ISC CISSP Certified Information Systems Security Professional Exam Dumps and Practice Test Questions Set 2 Q16-30

Visit here for our full ISC CISSP exam dumps and practice test questions.

Question 16:

 Which principle ensures that users are granted only the minimum level of access necessary to perform their job functions?

A) Separation of Duties
B) Need-to-Know
C) Least Privilege
D) Role-Based Access Control

Answer: C

Explanation:

 Separation of duties is designed to reduce the risk of fraud or error by dividing responsibilities among multiple individuals. While it contributes to security by preventing a single person from having unchecked control, it does not directly define the amount of access granted based on job necessity. Instead, its value lies in creating accountability and ensuring that no individual can complete a sensitive process from start to finish without oversight. For example, one employee might initiate a financial transaction while another approves it, greatly reducing the chance of intentional wrongdoing or accidental mistakes. However, this principle focuses on procedural control rather than granular access control to systems or data.

Need-to-know restricts access to information so that users can only view sensitive data if it is essential for their work. This principle applies mainly to information disclosure rather than system permissions or resource access. Need-to-know is commonly used in environments dealing with classified, confidential, or proprietary information, where exposure of data—even accidentally—could pose a serious risk. Although it is an important security mechanism, it does not dictate how permissions within an operating system or network should be assigned, nor does it define what level of access is technically necessary for a user to perform their tasks.

Role-Based Access Control (RBAC) organizes permissions according to roles within the organization, allowing access management to be scalable and consistent. This model groups users by responsibilities—such as administrator, analyst, or manager—and assigns permissions based on those categories. Although RBAC helps implement least privilege, it does not inherently enforce the minimum level of access without careful role definition. Poorly defined roles can easily lead to excessive permissions, undermining security.

Least Privilege directly ensures that users, processes, and systems receive only the access rights required to complete their duties and no more. Reducing unnecessary access limits the potential for misuse, accidental damage, or exploitation of privileges. This principle is applied across operating systems, applications, and networks, and is used to configure firewall rules, user accounts, and administrative tools. It is a foundational principle in access control, system hardening, and risk mitigation, making it the correct choice. When properly implemented, least privilege helps organizations significantly lower their attack surface, control insider threats, and maintain strong operational security.

Question 17:

 Which type of firewall examines the content of packets to determine if they should be allowed based on rules and application-level information?

A) Packet-Filtering Firewall
B) Stateful Firewall
C) Proxy Firewall
D) Circuit-Level Gateway

Answer: C

Explanation:

Packet-Filtering Firewalls examine packets at the network layer, checking source and destination IP addresses, ports, and protocols. While effective at basic filtering, they cannot inspect the payload or application-level content. Their simple rule-based mechanism makes them fast and efficient, which is why they are commonly used as the first line of defense in many networks. However, their limitations become clear in environments where threats often hide within application-layer data, making packet filters inadequate for more advanced security needs. They also lack contextual awareness, meaning they cannot distinguish between legitimate packets that are part of an established session and packets crafted by attackers attempting to gain unauthorized access.

Stateful Firewalls maintain information about active connections and session state, allowing them to filter packets based on context, such as established TCP sessions. This added intelligence enables them to identify whether a packet is part of a legitimate flow or a suspicious attempt to create a new connection. Although stateful inspection significantly improves security compared to simple packet filtering, these firewalls still primarily operate at the transport and network layers. They do not analyze the actual application content, making them ineffective at detecting threats embedded within HTTP headers, database queries, email attachments, or other application-level payloads. Their contextual awareness helps prevent spoofing and certain types of reconnaissance, but it does not address vulnerabilities that rely on manipulating application-layer data.

Circuit-Level Gateways operate at the session layer and monitor TCP handshakes, ensuring that connections are legitimate but without inspecting packet content or application-level data. They are often used in scenarios where anonymity or internal client protection is desired because they hide the internal network structure from external servers. However, because they only verify session establishment and do not examine what is transmitted during the session, they cannot identify malicious scripts, exploit payloads, or unauthorized commands embedded within application traffic. Their role is primarily to validate the integrity of connections rather than to enforce detailed content-based security rules.

