ISC CC Dumps

Data remanence refers to the residual representation of data that remains on storage media even after attempts have been made to delete or erase it. When files are deleted, the operating system typically removes references to the data rather than overwriting the actual bits on the disk. As a result, the data may still be recoverable using forensic tools.

Remanence is especially relevant for magnetic storage, solid-state drives, and backup media. Because of this risk, security standards recommend proper media sanitization techniques such as overwriting, degaussing, or physical destruction. NIST SP 800-88 specifically addresses media sanitization methods to mitigate remanence risks.

This concept is critical when disposing of or repurposing storage devices, particularly those that previously contained sensitive or regulated data.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to ensure authenticity and integrity. It prevents attacks such as DNS spoofing and cache poisoning.

DNSSEC allows clients to verify that DNS responses have not been altered. It is the industry-standard solution recommended by security frameworks for protecting DNS infrastructure.

DR planning includes technical controls, operational checklists, and security solutions to support recovery of IT systems after a disruption.

Two-Person Integrityensures no single individual can complete a sensitive action alone, reducing fraud and insider threats.

These areType 1 (bare-metal) hypervisors, running directly on hardware without a host operating system, offering higher performance and security.

The principle of least privilege ensures users have only the minimum permissions necessary to perform their tasks. This limits damage from compromised accounts and insider threats.

It is foundational to access control, IAM, and zero trust architectures and is recommended by all major security frameworks.

255.255.255.0is a commonly usedsubnet mask, indicating that the first 24 bits represent the network portion of an IPv4 address. Subnet masks define how IP addresses are divided into network and host portions, enabling efficient routing and segmentation.

ABusiness Continuity Plan (BCP)ensures critical business functions continue or are restored during and after disruptions.

Load balancing improves availability by distributing traffic across multiple systems, preventing overload and downtime.

Business Continuity Plans (BCP) focus on sustaining operations using alternative processes and resources during disruptions.

Adequate securitymeans applying controls proportional to risk and potential impact, a core concept in NIST frameworks.

Human safety always takes precedence over systems, data, and business operations.

Multitenancy allows shared infrastructure while maintaining logical isolation between customers.

Impact measures the severity of consequences if a security event occurs. It is a key component of risk calculations along with likelihood.

IPSec (Internet Protocol Security) operates atLayer 3 – the Network Layerof the OSI model. IPSec is designed to secure IP communications by authenticating and encrypting each IP packet in a data stream. Because it works directly with IP packets, it naturally fits at the network layer.

Operating at Layer 3 gives IPSec a major advantage: it can protectall network traffic, regardless of the application or transport protocol being used. This means IPSec can secure TCP, UDP, and ICMP traffic transparently without requiring changes to applications. IPSec is commonly used to implementVirtual Private Networks (VPNs), including site-to-site and remote-access VPNs.

IPSec uses protocols such asAuthentication Header (AH)andEncapsulating Security Payload (ESP)to provide confidentiality, integrity, authentication, and anti-replay protection. Key management is typically handled by IKE (Internet Key Exchange).

Although IPSec may appear in some diagrams as interacting with other layers, standards bodies such as NIST and IETF clearly define IPSec as aLayer 3 (Network Layer)security protocol.

A Virtual Private Network (VPN) creates an encrypted tunnel between a user’s device and a remote network or server. This tunnel protects data confidentiality and integrity by encrypting all traffic passing through it, even when using untrusted networks such as public Wi-Fi.

HTTPS encrypts only web traffic, antivirus detects malware, and IDS monitors for suspicious activity. Only a VPN provides full-tunnel encryption for all network communications. VPNs are commonly implemented using protocols such as IPSec or SSL/TLS and are widely recommended for secure remote access.

Cryptography provides confidentiality by encrypting data so only authorized parties can read it. Hashing ensures integrity, and encoding is reversible and not secure.

An IP address is a logical identifier used to locate and route traffic to devices on a network.

Role-Based Access Control (RBAC) assigns permissions based on job roles, making it scalable and efficient for large organizations. It simplifies access management and supports least privilege.

