Study Guide · CC

CC Cheat Sheet

345 entries · 17 chapters · 5 domains

Security Principles

Information Assurance

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The CIA triad is confidentiality, integrity, and availability

The CIA triad names the three core goals of information assurance: confidentiality (only authorized people can see the data), integrity (the data stays accurate and unaltered), and availability (the data and systems are usable when authorized people need them). Almost every control you study protects at least one of the three, so a fast first step on any scenario is to decide which of the three is at stake.

4 questions test this
Confidentiality is about who can see the data, protected by access control and encryption

Confidentiality preserves authorized restrictions on access and disclosure, so only the right people can read the information. It is protected mainly by access control, encryption, and careful data handling. A confidentiality breach is any exposure to the wrong person, such as a leaked database, a shoulder-surfed password, or a stolen unencrypted laptop.

11 questions test this
Integrity is about data staying unaltered, and hashing is the classic check

Integrity guards information against improper or accidental modification, keeping it accurate and complete. Hashing is the classic check: a one-way function produces a short fingerprint of the data, and if even one character changes, the fingerprint changes, so a mismatch reveals tampering. An integrity breach is any unauthorized or accidental change, such as an altered bank balance or a corrupted file.

Trap Picking confidentiality when records were altered rather than viewed; a change to the data is integrity, even if the attacker needed access to make it.

11 questions test this
Availability is about timely access, protected by backups and redundancy

Availability ensures timely and reliable access to information and systems for the people authorized to use them. It is protected by backups, redundancy such as a standby server, and enough capacity to handle the load. An availability breach needs no secret exposed and no data changed: an outage, a hardware failure, or a denial-of-service flood that blocks legitimate users all count.

7 questions test this
Authentication confirms identity and always comes before authorization

Authentication verifies that a user, device, or process is who it claims to be, and it must happen before authorization because a system cannot grant the right permissions to an identity it has not first confirmed. Authentication answers "who are you?" while authorization answers "what are you allowed to do?", and the order is fixed: authenticate first, then authorize.

Trap Treating authorization as the step that proves identity; authorization only assigns permissions after authentication has already confirmed who the identity is.

1 question tests this
Authentication factors fall into three categories: know, have, are

Proof of identity comes from three categories of factors: something you know (a password or PIN), something you have (a phone, token, or smart card), and something you are (a biometric such as a fingerprint or face). The exam expects you to sort an example into the right category, because the category, not the specific item, is what determines whether a login is multi-factor.

9 questions test this
MFA requires factors from two or more different categories

Multi-factor authentication combines factors from two or more different categories, so a password plus a phone code is MFA because it mixes something you know with something you have. The point is to resist stolen passwords: a second factor from another category means one captured secret is no longer enough to get in.

Trap Counting a password plus a security question as MFA; both are something you know, so it is single-factor and one phishing attack can capture both.

4 questions test this
Non-repudiation means an actor cannot deny what they did

Non-repudiation is assurance that the person who took an action cannot later deny it, and that the receiver cannot deny receiving it. It depends on integrity plus strong proof of identity, and it is what lets an organization hold someone responsible for an action with confidence.

5 questions test this
A digital signature provides non-repudiation because only the signer holds the private key

A digital signature gives origin authenticity, integrity, and non-repudiation at once. Because only the signer holds the private key used to sign, a valid signature ties the document or action to that one person, so they cannot credibly deny it. This is the classic control to reach for when a scenario asks to prove who sent or approved something.

Trap Reaching for a shared-key message authentication code (MAC) for non-repudiation; both parties hold the same key, so either could have produced it and neither is uniquely bound.

5 questions test this
Accountability traces each action to one individual, which shared accounts defeat

Accountability is the goal of tracing every action uniquely back to the individual who performed it, and it rests on authentication plus logging. Shared accounts defeat accountability no matter how strong the password is: if several people sign in as "admin", the logs show the action but not who is responsible.

Trap Assuming a strong password on a shared account preserves accountability; shared use breaks the unique attribution that accountability and non-repudiation both require.

1 question tests this
Privacy is the right to control personal data, not the same as confidentiality

Privacy is the right of individuals to control how their personal information is collected, used, shared, and retained, and it is increasingly driven by laws and regulations. Confidentiality is the control that keeps data secret; privacy is the individual's right to decide what is done with data about them. You can hold data with perfect confidentiality and still violate privacy by using it for a purpose the person never agreed to.

Trap Treating strong confidentiality controls as satisfying privacy; secrecy of the data does not cover consent or how the personal data is used.