Proxy Firewalls act as intermediaries between clients and servers, examining the content of traffic at the application layer. They enforce rules based on application protocols, commands, or payloads, allowing granular control over what is allowed. By fully terminating client connections and establishing new ones to external servers, proxies can mask internal IP addresses, prevent direct exposure, and significantly enhance anonymity. By inspecting application-level data, proxies can block malicious content, enforce authentication, detect improper protocol usage, and provide content filtering. This deep inspection allows administrators to enforce strict policies, such as blocking certain websites, scanning files for malware, filtering email attachments, or preventing SQL injection attempts. Because they can understand and analyze the context and structure of application protocols like HTTP, FTP, SMTP, and DNS, proxy firewalls offer advanced functionality beyond what packet-filtering, stateful, or circuit-level gateways can provide. This makes a proxy firewall the correct choice for content-aware traffic control, especially in environments requiring strong protection against sophisticated application-layer threats.

Question 18:

 Which disaster recovery strategy involves a fully equipped offsite facility that can be activated immediately in the event of a disaster?

A) Cold Site
B) Warm Site
C) Hot Site
D) Mobile Site

Answer: C

Explanation:

A Cold Site is an off-site location with basic infrastructure, such as power and networking, but no preinstalled systems or data. It requires significant time and effort to make operational, making it slower to resume business operations. Organizations must transport hardware, install operating systems, restore data from backups, and configure applications before work can continue. This process can take days or even weeks, depending on the scale of the systems and the availability of technicians. Cold sites are the least expensive option, but are suitable only for businesses that can tolerate lengthy downtime and slower recovery times during disasters.

A Warm Site is partially equipped with hardware and possibly some data backups. While faster than a cold site, it still requires configuration, data restoration, and application setup. Warm sites often contain servers, storage systems, and network equipment ready to be powered on, but they may not have up-to-date data or fully configured applications. Organizations using warm sites often rely on periodic data transfers rather than real-time replication. This makes the recovery time objective (RTO) shorter than that of a cold site but still insufficient for mission-critical operations that demand immediate continuity.

Hot Sites are fully equipped, operational off-site facilities with hardware, software, network connectivity, and often live data replication. They can be activated immediately, minimizing downtime and ensuring near-continuous business operations. Hot sites generally mirror the primary environment and maintain up-to-date copies of production systems, allowing employees to resume work almost instantly after a disaster. Because of this near-seamless transition, hot sites are essential for industries such as finance, healthcare, government, and e-commerce, where downtime can result in massive financial losses, regulatory violations, or safety risks. Although hot sites are the most expensive option, they offer the highest level of protection and the fastest recovery.

Mobile Sites are transportable facilities, such as trailers or temporary setups, that can be deployed to a location in case of a disaster. They offer flexibility but require physical movement and setup. These sites may come equipped with hardware and networking capabilities, but still need time to reach their destination and be fully configured. For organizations that cannot secure a permanent secondary facility, mobile sites provide a practical alternative, though not an immediate one.

Question 19:

 Which attack technique involves intercepting and modifying communication between two parties without their knowledge?

A) Replay Attack
B) Man-in-the-Middle Attack
C) Dictionary Attack
D) Phishing Attack

Answer: B

Explanation:

A Replay Attack captures valid communication and retransmits it to gain unauthorized access or cause actions to be repeated. It does not involve altering the original communication. Instead, it relies on the idea that the system will accept the repeated message as legitimate, which can occur when proper session validation or timestamping is not implemented. Replay attacks often target authentication tokens, session IDs, or digital signatures in order to impersonate a user or duplicate a valid action. However, they lack the ability to view or modify the contents of the communication being replayed, making them distinct from more complex interception-based attacks.

Dictionary Attacks attempt to crack passwords by trying every word in a predefined list, focusing on brute-force authentication attacks rather than intercepting communication. These attacks rely on the likelihood that users choose weak or common passwords. Although dangerous, dictionary attacks are fundamentally offline or authentication-based and do not exploit communication channels or intercept data in transit.

Phishing Attacks use deception to trick users into revealing sensitive information or executing malicious actions, often through email or fake websites, but they do not intercept communication in transit. They rely heavily on social engineering techniques rather than direct manipulation of network traffic. While effective, phishing attacks do not provide attackers with the ability to alter ongoing exchanges between legitimate parties.