Standards such as ISO, NIST, and CIS are commonly developed by third-party organizations and provide best practices and compliance guidance. They are not laws unless mandated.

Athreatis any actor or condition capable of exploiting a vulnerability to cause harm.

Microsegmentation enables fine-grained, software-defined security controls, limiting lateral movement within networks.

Spoofing involves falsifying identity information such as IP or MAC addresses to bypass security controls.

Electromagnetic eavesdropping (TEMPEST attacks) exploits signal leakage. EMI shielding blocks emissions, screened rooms prevent signal escape, and white noise generators mask signals. Together, these controls provide comprehensive protection.

Cryptographic hash functions areone-wayfunctions and are intentionallynot reversible. Given a hash value, it should be computationally infeasible to recover the original input.

Hash functions are deterministic (same input produces the same output), designed to minimize collisions (unique in practice), and useful for integrity verification, password storage, and digital signatures. Reversibility would completely undermine their security purpose.

Password Authentication Protocol (PAP) is the least secure option because it transmits credentials in clear text over the network. This makes PAP highly vulnerable to eavesdropping and credential theft.

CHAP improves security by using challenge-response mechanisms. EAP supports strong authentication methods, including certificates and MFA. IPsec provides encrypted and authenticated network communication.

Because PAP lacks encryption and protection mechanisms, it is generally discouraged and considered obsolete. Modern security standards strongly advise against its use in favor of encrypted authentication protocols.

Defense in depth begins by identifying assets, followed by administrative controls (policies), technical controls (logical), and physical controls to protect systems at multiple layers.

Zero Trust assumes no implicit trust and requires continuous verification of every access request. Microsegmentation is a core Zero Trust technique that limits lateral movement.

A threat actor is the individual or group responsible for carrying out attacks. Threat vectors describe methods, not entities.

IPv6 allows removal of leading zeros and compression of consecutive zero blocks using “::”, making option A correct.

SSH key-based authentication is ideal for automated system-to-system communication. It allows secure, passwordless authentication using cryptographic key pairs.

Biometrics and smart cards require human interaction, and hard-coded passwords are insecure and difficult to rotate. SSH keys provide strong authentication, automation support, and secure key management.

This approach is widely recommended for scripts, automation, and DevOps pipelines.

An intranet is a private network that uses internet technologies (such as TCP/IP and web browsers) but is accessible only to an organization’s internal users. It mirrors the structure and functionality of the internet while remaining private.

An extranet extends limited access to external partners. A VLAN is a logical network segmentation technique. A VPN is a secure communication tunnel, not a network architecture.

Intranets are commonly used for internal portals, documentation, collaboration tools, and internal services. From a security standpoint, intranets require strong authentication, segmentation, and access controls.

BCP requires input from all business units to identify dependencies and ensure continuity of critical functions.

TheBusiness Continuity Planincludes immediate response actions, communication plans, and leadership guidance.

In e-commerce,non-repudiationensures accountability by preventing buyers or sellers from denying transactions they actually performed. This is essential for trust, legal enforcement, and dispute resolution in digital commerce.

By using digital signatures, certificates, and secure transaction logs, organizations can prove that a specific user authorized a transaction. This protects merchants from fraudulent chargebacks and customers from transaction tampering.

Without non-repudiation, online commerce would lack trust and legal enforceability, undermining digital economies.

Carbon dioxide (CO₂) systems suppress fire without leaving residue or damaging electronic equipment. While they pose risks to people, they are effective for protecting electronics compared to water or foam.

Microsegmentationdivides networks into granular zones protected by internal firewalls or policy enforcement points. It limits lateral movement and is a core Zero Trust principle.

Token-based authentication relies on encrypted, machine-generated tokens to verify a user’s identity. After successful authentication, the system issues a token (often a JSON Web Token or OAuth token) that represents the user’s session or authorization claims. This token is then presented with each request instead of repeatedly transmitting credentials.

Unlike basic or form-based authentication, token-based methods reduce exposure of usernames and passwords, improve scalability, and support modern distributed architectures such as APIs, cloud services, and mobile applications. Tokens can also include expiration times and scopes, improving security control.

