CC Sample Questions Answers

Input validation ensures user inputs are sanitized and conform to expected formats, preventing injection attacks such as SQL injection and command injection.

SSH operates at the Application layer (Layer 7). IP, ICMP, and IGMP are Layer 3 protocols responsible for routing and control messaging.

AService Level Agreement (SLA)defines availability, performance, responsibilities, security controls, and incident response expectations between cloud providers and customers.

TheBusiness Continuity Planincludes immediate response actions, communication plans, and leadership guidance.

Modern firewalls operate at Layers 3, 4, and 7, supporting packet filtering, stateful inspection, and application-layer filtering.

Backups are recovery controls because they restore data and systems after failures, attacks, or disasters.

ISC2’s Code of Ethics requires candidates to report violations through proper channels to preserve exam integrity.

Operating system logs are the most relevant source of information for detecting and investigating privilege escalation attacks. These logs record authentication events, privilege changes, process executions, and system-level actions.

Because the attacker already had authorized access, firewall and IDS logs may show little or no suspicious activity. Database logs focus on database-level operations, not OS privilege changes.

OS logs provide the best visibility into actions such as sudo usage, kernel exploits, and unauthorized permission changes. They are essential for forensic analysis and incident response involving insider threats.

The primary goal of Identity and Access Management (IAM) is to ensuresecure and controlled accessto organizational resources. IAM systems manage user identities, authenticate users, and authorize access based on roles, policies, and least privilege principles.

IAM does not guarantee complete protection against all threats, as no system can provide 100% security. It also does not eliminate authentication or focus on network performance monitoring. Instead, IAM ensures that theright usershave theright accessto theright resourcesat theright time.

Core IAM capabilities include identity provisioning, authentication, authorization, access reviews, and auditing. IAM is foundational to zero trust architectures and is emphasized by NIST, ISO/IEC 27001, and CIS as a critical security control for preventing unauthorized access and reducing insider threat risk.

A Security Information and Event Management (SIEM) system is designed tocollect, correlate, analyze, and alert on security eventsgenerated across an organization’s IT environment. SIEM platforms aggregate logs from diverse sources such as servers, firewalls, endpoints, applications, and cloud services, providing centralized visibility into security activity.

The core value of a SIEM lies inevent correlation and contextual analysis. By correlating events across systems and over time, a SIEM can detect suspicious patterns that individual logs alone would not reveal—such as lateral movement, privilege escalation, or coordinated attacks. SIEMs also support real-time alerting, dashboards, querying, and incident investigation, enabling security teams to respond faster and more effectively.

SIEM systems donotencrypt files (that’s cryptography), block websites directly (that’s firewalls or secure web gateways), or manage passwords (that’s IAM). Instead, they serve as thecentral nervous system of a Security Operations Center (SOC), supporting monitoring, detection, compliance reporting, and incident response workflows as recommended by NIST and other security frameworks.

High availability (HA) refers to system designs that ensure continuous operation by minimizing downtime in the event of component failures. Adding a backup firewall that automatically takes over when the primary firewall fails is a classic example of high availability.

HA solutions often use failover mechanisms, heartbeat monitoring, and redundancy to ensure seamless service continuity. The goal is to maintain availability, which is a core pillar of the CIA triad.

Component redundancy describes duplicated parts, but high availability focuses on the operational outcome—continued service. Load balancing distributes traffic, not failover. Clustering involves multiple systems working together, but HA specifically emphasizes fault tolerance and uptime.

High availability is critical for security infrastructure such as firewalls, authentication servers, and monitoring tools. NIST and ISO frameworks stress HA as essential for business continuity, disaster recovery, and resilient security operations.

Spoofing involves falsifying identity information such as IP or MAC addresses to bypass security controls.

Technical (logical) controls are implemented using technology to enforce security policies. A GPS tracking system is a technical control because it relies on electronic systems and software to monitor and record vehicle location.

Security guards and door locks are physical controls. Technical controls include firewalls, encryption, intrusion detection systems, access control systems, and monitoring tools.

Technical controls play a major role in preventing, detecting, and responding to cyber threats and are emphasized heavily in modern cybersecurity frameworks.

GRC (Governance, Risk, and Compliance) integrates business objectives with risk management and regulatory compliance.