Man-in-the-Middle (MitM) attacks intercept communication between two parties, allowing the attacker to eavesdrop, modify messages, or inject malicious content without the knowledge of either party. This enables credential theft, data manipulation, unauthorized transactions, and session hijacking. Attackers may use techniques such as ARP spoofing, DNS poisoning, rogue access points, or SSL stripping to position themselves between the victim and the intended server. Because MitM attacks directly target the confidentiality and integrity of data in transit, they pose a significant threat in insecure or poorly encrypted environments.

The technique specifically involving interception and modification of communications is a Man-in-the-Middle attack, making it the correct answer.

Question 20:

 Which authentication factor relies on something a user knows?

A) Token
B) Password
C) Biometric
D) Smart Card

Answer: B

Explanation:

Tokens are physical devices that generate time-based or challenge-response codes, representing something the user possesses rather than something they know. Examples include hardware tokens, key fobs, and one-time password generators. They enhance security by adding a possession factor to authentication, but do not rely on knowledge alone. Biometric authentication uses unique biological traits, such as fingerprints, iris patterns, facial recognition, or voice patterns, representing something inherent to the user. Biometrics provide strong identity verification but are inherently “something you are” and cannot be changed easily if compromised. Smart Cards are physical credentials that store cryptographic keys or certificates, representing another possession-based factor, and often require PINs to activate, combining “something you have” with “something you know.”

Passwords, however, rely entirely on knowledge that only the user is expected to know. This may include strings of characters, phrases, or answers to personal questions. Knowledge-based authentication depends on memorization, secrecy, and complexity to resist guessing or brute-force attacks. It forms one of the three primary authentication factors in security: something you know, something you have, and something you are. Combining passwords with additional factors—such as tokens or biometrics—creates multi-factor authentication (MFA), significantly increasing security.

In practice, passwords are widely used due to their simplicity and compatibility with most systems. They are often paired with policies enforcing complexity, expiration, and reuse restrictions. While passwords are vulnerable to attacks like phishing, keylogging, and brute-force, they remain the cornerstone of knowledge-based authentication. Therefore, the authentication factor that relies solely on information known by the user is the password, making it the correct answer. Proper password management, along with MFA, ensures robust protection against unauthorized access.

Question 21:

 Which type of attack exploits a system by sending malformed input to cause unexpected behavior or system crashes?

A) Phishing Attack
B) Buffer Overflow
C) Cross-Site Scripting
D) SQL Injection

Answer: B

Explanation:

Phishing attacks rely on social engineering to trick users into revealing sensitive information or executing malicious actions. While dangerous, phishing does not exploit programming vulnerabilities or system memory. Instead, it targets human behavior, manipulating trust through deceptive emails, websites, or messages. Phishing campaigns can lead to credential theft, malware installation, or financial fraud, but they do not directly interfere with how applications handle memory or process data internally.

Cross-Site Scripting (XSS) targets web applications by injecting malicious scripts into web pages, typically affecting end users rather than directly crashing the system. XSS is often used to steal cookies, hijack sessions, deface websites, or redirect users to malicious sites. Although disruptive, XSS generally operates within the confines of the victim’s browser and does not corrupt memory in a way that destabilizes the underlying system. Its primary focus is on manipulating client-side scripts rather than compromising server memory or application buffers.

SQL Injection attacks manipulate database queries by inserting malicious SQL code into input fields, potentially exposing data but not necessarily causing system crashes through memory manipulation. SQL Injection allows attackers to access, modify, or delete database records, escalate privileges, or bypass authentication mechanisms. However, despite its severity, SQLi typically compromises the logic of database queries rather than exploiting memory allocation errors. Its impact is data-centric rather than system-crash-centric.

Buffer Overflow attacks occur when a program receives input that exceeds the allocated memory buffer, overwriting adjacent memory locations. This can cause unexpected behavior, program crashes, or allow execution of arbitrary code. Attackers may craft carefully designed payloads that overwrite return addresses or function pointers, redirecting execution flow to malicious code. Classic buffer overflows often target low-level languages like C and C++, which lack built-in bounds checking. As a result, buffer overflows have historically been one of the most dangerous and widely exploited vulnerabilities in system-level software.