When a mail server sends email to another mail server, it acts as anSMTP client. In the Simple Mail Transfer Protocol (SMTP), roles are defined by behavior, not by the system’s primary function.

The sending system initiates the connection and issues SMTP commands, which makes it the client for that transaction. The receiving mail server listens for incoming connections and acts as the SMTP server.

Mail servers routinely switch roles depending on the direction of communication. A single system may act as an SMTP server when receiving mail and as an SMTP client when sending mail.

Understanding SMTP roles is important for configuring mail security controls such as firewalls, TLS enforcement, spam filtering, and authentication. Security professionals must recognize that “client” and “server” are session-based roles, not permanent system identities.

Secure Shell (SSH) is the secure alternative to Telnet. Telnet transmits data, including credentials, in clear text, making it vulnerable to interception. SSH encrypts all communications, providing confidentiality, integrity, and authentication.

HTTPS secures web traffic, SFTP is used for file transfer, and LDAPS secures directory services—not remote terminal access. SSH is the industry-standard replacement for Telnet.

Defense in depth uses multiple layers of controls—administrative, technical, and physical—so that failure of one layer does not compromise security.

Emergency exit doors are a critical physical control designed to ensure safe and rapid evacuation during emergencies such as fires or earthquakes. These doors are typically clearly marked, unobstructed, and may include panic bars to allow easy exit without special knowledge or tools.

Fire alarms alert occupants, exit signs provide direction, and emergency lighting improves visibility, but none of these physically enable evacuation. Exit doors directly support life safety by allowing people to leave the building quickly and safely. Life safety is the highest priority in physical security design, and exit doors are mandatory under building and fire safety codes.

Authorization determines what actions a user is allowed to perform after their identity has been authenticated. Identification claims an identity, authentication verifies it, and authorization grants permissions.

Laws and regulations are legally enforceable and can impose fines or penalties. Standards and policies are not legally binding unless mandated by regulation.

HTTPS (Hypertext Transfer Protocol Secure) is the most suitable protocol for secure communication between clients and servers. HTTPS uses TLS to encrypt data in transit, ensuring confidentiality, integrity, and authentication. This prevents attackers from eavesdropping, tampering, or impersonating servers.

HTTP and FTP transmit data in clear text, making them vulnerable to interception. SMTP is used for email delivery, not client-server web communication. Modern security standards mandate HTTPS for all production web applications.

Clear roles ensure fast, coordinated response, reduce confusion, and prevent duplicated or missed actions during incidents.

Operating system logs are the most relevant source of information for detecting and investigating privilege escalation attacks. These logs record authentication events, privilege changes, process executions, and system-level actions.

Because the attacker already had authorized access, firewall and IDS logs may show little or no suspicious activity. Database logs focus on database-level operations, not OS privilege changes.

OS logs provide the best visibility into actions such as sudo usage, kernel exploits, and unauthorized permission changes. They are essential for forensic analysis and incident response involving insider threats.

Unauthorized access that compromises confidentiality constitutes abreach. Intrusions become breaches when access is successful.

Distributed Denial of Service (DDoS) attacks primarily impactavailability, one of the three pillars of the CIA triad. DDoS attacks overwhelm systems, networks, or applications with massive volumes of traffic, exhausting resources such as bandwidth, CPU, or memory and preventing legitimate users from accessing services.

The goal of a DDoS attack is not to steal data, alter information, or deny accountability, but rather todisrupt access. Confidentiality and integrity may remain intact, but users are unable to reach the system, resulting in service outages, financial loss, and reputational damage.

Availability is a critical security objective for public-facing services such as websites, APIs, and online platforms. Defenses against DDoS attacks include traffic filtering, rate limiting, content delivery networks (CDNs), scrubbing services, and redundant architectures.

Security frameworks such as NIST and ISO/IEC explicitly associate denial-of-service attacks with availability risks, making availability the most directly affected cybersecurity principle.