These areType 1 (bare-metal) hypervisors, running directly on hardware without a host operating system, offering higher performance and security.

Cryptography provides confidentiality by encrypting data so only authorized parties can read it. Hashing ensures integrity, and encoding is reversible and not secure.

Criticality reflects how essential an asset or system is to business success or mission accomplishment. It is commonly determined during a Business Impact Analysis (BIA) and influences recovery priorities.

The final phase in the data security lifecycle isdestruction. After data is no longer required for business, legal, or regulatory purposes, it must be securely destroyed to prevent unauthorized recovery or misuse.

Encryption, backup, and archival are all earlier phases focused on protecting data during use, storage, and retention. Destruction ensures data is permanently removed through secure wiping, degaussing, or physical destruction of media.

Improper data disposal can lead to data breaches through remanence. NIST SP 800-88 provides detailed guidance on secure media sanitization and destruction methods. Secure destruction is especially critical for sensitive and regulated data such as PII, PHI, and financial records.

A security assessment evaluates the effectiveness of security controls and verifies whether they meet security requirements. It differs from risk assessments, which focus on identifying threats and vulnerabilities.

The Disaster Recovery Plan (DRP) contains step-by-step technical procedures to restore IT systems, data, and infrastructure after a disruptive event. While the BCP focuses on maintaining operations, the DRP focuses onrestoration.

Type 1 authentication refers tosomething you know, such as passwords or PINs. While widely used, this authentication method has several inherent weaknesses. Users may share credentials intentionally or unintentionally, reuse weak passwords across systems, or forget them altogether. Passwords can also be intercepted through phishing, keylogging, shoulder surfing, or man-in-the-middle attacks.

Because of these weaknesses, Type 1 authentication alone provides limited security assurance. Modern security frameworks strongly recommend supplementing knowledge-based authentication with additional factors, such as something you have (tokens) or something you are (biometrics), to form Multi-Factor Authentication (MFA).

While managementparticipatesin BCP, “management” alone is not a documented component. The other options represent formal, documented BCP elements.

Cloud orchestration coordinates automated tasks, workflows, and resource provisioning across cloud environments to improve efficiency and consistency.

MAC enforces access based on classification labels and user clearances, commonly used in military and government systems.

IPSec uses sequence numbers in AH and ESP headers to detect and reject duplicate packets. This prevents attackers from capturing and replaying valid packets. Anti-replay protection is a core IPSec security feature defined by the IETF.

AVirtual Private Network (VPN)creates an encrypted tunnel across untrusted networks such as the Internet. VPNs protect confidentiality and integrity by encrypting authentication credentials and data traffic.

Buffer overflow attacks target applications, exploiting improper memory handling. Applications operate atLayer 7 (Application Layer), making it the primary target.

In anasymmetric cryptography system, each user is assigned akey pairconsisting ofone public key and one private key. These two keys are mathematically related but serve different purposes: the public key is shared openly for encryption or verification, while the private key is kept secret for decryption or signing.

To support50 users, each user must have2 keys:

1 public key

1 private key

Therefore, the total number of keys required is:

50 users × 2 keys per user = 100 keys

This is one of the major advantages of asymmetric cryptography over symmetric cryptography. In symmetric systems, the number of required keys grows rapidly as the number of users increases (n(n−1)/2), making key management complex. Asymmetric cryptography scales much more efficiently because each user manages only their own key pair.

Asymmetric encryption is widely used in secure communications such as TLS, digital signatures, and PKI-based authentication. Standards bodies like NIST and ISO/IEC rely heavily on asymmetric cryptography for scalable and secure key management.

Risk Avoidanceeliminates risk by discontinuing activities that expose the organization to unacceptable threats.

Backups are one of the most critical components of any disaster recovery (DR) strategy. Disaster recovery focuses on restoring systems, data, and operations after a disruptive event such as a cyberattack, natural disaster, hardware failure, or human error. Without reliable backups, recovery may be impossible or severely delayed.

Backups ensure that critical data can be restored to a known good state, minimizing data loss and downtime. Industry frameworks such as NIST SP 800-34 and ISO/IEC 27031 emphasize backups as a foundational DR control. They support recovery time objectives (RTOs) and recovery point objectives (RPOs), which define how quickly systems must be restored and how much data loss isacceptable.