Buffer overflow vulnerabilities are often exploited by attackers to gain control of systems, escalate privileges, or bypass security mechanisms. The consequences can range from simple denial-of-service crashes to full remote code execution, depending on how the overflow affects program memory. Prevention requires secure coding practices such as proper input validation, bounds checking, compiler-level protections (like stack canaries), and modern mitigations including ASLR and DEP.

The attack specifically involving malformed input to cause system crashes or unpredictable behavior is the buffer overflow, making it the correct answer. Understanding buffer overflows is critical for secure coding practices, input validation, and system hardening in security-critical environments.

Question 22:

 Which cloud service model abstracts the underlying infrastructure and provides a platform for deploying applications without managing servers?

A) Infrastructure as a Service (IaaS)
B) Platform as a Service (PaaS)
C) Software as a Service (SaaS)
D) Function as a Service (FaaS)

Answer: B

Explanation:

Infrastructure as a Service (IaaS) provides virtualized computing resources, such as virtual machines, storage, and networks, where users manage operating systems, applications, and configurations. While offering high control, it requires management of servers, middleware, updates, and security hardening. This level of responsibility is suitable for organizations that need customization and flexibility but are willing to handle system administration tasks. IaaS essentially replicates a traditional data center in the cloud, shifting hardware maintenance to the provider while leaving environment configuration to the customer.

Software as a Service (SaaS) delivers fully managed applications accessed through web interfaces or APIs. Users have minimal control, typically limited to settings within the software, and do not manage infrastructure or platforms. SaaS is ideal for organizations seeking convenience, predictable costs, and instant availability without needing dedicated technical staff for maintenance. However, the trade-off is limited customization compared to other service models.

Function as a Service (FaaS) allows event-driven code execution without managing servers, abstracting nearly all administrative responsibilities to the provider, focusing solely on function deployment. FaaS is highly efficient for microservices, automation tasks, or workloads that run intermittently, but it is not designed to provide a full application development environment.

Platform as a Service (PaaS) provides an environment to develop, deploy, and manage applications without handling underlying servers, operating systems, or middleware. Users focus on coding and configuration, while the provider handles infrastructure, runtime, patching, scaling, and security. PaaS accelerates the development lifecycle by removing operational burdens and enabling developers to concentrate on innovation rather than system maintenance. It is particularly beneficial for organizations building custom applications that require scalability, integration capabilities, and rapid deployment cycles. PaaS offers scalability, rapid development, and reduced operational overhead, making it the correct answer for scenarios where infrastructure management is abstracted and the platform for application deployment is provided.

Question 23:

 Which type of malware self-replicates and spreads across systems without user interaction?

A) Virus
B) Trojan
C) Worm
D) Spyware

Answer: C

Explanation:

Viruses attach to files and require execution of the host file to propagate, often relying on user action to spread. They typically infect executable programs, documents with macros, or system files, and once activated, they can modify data, damage systems, or spread to other files. Because viruses depend on a host file and user interaction, their spread is usually slower and more localized compared to more automated threats. Traditional antivirus tools are designed to detect these file-based infections through signature or behavior analysis.

Trojans disguise themselves as legitimate software and require user execution, using social engineering for infection. They do not self-replicate, but instead trick users into installing them, often by appearing as useful tools, games, or attachments. Once executed, a Trojan may create backdoors, steal information, install additional malware, or give attackers remote control of the infected system. Since they rely heavily on deception, Trojans are often used in targeted attacks where user trust is exploited.

Spyware is designed to monitor user activity and exfiltrate information, often installed through other malware or downloads. It operates covertly, collecting data such as keystrokes, browsing habits, credentials, and system information. Spyware may accompany Trojans, viruses, or malicious advertising (malvertising), and it can severely compromise privacy and security. Although it is intrusive and harmful, spyware typically does not spread autonomously.

Worms, however, are self-replicating programs capable of spreading across networks and systems autonomously, without requiring user interaction. They exploit vulnerabilities, weak configurations, or network protocols to propagate rapidly. This independence makes worms uniquely dangerous, as they can move from system to system at high speed once inside a network. Notable incidents like the WannaCry and SQL Slammer outbreaks demonstrated how worms can cripple organizations within minutes, causing system failures, network congestion, data corruption, and widespread outages.