Disaster Recovery (DR)focuses specifically on restoring IT systems and communications following outages.

At Layer 3 (Network Layer), data is encapsulated intopacketsfor routing across networks.

Hashing ensuresintegrityby allowing detection of unauthorized changes to data.

Microsoft SQL Server commonly uses TCP port 1433, which falls in the registered port range.

PAM solutions focus onjust-in-time (JIT) access, granting elevated privileges only when needed and revoking them afterward. This reduces standing privileges and minimizes attack surfaces.

Risk acceptance acknowledges the risk and chooses to proceed without additional controls, often due to cost or low impact.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) operate at theTransport layer (Layer 4)of the OSI model. This layer is responsible for end-to-end communication, segmentation, flow control, and error handling.

TCP provides reliable, connection-oriented communication with acknowledgments and retransmissions. UDP provides connectionless communication optimized for speed and low latency.

The Session layer manages session establishment, and the Presentation layer handles formatting and encryption. Neither is responsible for transport-level data delivery.

Understanding protocol placement is essential for firewall rules, intrusion detection, and network troubleshooting. Most security controls rely heavily on Transport-layer awareness.

According to NIST SP 800-61, incident response consists of four core phases:Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Option A best represents these core components.

In access control models, asubjectis an active entity that requests access to a resource. In this scenario, Derrick is the subject because he is the user initiating an action—logging into a system and attempting to read a file. Subjects can be users, processes, or systems acting on behalf of users.

Anobject, by contrast, is a passive entity that is being accessed, such as a file, database, printer, or network resource. The file Derrick wants to read is the object. Access control systems evaluate whether a subject has the appropriate permissions to perform an action (such as read, write, or execute) on an object.

This subject-object relationship is foundational to many security models, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Proper identification of subjects is essential for authentication, authorization, auditing, and accountability. By clearly defining who the subject is, organizations can enforce least privilege, track user actions, and maintain strong security governance across systems.

An Intrusion Detection System (IDS) consists of three fundamental functional components: information sources, analysis engines, and response mechanisms. Information sources collect data such as network packets, logs, or system events. Analysis engines evaluate this data to detect suspicious behavior. Response components generate alerts or notifications.

While IDS systems typically do not block traffic (unlike IPS), they still perform response actions such as logging, alerting, and triggering workflows.

All three components work together to detect and report security incidents. This architecture is well documented in NIST intrusion detection guidance and forms the basis of both host-based and network-based IDS solutions.

IPv6 was introduced primarily due toIPv4 address exhaustion, enabling vastly expanded address space.

Non-repudiationensures that a party involved in a transaction cannot later deny having performed an action, such as sending a message or authorizing a payment. This is a critical security property in digital communications and e-commerce environments.

Non-repudiation is typically achieved throughdigital signatures, cryptographic hashing, timestamps, and public key infrastructure (PKI). These mechanisms provide proof of origin and integrity, allowing actions to be traced back to the responsible party.

Authentication verifies identity, identification claims who a user is, and verification confirms correctness—but none of these alone prevent denial after the fact. Only non-repudiation provides legally and technically enforceable proof.

Federated authentication enables single identity across trusted organizations, supporting single sign-on (SSO) and eliminating repeated credential entry.

Confidentiality ensures information is accessible only to authorized individuals.

A Content Delivery Network (CDN) ensures low latency by caching content at geographically distributed edge locations close to end users. When customers access a website, content is served from the nearest CDN node rather than a centralized server.

This significantly reduces round-trip time, network congestion, and load on origin servers. CDNs are especially effective for static content such as images, scripts, and videos, which dominate e-commerce traffic.

Load balancing distributes traffic but does not reduce geographic distance. SaaS is a service model, not a latency solution. Decentralized data centers help but lack the optimized edge caching and routing capabilities of a CDN.

CDNs are a core performance and availability control for global online services and are widely used by large e-commerce platforms to improve customer experience and resilience.

Role-Based Access Control (RBAC) enforces least privilege by assigning permissions based on job roles rather than individuals. Users receive only the permissions necessary for their role, reducing excess access.

