VPN

    Using an IPsec VPN prevents replay attacks because the protocol tracks packet sequencing and drops captured packets that are resent. Message digesting alone cannot stop an attacker from resending a validly hashed message, making it an ineffective defense.

More free practice tests at certpunch.com and new video rounds on @CertPunch.

Scroll to Top