While routers, laptops, and firewalls are important infrastructure components, they can typically be replaced or reconfigured. Lost or corrupted data, however, may be irreplaceable without backups. Best practices include maintaining regular, automated backups, storing them offsite or in the cloud, and protecting them from ransomware using immutable or offline storage. Testing backups regularly is also essential to ensure they are usable during an actual disaster.

Multi-factor authentication (MFA) requires two or more authentication factors from different categories: something you know, something you have, and something you are.

MFA significantly increases security by reducing reliance on any single factor. Even if one factor is compromised, attackers still cannot authenticate without the others.

MFA is widely recommended by NIST, CIS, and virtually all modern security frameworks, especially for privileged accounts and remote access.

Encryption ensures confidentiality by rendering data unreadable to unauthorized users, whether at rest or in transit.

Likelihood represents the probability that a threat will successfully exploit a vulnerability and is a core component of risk calculation.

HTTPS uses SSL/TLS to provide encryption, authentication, and integrity for web communications.

Aprocedureis a detailed, step-by-step set of instructions that explainshowto perform a task in compliance with policies and standards. Procedures translate high-level requirements into actionable guidance for staff.

Policies define what must be done, standards specify mandatory requirements, and procedures explain exactly how to carry them out. Laws are external legal mandates, not internal operational documents.

For example, a security policy may require access reviews, a standard may define review frequency, and a procedure will outline the exact steps to conduct the review. Procedures ensure consistency, reduce errors, and support compliance and auditing efforts.

Risk is calculated by evaluating the likelihood of a threat exploiting a vulnerability and the resulting impact.

Validating and sanitizing user input prevents malicious scripts from being injected and executed in a user’s browser. Input validation is the primary defense against XSS.

System security configuration management focuses on ensuring that systems are securely configured, consistently maintained, and properly tracked throughout their lifecycle. Core elements includebaselines,updates, andinventory. Baselines define the approved secure configuration for systems. Updates (such as patches and configuration changes) ensure systems remain secure over time. Inventory tracks hardware and software assets so organizations know what must be configured and maintained.

Audit logs, while extremely important for security monitoring, incident response, and compliance, arenot a core element of configuration management. Instead, audit logs fall under security operations, monitoring, and logging controls. Configuration management is concerned with how systems are built and maintained, not with recording activity after deployment.

Frameworks such as NIST SP 800-128 clearly distinguish configuration management from logging and auditing, even though both contribute to overall system security.

Zero Trust architectures rely on microsegmentation and continuous enforcement to limit lateral movement.

When a mail server sends email to another mail server, it acts as anSMTP client. In the Simple Mail Transfer Protocol (SMTP), roles are defined by behavior, not by the system’s primary function.

The sending system initiates the connection and issues SMTP commands, which makes it the client for that transaction. The receiving mail server listens for incoming connections and acts as the SMTP server.

Mail servers routinely switch roles depending on the direction of communication. A single system may act as an SMTP server when receiving mail and as an SMTP client when sending mail.

Understanding SMTP roles is important for configuring mail security controls such as firewalls, TLS enforcement, spam filtering, and authentication. Security professionals must recognize that “client” and “server” are session-based roles, not permanent system identities.

Replay attacks disrupt communication by resending captured packets, potentially causing session confusion or denial of service. IPSec mitigates this using sequence numbers.

MAC enforces centrally managed access controls. Users and data owners cannot modify permissions.

Azero-day vulnerabilityis typically not identifiable through a standard vulnerability assessment. Vulnerability scanners and routine assessments rely onknown vulnerability signatures, published advisories, and documented weaknesses. By definition, a zero-day vulnerability is unknown to vendors, defenders, and security tools at the time it exists or is exploited.

File permission issues, buffer overflows, and cross-site scripting (XSS) vulnerabilities are commonly detected through automated scans, configuration reviews, and application testing because they are well understood and documented classes of weaknesses. Scanners are specifically designed to identify these known issues.

Zero-day vulnerabilities, however, require alternative detection approaches such as behavioral monitoring, anomaly detection, threat intelligence, or post-exploitation forensics. This limitation is why vulnerability assessments alone are insufficient and must be complemented withdefense-in-depth, monitoring, and incident response capabilities.