RBAC is widely used in enterprises, cloud platforms, and operating systems due to its scalability and manageability.

Endpoints are user-facing devices such as laptops, desktops, and mobile devices.

Immediate response checklists ensure rapid communication and awareness when a BCP is enacted.

Business Continuity Plans ensure operations continue during long-term disruptions.

Website spoofing involves impersonating legitimate sites to deceive users. Phishing often uses spoofed sites but is the broader attack method.

Integrityis the primary factor in system and information reliability. Reliable systems must ensure that data is accurate, complete, and protected from unauthorized modification. If integrity is compromised, decisions based on the data become unreliable—even if systems are available or confidential. NIST and ISO frameworks emphasize integrity as essential to trustworthiness and operational reliability.

ABusiness Impact Analysis (BIA)identifies critical systems, dependencies, and acceptable downtime to prioritize recovery and continuity strategies.

The Data Link layer (Layer 2) handles MAC addressing and frame delivery within local networks.

Defense in depth requiresmultiple layers of security controls. None of the listed scenarios include layered controls, making “None” the correct answer.

Risk management is an ongoing process that identifies threats, evaluates risk, and applies controls to reduce risk to acceptable levels. It is foundational to cybersecurity governance.

Modern organizations depend on IT systems for communication, data processing, transactions, and service delivery. Without IT, critical business functions often cannot operate, making IT recovery essential to business continuity.

Cross-site scripting (XSS) attacks exploitinput validation vulnerabilitiesin web applications. These vulnerabilities occur when an application fails to properly validate, sanitize, or encode user-supplied input before including it in web pages. As a result, attackers can inject malicious scripts that are executed in the browsers of other users.

XSS attacks commonly occur through form fields, URL parameters, cookies, or HTTP headers. Once executed, malicious scripts can steal session cookies, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim.

ARP spoofing and DNS poisoning target network-level trust relationships, not application input validation. Pharming redirects users to fake websites by manipulating DNS or host files, again unrelated to input validation.

Preventing XSS relies heavily on strong input validation, output encoding, content security policies (CSP), and secure coding practices. OWASP and NIST explicitly identify XSS as a validation-related vulnerability and emphasize defensive coding as the primary mitigation.

Preparation includes asset identification, system classification, and readiness planning.

Policies created by leadership to define acceptable behavior and usage areadministrative (management) controls. They guide organizational behavior, define responsibilities, and establish governance expectations.

Technical controls enforce policies, while physical controls protect facilities. This scenario clearly describes governance and oversight, making it an administrative control.

Threat actors include insiders, external attackers, and automated technologies such as bots. Modern threat landscapes recognize non-human actors as valid threats due to automation and AI-driven attacks.

Anintrusionis an unauthorized attempt to access systems or networks. It may or may not succeed. Intrusions are more serious than simple events but may not rise to the level of a breach if controls prevent access.

Zero Trust is a security architecture that assumesno implicit trust—inside or outside the network perimeter. Every access request must be continuously verified based on identity, device health, context, and policy. Unlike traditional perimeter-based models, Zero Trust eliminates the concept of a “trusted internal network.”

Microsegmentation is a core Zero Trust technique that divides networks and workloads into highly granular security zones. Each zone enforces its own access controls, dramatically reducing lateral movement if an attacker gains access. This model aligns with NIST SP 800-207, which defines Zero Trust as a strategy to minimize attack surfaces and contain breaches.

HTTPS uses both asymmetric and symmetric encryption. Asymmetric encryption is used during the TLS handshake to securely exchange keys and authenticate the server. Once the secure session is established, symmetric encryption is used for data transmission because it is faster and more efficient.

This hybrid approach combines the strengths of both encryption types and is fundamental to secure web communication.

VLANslogically separate networks at Layer 2 while sharing the same physical infrastructure.

A Content Delivery Network (CDN) provides the greatest resilience against large-scale DDoS attacks by distributing traffic across a globally dispersed network of edge servers. CDNs absorb and filter malicious traffic before it reaches the origin infrastructure.