Worms may also deliver secondary payloads, such as ransomware, rootkits, or backdoors, amplifying their destructive potential. Because they require no user involvement and do not rely on host files, worms thrive in environments with poor patch management, weak segmentation, or outdated security policies. Preventing worm outbreaks requires strong intrusion prevention systems, strict network hygiene, timely patching, and the use of secure communication protocols.

Unlike viruses or Trojans, worms are independent of host files and act automatically, making them particularly dangerous in unpatched or highly connected environments. The malware type that spreads autonomously without user interaction is the worm, making it the correct answer. Understanding worms is critical for network security, patch management, and intrusion prevention strategies.

Question 24:

 Which cryptographic attack involves using precomputed hash-value pairs to reverse hashed passwords?

A) Brute-Force Attack
B) Rainbow Table Attack
C) Man-in-the-Middle Attack
D) Replay Attack

Answer: B

Explanation:

Brute-Force Attacks systematically attempt every possible password combination to gain access, without leveraging precomputed data. This approach is computationally intensive, especially for long or complex passwords, because it relies entirely on trying each possible permutation until the correct one is discovered. While effective against weak passwords, brute-force attacks become impractical when strong complexity requirements, long password lengths, or account lockout policies are in place. Brute-force attacks are time-consuming and resource-heavy, often making them a last resort for attackers unless password requirements are very weak.

Man-in-the-Middle Attacks intercept and potentially alter communications between two parties, focusing on confidentiality and integrity of data in transit rather than reversing hashed passwords. These attacks occur when an attacker positions themselves between two communicating systems, enabling them to observe, modify, or inject malicious content. While MitM attacks may capture credentials during login processes, they do not attempt to reverse hashes or use precomputed values to guess passwords. Their primary target is live communication, not stored authentication data.

Replay Attacks capture valid transmissions and retransmit them to gain unauthorized access, again unrelated to reversing hashed credentials. These attacks succeed when systems fail to validate timestamps, session tokens, or authentication freshness. Although replay attacks can impersonate a user temporarily, they still do not involve cracking hashed passwords or comparing captured hashes to known values.

Rainbow Table Attacks exploit precomputed tables of plaintext and corresponding hash values to efficiently reverse hashed passwords. These tables dramatically reduce the time required to crack a hash because the attacker does not need to compute hashes for every guess—the work has already been done. When an attacker captures a hashed password, they can quickly compare it to the table and find the original input, bypassing time-intensive brute-force attempts. Rainbow tables are especially powerful against older or weaker hashing algorithms like MD5 or SHA-1, particularly when passwords are short or lack complexity.

This technique is highly effective against unsalted hashes but can be mitigated using salting, key stretching, or strong hash algorithms. Salting adds random data to each password before hashing, making precomputed tables useless. Key-stretching techniques such as PBKDF2, bcrypt, scrypt, and Argon2 further slow hashing operations to reduce the feasibility of large-scale attacks.

The attack specifically using precomputed hash tables to reverse password hashes is the rainbow table attack, making it the correct answer.

Question 25:

 Which disaster recovery plan document defines procedures and roles to restore operations after a major incident?

A) Business Continuity Plan (BCP)
B) Disaster Recovery Plan (DRP)
C) Incident Response Plan (IRP)
D) Service Level Agreement (SLA)

Answer: B

Explanation:

A Business Continuity Plan (BCP) provides a high-level strategy to continue essential operations during and after a disruption, focusing on business processes. It addresses how an organization as a whole will maintain critical functions when normal operations are interrupted. While the BCP identifies essential business activities, acceptable downtime, and organizational priorities, it does not provide the step-by-step technical procedures needed to restore IT systems.

An Incident Response Plan (IRP) addresses the detection, containment, and remediation of security incidents but does not typically include full operational restoration steps. The IRP is concerned with identifying threats, minimizing damage, gathering forensic evidence, and restoring security. Although it may initiate recovery steps, it stops short of detailing the complete infrastructure rebuild or system restoration processes required after a major disaster.

Service Level Agreements (SLAs) define performance and availability expectations between a service provider and client, without detailing procedures for recovery. They specify uptime guarantees, response times, maintenance schedules, and support obligations, but they are contractual guidelines rather than operational recovery documents.