Security frameworks consistently emphasize that organizations should not rely solely on vulnerability scanning, as it cannot detect unknown or newly emerging threats like zero-day vulnerabilities.

The four primary risk response strategies areaccept, avoid, mitigate (reduce), and transfer. Monitoring is an ongoing activity, not a formal risk treatment option.

Secure Shell (SSH) is the secure alternative to Telnet. Telnet transmits data, including credentials, in clear text, making it vulnerable to interception. SSH encrypts all communications, providing confidentiality, integrity, and authentication.

HTTPS secures web traffic, SFTP is used for file transfer, and LDAPS secures directory services—not remote terminal access. SSH is the industry-standard replacement for Telnet.

The IPv6 address rangefc00::/7, which includesfc00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, is reserved forUnique Local Addresses (ULAs). ULAs are the IPv6 equivalent of private IPv4 addresses (such as 10.0.0.0/8 or 192.168.0.0/16). These addresses are intended for internal communications within an organization and arenot routable on the public Internet.

ULAs allow organizations to design internal IPv6 networks without relying on globally routable addresses. This enhances security by reducing external exposure and simplifies internal network design. According to RFC 4193, ULAs are designed to be globally unique within private networks while remaining isolated from the public Internet.

A firewall is a network security device designed to monitor, filter, and control incoming and outgoing traffic based on predefined security rules. Firewalls act as a barrier between trusted internal networks and untrusted external networks, such as the internet.

Firewalls can operate at multiple layers of the OSI model and may inspect packet headers, session states, and even application-level data. Modern firewalls often include advanced features such as intrusion prevention, deep packet inspection, and threat intelligence integration.

Servers and endpoints generate or consume traffic but do not filter it by default. Ethernet is a networking standard, not a device. Firewalls are a foundational security control recommended by virtually all cybersecurity frameworks, including NIST and CIS Critical Security Controls.

By enforcing traffic filtering rules, firewalls help prevent unauthorized access, reduce attack surfaces, and protect systems from threats such as malware, scanning, and exploitation.

A complete BCP includes response procedures, communication plans, and management authority to ensure coordinated recovery.

Non-repudiation requires strong identity verification, message integrity, and tamper resistance, typically implemented using digital signatures and PKI.

Availabilityensures that authorized users can access information and systems when needed, a core element of the CIA triad.

An eavesdropping attack occurs when an attacker passively intercepts network communications to capture sensitive information such as credentials, session tokens, or authentication exchanges. This data can later be reused in impersonation or replay attacks.

CSRF and XSS are application-layer attacks, while ARP spoofing is an active network attack. Eavesdropping relies on unencrypted or weakly protected communications, highlighting the importance of TLS and secure authentication protocols.

Security policies are high-level, mandatory statements approved by management that define security objectives, principles, and rules. Procedures and standards support policies but do not establish overarching intent.

Hashing is the best control for detecting unauthorized changes to source code. By generating cryptographic hash values for approved versions of files, any modification—intentional or accidental—will result in a different hash, immediately indicating tampering.

Backups help recover data but do not prevent or detect unauthorized changes. File labels provide classification but do not ensure integrity. Security audits review compliance but do not continuously detect changes.

Hashing supports integrity assurance, which is a core security objective. Tools such as file integrity monitoring (FIM) systems rely on hashing to alert administrators when files are altered unexpectedly.

NIST and CIS controls emphasize hashing and integrity monitoring as essential for protecting code repositories, system files, and critical configurations, especially in DevOps and CI/CD environments.

A zero-day vulnerability is one that is unknown to the vendor and has no available patch at the time it is exploited. Attackers take advantage of the fact that defenders have “zero days” to fix the issue.

Routine vulnerability scans cannot detect zero-days because scanners rely on known signatures. This is why defense-in-depth, monitoring, and anomaly detection are critical security strategies.

Emergency exit doors are a critical physical control designed to ensure safe and rapid evacuation during emergencies such as fires or earthquakes. These doors are typically clearly marked, unobstructed, and may include panic bars to allow easy exit without special knowledge or tools.

Fire alarms alert occupants, exit signs provide direction, and emergency lighting improves visibility, but none of these physically enable evacuation. Exit doors directly support life safety by allowing people to leave the building quickly and safely. Life safety is the highest priority in physical security design, and exit doors are mandatory under building and fire safety codes.