Increasing servers or bandwidth helps only to a limited extent and can still be overwhelmed by volumetric attacks. IPS-based mitigation is effective for smaller attacks but is not designed to handle massive distributed floods. CDNs combine traffic absorption, rate limiting, caching, and threat filtering at scale.

Major CDNs operate with terabits of capacity and specialized DDoS defenses, making them highly effective against attacks that would cripple individual organizations.

For public-facing applications, CDNs are considered a best-practice defensive control against availability attacks.

Information security is fundamentally built on theCIA triad:Confidentiality, Integrity, and Availability. These three principles form the cornerstone of nearly all cybersecurity frameworks, including NIST, ISO/IEC 27001, and CIS controls.

Confidentialityensures that information is accessible only to authorized individuals and systems.

Integrityensures that data remains accurate, complete, and unaltered except by authorized actions.

Availabilityensures that systems and data are accessible to authorized users when needed.

Accessibility, while related to usability and system design, isnota core pillar of information security. In fact, security controls often intentionallylimitaccessibility to protect systems and data. Accessibility focuses on ensuring ease of access (often in the context of user experience or disability access), whereas security focuses oncontrolled access.

Confusing accessibility with availability is common, but they are not the same. Availability is about reliable access forauthorized users, while accessibility is about ease of access in general. Therefore, accessibility is not one of the foundational elements upon which information security is built.

This distinction is critical for understanding security architecture and governance.

Subnetting divides a large network into smaller, logical segments called subnets. One of the primary benefits of subnetting isreducing network congestion. In a flat network, broadcast traffic is sent to all devices, which can significantly degrade performance as the network grows. By creating subnets, broadcast domains are limited, ensuring that broadcast traffic stays within a specific segment instead of flooding the entire network.

While subnetting can indirectly improve security and management, its most direct and measurable benefit is performance improvement through reduced broadcast traffic. Smaller subnets result in fewer devices competing for bandwidth, which enhances efficiency and reliability.

Subnetting also supports scalability and fault isolation. Network issues in one subnet are less likely to impact others. This concept is foundational in enterprise networks and is heavily emphasized in network design standards and certifications such as Security+, CCNA, and CISSP.

Data Loss Prevention (DLP)systems monitor, detect, and block unauthorized data exfiltration across endpoints, networks, and cloud services.

Baselines allow organizations to detect unauthorized changes by comparing known-good configurations against current states.

A zero-day vulnerability is unknown to the vendor and security community and has no available patch. Because defenders have “zero days” to fix it, zero-day vulnerabilities are highly dangerous.

A zero-day vulnerability is one that is unknown to the vendor and has no available patch at the time it is exploited. Attackers take advantage of the fact that defenders have “zero days” to fix the issue.

Routine vulnerability scans cannot detect zero-days because scanners rely on known signatures. This is why defense-in-depth, monitoring, and anomaly detection are critical security strategies.

Attribute-Based Access Control (ABAC) grants access based on complex logical rules that evaluate attributes of the user, resource, action, and environment. Examples include user role, department, time of day, device type, and data sensitivity. These attributes are evaluated dynamically, allowing fine-grained and context-aware access decisions.

DAC allows owners to grant permissions, MAC uses labels and classifications, and RBAC assigns permissions based on roles. None of these provide the same level of flexibility as ABAC. Because ABAC supports complex, rule-based decisions, it is widely used in modern cloud environments and zero trust architectures.

Phishing uses deceptive messages—often emails or websites—to trick users into revealing sensitive information. Spoofing is often used as a technique within phishing attacks.

An IPSec replay attack occurs when an attacker captures legitimate encrypted packets and attempts to retransmit (replay) them to gain unauthorized access or disrupt communication. The attacker does not need to decrypt the packets; instead, they rely on resending previously valid packets within an existing session.

Without proper protections, replayed packets could be accepted as valid, allowing attackers to impersonate legitimate users or repeat sensitive actions. IPSec defends against replay attacks usingsequence numbers and sliding windows, which ensure packets are processed only once and in the correct order.