Disaster Recovery Plans (DRP) provide detailed procedures, responsibilities, and resources required to restore IT systems, applications, and infrastructure following a major incident or disaster. DRPs outline restoration priorities, acceptable recovery times (RTO), recovery point objectives (RPO), communication protocols, hardware requirements, backup procedures, and team responsibilities. They serve as a technical blueprint for bringing systems back online in a structured and controlled manner.

Effective DRPs minimize downtime, reduce confusion, and ensure personnel know exactly what to do during high-pressure recovery situations. The document that defines roles, procedures, and steps to restore operations after a disaster is the DRP, making it the correct answer.

Question 26:

 Which type of attack exploits weaknesses in web applications to inject malicious scripts into web pages viewed by other users?

A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Directory Traversal
D) Buffer Overflow

Answer: B

Explanation:

SQL Injection targets databases by inserting malicious SQL commands into input fields to manipulate queries and access sensitive data. While serious, it does not focus on executing scripts in users’ browsers. SQL Injection attacks typically aim to extract information, bypass authentication, modify records, or even delete entire databases. The attack’s impact is directed at the server-side database layer, not the client-side browser environment. Although devastating, SQL Injection does not allow attackers to run JavaScript or other browser-executable scripts on users’ machines.

Directory Traversal exploits insufficient input validation to access files outside the intended directory on a server, potentially exposing sensitive files but not executing scripts in a browser. This attack manipulates file paths using sequences like “../” to move up the directory structure, allowing access to system files, configuration data, or logs. While dangerous, directory traversal is limited to unauthorized file access and does not interact with or compromise client-side browser behavior.

Buffer Overflow attacks exploit memory handling flaws by sending oversized input, potentially allowing code execution or system crashes, but they do not target web page content or users directly. Buffer overflows are typically used to inject malicious machine code into vulnerable applications, gaining control over system processes or escalating privileges. Their impact is generally on low-level systems, not on browser-executed scripts or front-end web interactions.

Cross-Site Scripting (XSS) injects malicious scripts into web pages, which are then executed in the browsers of users who view the page. This can steal session cookies, redirect users, manipulate webpage content, or perform unauthorized actions on behalf of the user. XSS exploits the trust relationship between a user and a website by inserting attacker-controlled script content into pages served by a legitimate web application. Because these scripts run in the victim’s browser under the website’s domain, they can bypass same-origin protections and access sensitive session information.

XSS attacks leverage insufficient input validation and a lack of secure output encoding. They come in multiple forms—stored XSS, reflected XSS, and DOM-based XSS—each targeting different parts of the web application workflow. Stored XSS embeds malicious scripts directly in the server’s stored content, making every viewer vulnerable. Reflected XSS injects scripts through crafted URLs, while DOM-based XSS manipulates scripts already running in the browser.

Mitigation strategies include strict input validation, proper output encoding, sanitizing user-generated content, enabling Content Security Policies (CSP), and using secure frameworks. Understanding XSS is crucial for secure web development and protecting users from browser-based attacks. The attack specifically focused on injecting scripts into web pages to affect other users, which is Cross-Site Scripting, making it the correct answer.

Question 27:

 Which type of security control is implemented to prevent an incident from occurring?

A) Detective Control
B) Corrective Control
C) Preventive Control
D) Compensating Control

Answer: C

Explanation:

Detective Controls are designed to identify and alert organizations when incidents occur, enabling response but not prevention. Examples include intrusion detection systems (IDS), security information and event management (SIEM) tools, audit logs, and monitoring systems. These controls help organizations detect unauthorized activity, policy violations, or anomalous behavior, but they do not stop the event from happening. While critical for situational awareness and incident response, detective controls rely on timely detection and follow-up actions to mitigate impact.

Corrective Controls address incidents after they occur, restoring systems or mitigating damage, rather than preventing initial occurrence. They include processes like patch management, restoring backups, incident remediation, and updating firewall rules in response to a compromise. Corrective measures are reactive by nature, focusing on recovery and reducing the consequences of an incident. While they can limit damage, they cannot prevent the incident from occurring in the first place, making them complementary to preventive measures rather than a replacement.