Zenmap is the graphical front end for Nmap. It performs host discovery, port scanning, service enumeration, and OS fingerprinting.

During the detection and analysis phase, incidents are identified, triaged, categorized, and prioritized based on impact and urgency. This ensures resources are allocated appropriately.

Effective DLP solutions monitor all egress channels to prevent unauthorized data exfiltration, including web uploads, APIs, and removable media.

Data Loss Prevention (DLP) solutions are specifically designed to detect, monitor, and prevent the unauthorized storage, use, or transmission of sensitive data such as Social Security numbers, credit card data, and personal records. DLP tools can scan endpoint hard drives, servers, databases, and cloud storage to identify sensitive data based on patterns, classifications, or content inspection.

IDS and IPS focus on detecting or blocking network attacks, not improper data storage. TLS encrypts data in transit but does not detect where sensitive data resides. DLP solutions directly address Natalia’s concern by identifying policy violations related to sensitive data storage.

DLP is a critical control recommended by NIST and CIS for protecting regulated data and preventing data leakage across all data states.

Impact measures the severity of consequences if a security event occurs. It is a key component of risk calculations along with likelihood.

Platform as a Service (PaaS) provides customers with an environment tobuild, deploy, and manage applicationswithout managing underlying infrastructure. PaaS includes operating systems, middleware, runtime environments, and development tools.

SaaS delivers fully managed applications, while IaaS provides raw infrastructure. PaaS best balances flexibility and operational efficiency for software development.

Side-channel attacks exploit physical characteristics such as power usage, timing, or electromagnetic emissions to infer sensitive information like cryptographic keys.

All listed protocols provide encrypted email communication using SSL/TLS for sending or retrieving email securely.

Anexecutive summarygives leadership a concise overview of objectives, scope, and recovery strategies without technical detail.

Infrastructure as a Service (IaaS) provides security teams with the greatest access to forensic data because customers retain control over operating systems, logs, storage, and network configurations.

In SaaS and FaaS models, the provider controls most of the infrastructure, limiting visibility. PaaS provides partial access but still restricts OS-level forensics.

IaaS allows collection of disk images, memory dumps, system logs, and network traffic, which are essential for incident response and forensic investigations.

Security teams prefer IaaS for high-control environments where deep visibility is required.

Law enforcement is not typically part of an organization’s internal incident response team. Incident response teams usually consist of cybersecurity professionals, technical subject matter experts, IT staff, legal advisors, and management representatives.

Law enforcement may become involved after an incident, especially in cases involving criminal activity, regulatory requirements, or large-scale breaches. However, they are external stakeholders, not internal team members.

Management plays a key role in decision-making and communication, while technical and cybersecurity experts handle detection, containment, eradication, and recovery.

NIST incident response guidance emphasizes coordination with external entities but clearly distinguishes internal response teams from external authorities such as law enforcement.

Qualitative risk analysis evaluates risk using descriptive categories such aslow,medium, andhighinstead of numerical values. This approach relies on expert judgment, experience, and contextual understanding rather than precise financial or statistical calculations. According to NIST SP 800-30, qualitative analysis is especially useful when numerical data is unavailable or when rapid risk prioritization is required.

Unlike quantitative risk analysis, which assigns monetary values and probabilities, qualitative analysis focuses on relative severity and likelihood. It is commonly used during early stages of risk management, policy development, and executive decision-making. While less precise, qualitative risk analysis is easier to communicate to stakeholders and helps organizations focus resources on the most critical risks.

Identification is the act of claiming an identity (e.g., username). Authentication is the process of verifying that claim (e.g., password, biometrics). Authorization follows authentication.

Risk management is an ongoing process that identifies threats, evaluates risk, and applies controls to reduce risk to acceptable levels. It is foundational to cybersecurity governance.

Authorization determines what actions a user is allowed to perform after their identity has been authenticated. Identification claims an identity, authentication verifies it, and authorization grants permissions.

Disaster Recovery Planning focuses specifically on restoring IT infrastructure, systems, and communications.

Common IRT models includededicated,leveraged, andhybridteams. In these models, response capabilities exist within the organization. While organizations mayusethird-party assistance, a fullyoutsourcedIRT is generally not considered a core internal IRT model because incident response requires immediate organizational authority, access, and accountability.