Packet modification, eavesdropping, and traffic flooding are different attack types and are not specifically replay attacks. Replay attacks are particularly dangerous in authentication and session-based protocols, which is why anti-replay protection is a mandatory IPSec feature defined by the IETF.

Common IRT models includededicated,leveraged, andhybridteams. In these models, response capabilities exist within the organization. While organizations mayusethird-party assistance, a fullyoutsourcedIRT is generally not considered a core internal IRT model because incident response requires immediate organizational authority, access, and accountability.

Digital signatures provideauthentication,integrity, andnon-repudiation, but they donot provide confidentiality. A digital signature verifies who sent the message and ensures it was not altered, but the content remains readable unless encryption is also applied.

Confidentiality requires encryption, typically using symmetric or asymmetric cryptography. Digital signatures are often combined with encryption (such as in TLS or secure email), but by themselves they do not hide message contents.

During the detection and analysis phase, incidents are identified, triaged, categorized, and prioritized based on impact and urgency. This ensures resources are allocated appropriately.

A BIA identifies critical systems, dependencies, and acceptable downtime to establish recovery priorities.

Backups are one of the most critical components of any disaster recovery (DR) strategy. Disaster recovery focuses on restoring systems, data, and operations after a disruptive event such as a cyberattack, natural disaster, hardware failure, or human error. Without reliable backups, recovery may be impossible or severely delayed.

Backups ensure that critical data can be restored to a known good state, minimizing data loss and downtime. Industry frameworks such as NIST SP 800-34 and ISO/IEC 27031 emphasize backups as a foundational DR control. They support recovery time objectives (RTOs) and recovery point objectives (RPOs), which define how quickly systems must be restored and how much data loss isacceptable.

While routers, laptops, and firewalls are important infrastructure components, they can typically be replaced or reconfigured. Lost or corrupted data, however, may be irreplaceable without backups. Best practices include maintaining regular, automated backups, storing them offsite or in the cloud, and protecting them from ransomware using immutable or offline storage. Testing backups regularly is also essential to ensure they are usable during an actual disaster.

Hashing is the best control for detecting unauthorized changes to source code. By generating cryptographic hash values for approved versions of files, any modification—intentional or accidental—will result in a different hash, immediately indicating tampering.

Backups help recover data but do not prevent or detect unauthorized changes. File labels provide classification but do not ensure integrity. Security audits review compliance but do not continuously detect changes.

Hashing supports integrity assurance, which is a core security objective. Tools such as file integrity monitoring (FIM) systems rely on hashing to alert administrators when files are altered unexpectedly.

NIST and CIS controls emphasize hashing and integrity monitoring as essential for protecting code repositories, system files, and critical configurations, especially in DevOps and CI/CD environments.

Type 1 authenticationrefers to “something you know,” such as a password, PIN, or passphrase. This is the most common and oldest form of authentication used in information systems.

Other authentication types include Type 2 (something you have, such as a smart card or token) and Type 3 (something you are, such as biometrics). Some models also define additional types, such as location-based or behavior-based authentication.

While easy to implement, Type 1 authentication is considered the weakest because secrets can be guessed, reused, stolen, or phished. For this reason, security best practices strongly recommend combining it with other authentication types using multi-factor authentication (MFA).

NIST and CIS guidelines consistently discourage reliance on single-factor, knowledge-based authentication for sensitive systems due to its susceptibility to compromise.

Theprimary purpose of security trainingis to reduce the likelihood and impact of attacks—especially human-centric threats such as phishing, social engineering, and credential theft. While training may also support compliance and efficiency, its most critical role is risk reduction.

Humans are often the weakest link in security. Awareness training helps users recognize threats, follow secure practices, and respond appropriately to suspicious activity, significantly lowering the organization’s attack surface.

Most VPNs (e.g., IPSec) operate atLayer 3 (Network layer), encapsulating IP packets to create secure tunnels.

Effective DLP solutions monitor all egress channels to prevent unauthorized data exfiltration, including web uploads, APIs, and removable media.