Compensating Controls are alternative measures implemented when primary controls cannot be applied, often providing partial risk mitigation. These controls are temporary or supplementary, used to achieve similar security objectives when standard practices are impractical due to technical, operational, or financial constraints. Examples include implementing additional monitoring when multifactor authentication cannot be deployed, or using encrypted communication channels where network segmentation is not feasible. Although they help manage risk, compensating controls are not as robust as primary preventive measures.

Preventive Controls proactively reduce the likelihood or impact of a security incident. Examples include strong authentication mechanisms, role-based access controls (RBAC), encryption, firewalls, antivirus software, endpoint protection, employee security awareness training, and well-defined security policies. By addressing potential vulnerabilities before exploitation, preventive controls minimize the risk of unauthorized access, data breaches, malware infections, and operational failures. They form the first line of defense in a layered security strategy, complementing detective and corrective measures by stopping threats at their source.

Preventive controls are essential for enforcing organizational security policies, limiting access to sensitive resources, and ensuring that users follow best practices. They also help in regulatory compliance, reducing liability, and maintaining operational continuity. For instance, requiring strong passwords, restricting administrative privileges, and implementing network segmentation are all preventive measures that directly reduce exposure to threats. Organizations that prioritize preventive controls are better positioned to avoid costly incidents, maintain trust, and strengthen overall cybersecurity posture.

Because preventive controls are focused on proactively minimizing risk and preventing incidents from occurring, they are the correct answer. They act as the foundation of a robust security program, ensuring threats are mitigated before they can cause harm, rather than simply detecting or correcting them after the fact.

Question 28:

 Which principle ensures that security mechanisms remain effective even if all internal details are publicly known?

A) Security through Obscurity
B) Open Design
C) Defense in Depth
D) Least Privilege

Answer: B

Explanation:

Security through Obscurity relies on keeping internal system details hidden, assuming secrecy alone provides protection. The idea is that if attackers do not know the inner workings of a system, they cannot exploit it. This approach often focuses on concealing source code, algorithms, configurations, or system architecture. While obscurity can delay attacks, it is not a reliable or sustainable security measure. Once the hidden details are exposed—through leaks, reverse engineering, or insider knowledge—the system can be compromised immediately. Relying solely on obscurity is considered a weak security practice because it does not address underlying vulnerabilities or provide robust safeguards against sophisticated attackers.

Defense in Depth uses multiple layers of security, such as firewalls, antivirus, intrusion detection systems, encryption, and access controls, to provide redundancy and protect against a variety of attack vectors. By layering defenses, organizations reduce the likelihood that a single point of failure will lead to a complete compromise. However, Defense in Depth does not specifically guarantee that security holds if internal system details are fully disclosed. While it improves overall resilience, the approach is more about mitigation and redundancy rather than ensuring security is independent of knowledge of the system’s design.

Least Privilege restricts user or process permissions to the minimum required for completing tasks, limiting the potential for misuse or accidental damage. Enforcing minimal access rights reduces attack surfaces and helps contain the impact of compromised accounts. Although least privilege is essential for minimizing risk, it does not address transparency or disclosure of system design, nor does it ensure that knowing internal mechanisms cannot lead to a compromise.

Open Design, by contrast, emphasizes that security should depend on robust architecture, sound cryptography, and strong controls rather than secrecy. Systems adhering to this principle remain secure even if all internal mechanisms are fully disclosed. This approach encourages transparency, verifiability, and rigorous design, allowing security to be evaluated, tested, and strengthened openly. Open Design ensures that attackers cannot exploit knowledge of internal workings alone because the underlying security mechanisms are inherently resilient, well-tested, and resistant to compromise. It promotes trust, accountability, and maintainability in system development, encouraging organizations to focus on strong defenses rather than hiding details.

The principle that explicitly ensures security even when all internal details are known is Open Design, making it the correct answer. By embracing open design, organizations create systems where protection is not dependent on secrecy, and the strength of security measures can withstand exposure, scrutiny, or even deliberate testing by adversaries, ensuring long-term resilience and reliability.

Question 29:

Which backup method copies all files that have changed since the last full backup and resets the archive bit?