Standards such as ISO, NIST, and CIS are commonly developed by third-party organizations and provide best practices and compliance guidance. They are not laws unless mandated.

Private or ephemeral ports (49152–65535) are dynamically assigned to client applications for temporary communication sessions.

Risk identification is the first step in the risk management process. Organizations must first identify assets, threats, and vulnerabilities before they can assess likelihood or impact. Without knowing what risks exist, meaningful assessment and mitigation are impossible.

Access control ensures that only authorized users can access specific resources. It includes authentication, authorization, and enforcement mechanisms.

Encryption protects data confidentiality, firewalls control network traffic, and antivirus detects malware. Only access control directly governs who can access sensitive information.

Disaster Recovery Planning focuses on restoringIT systems, infrastructure, and communicationsafter a disruption. Business Continuity Planning focuses onmaintaining critical business functionsduring and after incidents, often using alternative processes.

BCP is broader than DRP and includes people, processes, facilities, and third parties, while DRP is IT-centric. Both plans complement each other but serve different purposes.

Distributed Denial of Service (DDoS) attacks primarily impactavailability, one of the three pillars of the CIA triad. DDoS attacks overwhelm systems, networks, or applications with massive volumes of traffic, exhausting resources such as bandwidth, CPU, or memory and preventing legitimate users from accessing services.

The goal of a DDoS attack is not to steal data, alter information, or deny accountability, but rather todisrupt access. Confidentiality and integrity may remain intact, but users are unable to reach the system, resulting in service outages, financial loss, and reputational damage.

Availability is a critical security objective for public-facing services such as websites, APIs, and online platforms. Defenses against DDoS attacks include traffic filtering, rate limiting, content delivery networks (CDNs), scrubbing services, and redundant architectures.

Security frameworks such as NIST and ISO/IEC explicitly associate denial-of-service attacks with availability risks, making availability the most directly affected cybersecurity principle.

Cross-Site Request Forgery (CSRF) tricks an authenticated user’s browser into sending unauthorized requests to a trusted server. Because the user is already authenticated, the server processes the request as legitimate.

XSS injects malicious scripts, while spoofing involves impersonation. CSRF exploits trust in an existing authenticated session. Defenses include CSRF tokens, same-site cookies, and proper request validation.

Data backupsare essential to disaster recovery, enabling restoration of systems and data following failures or disasters.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to ensure authenticity and integrity. It prevents attacks such as DNS spoofing and cache poisoning.

DNSSEC allows clients to verify that DNS responses have not been altered. It is the industry-standard solution recommended by security frameworks for protecting DNS infrastructure.

Type 1 authenticationrefers to “something you know,” such as a password, PIN, or passphrase. This is the most common and oldest form of authentication used in information systems.

Other authentication types include Type 2 (something you have, such as a smart card or token) and Type 3 (something you are, such as biometrics). Some models also define additional types, such as location-based or behavior-based authentication.

While easy to implement, Type 1 authentication is considered the weakest because secrets can be guessed, reused, stolen, or phished. For this reason, security best practices strongly recommend combining it with other authentication types using multi-factor authentication (MFA).

NIST and CIS guidelines consistently discourage reliance on single-factor, knowledge-based authentication for sensitive systems due to its susceptibility to compromise.

Authentication is the phase of the AAA (Authentication, Authorization, Accounting) model in which a user proves their identity. During authentication, the system verifies that the user is who they claim to be by validating credentials such as passwords, biometrics, smart cards, or cryptographic keys.

Identification occurs first, when a user claims an identity (for example, entering a username). Authentication then confirms that claim. Authorization follows authentication and determines what actions the authenticated user is permitted to perform. Accounting tracks and logs user activities for auditing and monitoring purposes.

Strong authentication is critical to system security because all subsequent access control decisions depend on its accuracy. Weak authentication mechanisms increase the risk of unauthorized access, credential theft, and impersonation attacks.

Modern security frameworks emphasize multi-factor authentication (MFA) to strengthen this phase. NIST SP 800-63 highlights authentication as a core security function essential to protecting systems, data, and services from unauthorized access.

Aturnstileis a physical access control device designed to allow only one individual to pass at a time. Turnstiles are commonly used to prevent tailgating and unauthorized entry in offices, transit stations, and secure facilities. Unlike mantraps, turnstiles typically allow one-way movement and do not lock a person inside an enclosed space.