In information security, privacy refers to protecting personal and sensitive information from unauthorized access, use, or disclosure. Privacy focuses specifically on data related to individuals, such as PII, and ensuring it is handled according to legal, ethical, and regulatory requirements.

While privacy is closely related to confidentiality, it places greater emphasis on individual rights and consent. Ensuring privacy means limiting access to personal data and preventing misuse.

Integrity and availability address different aspects of the CIA triad, while option D is incomplete and incorrect. Security frameworks treat privacy as a critical objective, especially in environments handling personal data.

Internet of Things (IoT)devices include embedded systems such as sensors, smart appliances, cameras, and industrial controllers that connect to networks and exchange data. These devices often have limited security controls and are common attack targets, making them a significant cybersecurity concern.

ISC2’s Code of Ethics requires candidates to report violations through proper channels to preserve exam integrity.

The principle of least privilege states that users, systems, and processes should be granted only the minimum permissions required to perform their assigned tasks—nothing more. This principle reduces the attack surface and limits potential damage from compromised accounts or insider threats.

If an attacker gains access to a low-privilege account, the impact is significantly reduced compared to a highly privileged account. Least privilege also helps prevent accidental misuse of system resources.

Two-person control requires two individuals to approve an action. Job rotation reduces fraud by changing responsibilities. Separation of privileges ensures critical tasks require multiple permissions. While all are valid security concepts, least privilege directly addresses permission minimization.

This principle is foundational in access control models, identity and access management (IAM), and zero trust architectures. NIST and CIS explicitly recommend least privilege as a core security control for protecting systems and sensitive data.

Athreat vectoris the path or method used by a threat actor to exploit vulnerabilities, such as phishing, malware, or network attacks.

A Disaster Recovery Plan (DRP) provides procedures to restore IT systems, applications, and infrastructure after an outage.

ABusiness Continuity Plan (BCP)ensures critical operations continue during and after significant disruptions, regardless of the cause.

The ISC2 Code of Ethics prioritizesprotecting society and the public, including users, over employer interests.

Black box penetration testing requires the most effort because the testing team hasno prior knowledgeof the target system. Testers must perform reconnaissance, discovery, enumeration, vulnerability identification, and exploitation without any internal documentation or credentials.

In contrast, white box testing provides full knowledge of systems, source code, and configurations, significantly reducing discovery effort. Gray box testing provides partial information, offering a balance between realism and efficiency. “Blue box” is not a standard penetration testing category.

Black box testing closely simulates real-world external attackers, making it valuable for assessing perimeter defenses, but it is time-consuming and resource-intensive. Testers must identify attack surfaces from scratch and may miss internal vulnerabilities due to lack of access.

Security frameworks recognize black box testing as the most labor-intensive but also the most realistic external threat simulation.

Criticality reflects how essential an asset is to business operations or mission success. It influences prioritization, recovery planning, and protection strategies.

ABAC uses centralized policy engines (PDPs) to evaluate attributes and enforce fine-grained access control decisions dynamically.

A session token is used to maintain a user’s authenticated state after login. Once a user successfully authenticates, the server issues a session token that is stored by the client and sent with subsequent requests.

The server uses this token to identify the user without requiring reauthentication on every request. Session tokens must be protected against theft through secure cookies, encryption, and proper expiration.

CAPTCHAs prevent automated abuse, API keys authenticate applications, and CSRF tokens prevent request forgery. Only session tokens authenticate users across requests.

Proper session management is critical for web application security and is emphasized in OWASP and NIST guidance.

All listed protocols provide encrypted email communication using SSL/TLS for sending or retrieving email securely.

ARP poisoning manipulates ARP tables to intercept or redirect LAN traffic, often enabling man-in-the-middle attacks.

ADenial-of-Service (DoS)attack disrupts availability by overwhelming systems or resources, preventing legitimate access.

A security assessment evaluates the effectiveness of security controls and verifies whether they meet security requirements. It differs from risk assessments, which focus on identifying threats and vulnerabilities.

The Internet Engineering Task Force (IETF) develops and maintains Internet standards through RFCs.