A) Full Backup
B) Differential Backup
C) Incremental Backup
D) Synthetic Full Backup

Answer: C

Explanation:

A Full Backup copies all files regardless of changes since the last backup, ensuring a complete snapshot of the system at that point in time. This approach guarantees that every file is included, making restoration straightforward because only the full backup is required. However, full backups require significant time to complete and consume large amounts of storage space, especially for environments with substantial amounts of data. Frequent full backups can place heavy loads on network and storage resources, which is why many organizations schedule them less often, typically weekly or monthly, and supplement them with other backup types.

Differential Backup copies all files changed since the last full backup but does not reset the archive bit, causing each differential backup to grow cumulatively. This method reduces the storage requirements compared to full backups if used sparingly, but over time, differential backups can become nearly as large as a full backup. Restoring from differential backups requires the last full backup plus the latest differential backup, simplifying recovery compared to incremental backups but still consuming more storage over time.

Synthetic Full Backup combines previous full and incremental backups to create a new full backup without reading all source data directly. This reduces system load and backup window time, as it reconstructs a full backup from existing data stored in backup media rather than re-copying files from the live system. Although efficient, this method does not match the specific behavior described in the original scenario because it relies on combining multiple backups instead of capturing only recent changes.

Incremental Backup copies only files changed since the last backup of any type—whether full or incremental—and resets the archive bit after completion. This approach is highly efficient because it minimizes both the amount of data copied and the storage required. Incremental backups reduce network bandwidth usage and shorten backup windows, making them ideal for environments with frequent changes or large datasets. However, restoring from incremental backups requires the last full backup and all subsequent incremental backups in sequence. If any incremental backup in the chain is missing or corrupted, restoration can fail, highlighting the importance of careful management and monitoring of backup sets.

Incremental backups optimize efficiency and storage while ensuring that all changes are captured, making them the correct answer. By balancing speed, storage use, and completeness, incremental backups allow organizations to maintain regular data protection without overloading resources, ensuring that critical files and system changes are securely preserved for recovery.

Question 30:

 Which principle ensures that a system provides multiple layers of defense to mitigate failures or attacks?

A) Security through Obscurity
B) Defense in Depth
C) Least Privilege
D) Separation of Duties

Answer: B

Explanation:

Security through Obscurity relies on the secrecy of system details rather than layered protection. The assumption is that if attackers do not know internal mechanisms, the system will remain secure. While it may delay attacks, this approach is fragile because once the hidden details are exposed—through leaks, reverse engineering, or insider threats—the system can be compromised immediately. Security through Obscurity is therefore considered an unreliable standalone strategy and should never replace strong, tested defenses.

Least Privilege restricts access rights to reduce misuse or accidental damage by ensuring users and processes only have the permissions necessary to perform their tasks. While critical for limiting the potential impact of compromised accounts or insider threats, least privilege does not provide multiple layers of protection. It is a targeted control focused on minimizing risk from individual access, rather than a comprehensive framework for overall system security.

Separation of Duties distributes responsibilities among multiple individuals to prevent fraud, errors, or unauthorized actions, particularly in administrative or financial processes. By ensuring that no single individual has unchecked authority over critical functions, this principle reduces the chance of abuse. However, it primarily addresses administrative controls and organizational governance rather than technical security layers, meaning it cannot compensate for weaknesses in system architecture or cyber defenses.

Defense in Depth is a comprehensive strategy that implements multiple layers of security across technical, administrative, and physical domains. Examples of layered protections include firewalls, intrusion detection and prevention systems (IDS/IPS), antivirus and endpoint protection, access controls, monitoring, encryption, and secure coding practices. By layering protections, Defense in Depth ensures that the failure of one control does not automatically compromise the system. Each layer addresses different attack vectors and provides redundancy, increasing the difficulty for attackers to succeed.

This approach not only enhances detection capabilities and response but also strengthens overall resilience against diverse threats, including malware, insider attacks, network breaches, and human errors. Defense in Depth allows organizations to maintain continuity and protect sensitive data even when individual controls are bypassed or fail. It promotes a holistic security mindset, ensuring multiple checkpoints, redundancies, and safeguards are in place throughout the environment.

By combining these overlapping security measures, Defense in Depth maximizes protection, mitigates risks, and improves overall system reliability, making it the correct answer. It embodies the principle that security should not rely on a single control but rather on a coordinated, multi-layered strategy.