Risk appetitedefines the level of risk an organization is willing to tolerate and guides decision-making across the enterprise.

MITRE ATTandCK maps adversary tactics, techniques, and procedures (TTPs) across the attack lifecycle.

Routers control traffic flow between different networks by making routing decisions based on IP addresses. They operate at OSI Layer 3 and determine the optimal path for data packets.

TheApplication Layer (Layer 7)of the OSI model provides services directly to the user and user-facing applications. This layer supports protocols such as HTTP, HTTPS, SMTP, FTP, and DNS, which enable web browsing, email, file transfers, and name resolution.

While users interact with applications rather than the OSI model itself, the Application Layer is responsible for enabling those interactions. The Session Layer manages session establishment, the Presentation Layer handles data formatting and encryption, and the Physical Layer transmits raw bits over physical media.

From a security perspective, many attacks target the Application Layer, including SQL injection, cross-site scripting (XSS), and authentication bypasses. As a result, application-layer security controls such as WAFs, secure coding practices, and input validation are critical.

Understanding OSI layers helps security professionals design layered defenses and properly place controls.

White-box testing involves examining an application’s internal structure, including source code, logic paths, and configurations, to identify vulnerabilities and security weaknesses. Testers have full knowledge of the system and can analyze how data flows and how controls are implemented.

This testing approach is effective for identifying issues such as insecure coding practices, logic flaws, and hard-coded credentials. Black-box testing does not involve source code access, functional testing validates behavior, and user acceptance testing focuses on business requirements.

White-box testing is commonly used in secure code reviews, static application security testing (SAST), and DevSecOps pipelines. Security standards strongly recommend white-box techniques for early vulnerability detection.

An incident response policy establishes authority, scope, and direction. Without management approval, IR activities lack legitimacy.

The loopback address allows a system to test its own network stack.127.0.0.1is the IPv4 loopback address, while::1is its IPv6 equivalent. Both route traffic internally without leaving the host.

The primary goal of arisk assessmentis to identify, estimate, and prioritize risks based on likelihood and impact. This allows organizations to make informed decisions about how to handle risk. Risk avoidance, mitigation, or transfer occurafterthe assessment phase.

When restoring operations after a disaster,most critical systemsmust be restored first. Systems enable business functions, and without them, functions cannot operate.

Disaster recovery focuses on restoring IT infrastructure in priority order based on business impact analysis (BIA). While functions are important, they depend on systems to operate. Management and least critical functions are lower priorities.

NIST and ISO/IEC business continuity standards emphasize restoring mission-critical systems first to minimize downtime and financial loss.

Defense in depth begins by identifying assets, followed by administrative controls (policies), technical controls (logical), and physical controls to protect systems at multiple layers.

A Business Impact Analysis (BIA) identifies critical systems, dependencies, and acceptable downtime. It is foundational to both BCP and DRP development.

Token Ringis a legacy networking technology defined by IEEE 802.5 and operates primarily at thePhysical Layer (Layer 1)of the OSI model, with some functions extending into the Data Link Layer.

The Physical Layer is responsible for transmitting raw bits over a physical medium, defining signaling, cabling, and transmission characteristics. Token Ring used a token-passing mechanism to control access to the physical medium, ensuring only one device transmitted at a time.

While modern Ethernet has replaced Token Ring, understanding its OSI placement remains important for foundational networking knowledge and certification exams.

Clear roles ensure fast, coordinated response, reduce confusion, and prevent duplicated or missed actions during incidents.

Disaster Recovery includes restoring systems and returning operations to normal, which may involve staff moving back to the primary site after temporary relocation.

Business Continuity encompasses the strategies, processes, and tools needed to keep critical operations running during a contingency.

Anintrusionis an unauthorized attempt to access systems or networks. Not all intrusions succeed or result in breaches, but they represent active threats.

Segregation of duties ensures no single individual can propose, approve, and implement changes alone, reducing fraud and errors.

Non-repudiation is a core security principle that ensures an individual or system cannot deny having performed a specific action. In cybersecurity, this concept is critical for accountability, auditing, and legal enforcement. Non-repudiation provides assurance that an action—such as sending an email, approving a transaction, or signing a document—can be definitively attributed to a specific user.

This principle is commonly enforced using cryptographic techniques such as digital signatures, public key infrastructure (PKI), hashing, and secure logging. For example, when a user digitally signs a document using their private key, anyone can later verify that signature using the corresponding public key. This prevents the signer from denying authorship.

Non-repudiation is particularly important in financial systems, legal documents, and regulated environments where proof of action is required. It differs from authentication, which verifies identity, and authorization, which defines permissions. Non-repudiation focuses on ensuring that actions are traceable and undeniable, supporting forensic investigations and compliance with security and legal requirements.

A URL filter is the most effective control for restricting access to specific websites. URL filtering allows administrators to block access based on domain names, URLs, or content categories such as gambling, social media, or malicious sites.

IP address blocking is less precise because many websites share IP addresses or use dynamic hosting. DLP solutions focus on data protection, not web access control. IPS systems detect and block attacks but are not designed for enforcing acceptable-use browsing policies.

URL filtering is commonly implemented in firewalls, secure web gateways, and proxy servers and is widely used to enforce organizational internet usage policies.

Network segmentation isolates systems and resources into separate security zones to limit lateral movement by attackers. By segmenting networks, organizations protect critical assets and reduce the impact of breaches.

If one segment is compromised, segmentation prevents attackers from easily accessing other systems. This approach supports defense-in-depth and zero trust architectures.

Network segmentation is implemented using VLANs, firewalls, and access controls and is a foundational security practice recommended by NIST and CIS.

Two-factor authentication (2FA) requires users to verify their identity usingtwo independent authentication factorsfrom different categories, such as something you know and something you have.

The purpose of 2FA is to strengthen authentication security and reduce the risk of unauthorized access. Even if one factor is compromised, the attacker cannot authenticate without the second factor.

2FA is a subset of multi-factor authentication and is strongly recommended by modern security standards, particularly for remote access, cloud services, and privileged accounts.

The ISC2 Code of Ethics prioritizesprotecting society and the public, including users, over employer interests.

Transport Layer Security (TLS) helps mitigateman-in-the-middle (MITM) attacksby providing encryption, authentication, and integrity protection for data transmitted between communicating systems. TLS ensures that data exchanged between a client and server cannot be intercepted, modified, or read by unauthorized third parties.

TLS uses digital certificates and public key cryptography to authenticate servers (and sometimes clients), preventing attackers from impersonating legitimate endpoints. It also encrypts session data using symmetric encryption, protecting confidentiality even if traffic is captured.

TLS does not prevent application-layer attacks such as XSS or SQL injection, which are caused by insecure application logic. It also does not address social engineering, which targets human behavior rather than network protocols.

Because MITM attacks exploit unencrypted or improperly authenticated connections, TLS is a primary defense recommended by NIST and all modern security standards for protecting data in transit.

Human life and safety always take precedence over systems, data, and business operations. Security awareness ensures employees know how to act safely during incidents such as fires, active threats, or infrastructure failures.

The Internet Engineering Task Force (IETF) develops and maintains Internet standards through RFCs.

Defense in depth uses multiple layers of controls—administrative, technical, and physical—so that failure of one layer does not compromise security.

Metal detectors are effectivepreventive physical controlsthat detect electronic devices and storage media. They are commonly used in high-security environments to enforce device restrictions.

Risk tolerance, risk appetite, and acceptable risk are closely related terms describing how much risk an organization is willing to accept.

A BIA identifies critical systems, dependencies, and acceptable downtime to establish recovery priorities.

A guard dog deters unauthorized access by increasing perceived risk. Deterrent controls discourage attacks before they occur.

A sudden flood of network packets causing degraded performance is best classified as anadverse event. An adverse event is any occurrence that negatively affects system performance, availability, or operations but may not yet meet the threshold of a confirmed security incident. According to NIST definitions, events such as traffic spikes, system slowdowns, or anomalous behavior are initially treated as adverse events until further analysis confirms malicious intent.

If investigation later confirms the flood was caused by a deliberate denial-of-service attack, the classification may escalate to asecurity incident. However, without confirmation of intent or compromise, adverse event is the most accurate term.

Anintrusionis an unauthorized attempt to access systems or resources, whether successful or not.

Port scanning targetstransport-layer ports(TCP/UDP), making Layer 4 the correct answer.