1 question tests this
Read the harm in the stem to pick the CIA goal

Most Information Assurance questions describe a situation and ask which goal is at stake, and the harm names the goal. Data seen by the wrong person is confidentiality, data changed is integrity, and a system that is down or unreachable is availability. Match the verb in the scenario to the goal rather than guessing from the topic.

1 question tests this
Information assurance balances the three goals rather than maximizing one

The three goals can pull against each other: locking everything down strengthens confidentiality but can hurt availability, while spreading data everywhere for availability can widen how it leaks. Security is the act of balancing confidentiality, integrity, and availability for the value of what is being protected, not maximizing any single one.

Authentication, non-repudiation, and privacy extend the triad in the CC outline

The CC Information Assurance topic covers the CIA triad plus three more goals: authentication (confirming identity), non-repudiation (preventing denial of an action), and privacy (individual control over personal data). Knowing that the outline lists these alongside the triad helps you recognize which goal an answer choice is naming.

To send a confidential message, encrypt with the recipient's public key

In asymmetric (public-key) encryption, the sender encrypts with the recipient's public key, and only the recipient's matching private key can decrypt it, which is how confidentiality is achieved. The private key is never shared, so even an intercepted message stays unreadable.

Trap Encrypting with the sender's own private key, which gives a signature for non-repudiation, not confidentiality.

4 questions test this
Symmetric encryption shares one key and is fast; asymmetric uses a key pair and is slow

Symmetric encryption uses a single shared secret key for both encryption and decryption, so it is fast and suited to bulk data at rest (for example AES). Asymmetric encryption uses a public/private key pair, which solves key distribution but is slower, so hybrid systems use it only to exchange a symmetric session key.

Trap Reaching for asymmetric encryption to protect large volumes of data, when its overhead makes symmetric the efficient choice for bulk encryption.

6 questions test this

Risk Management

Read full chapter
  • Risk needs a threat, a vulnerability, and an asset to line up
  • A vulnerability is a weakness, a threat is what acts on it, and risk is the chance of harm
  • Risk is sized by likelihood and impact together
  • Qualitative analysis ranks risk in bands; quantitative analysis puts money on it
  • The risk process loops: identify, assess, treat, monitor
  • You cannot manage a risk you have never identified
  • There are exactly four ways to treat a risk
  • Avoid a risk by stopping the activity that creates it
  • Mitigate by adding controls, the most common response
  • Transfer moves the financial impact, not the accountability
  • Accepting a risk is a deliberate, documented decision
  • Senior leadership accepts residual risk, not the analyst
  • Risk tolerance sets how much risk the organization will accept
  • Risk priorities steer scarce security resources
  • You cannot remove all risk, so manage it down to tolerance
  • Match the scenario verb to the right treatment
  • An asset's criticality comes from its impact on the mission, not its hardware
  • Value an information asset by the impact of losing its confidentiality, integrity, or availability
  • Annual Loss Expectancy is SLE times ARO
  • Continuous monitoring checks that controls stay effective over time
  • Report risk to leadership in business and financial terms

Unlock with Premium — includes all practice exams and the complete study guide.

Security Controls

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A security control is any safeguard that protects CIA

A security control is a safeguard or countermeasure put in place to reduce risk and protect the confidentiality, integrity, and availability of information and systems. A door lock, a firewall rule, a password policy, and a nightly backup are all controls despite looking nothing alike, because each lowers risk to the same asset. FIPS 200 formally groups controls as management, operational, and technical.

Classify a control by how it is enforced: technical, administrative, or physical

The three control types describe the mechanism that does the work, not how important the control is. Technical (logical) controls are enforced by hardware, software, or firmware; administrative (managerial) controls are policies, procedures, and human practices; physical controls are tangible barriers and the environment. Most real safeguards need all three working together around one asset.

Trap Ranking the types so technical counts as the real security and the others as paperwork; they are equals and usually all apply to one asset.

2 questions test this
Technical controls are enforced by the system itself

A technical (logical) control is carried out by hardware, software, or firmware rather than by a person. Encryption, firewalls, access-control lists, antivirus, and intrusion-detection systems are technical controls. If a machine does the enforcing, the answer is technical.

1 question tests this
Administrative controls direct how people behave

An administrative (managerial) control works through policy, procedure, and human practice rather than through a machine. A security policy, a pre-hire background check, separation of duties, and a security-awareness program are administrative controls. If the safeguard tells people what to do, classify it administrative.

Trap Calling a policy that requires encryption a technical control; the written rule directing people is administrative, even though the thing it mandates is technical.

5 questions test this
Physical controls protect the tangible world

A physical control acts on the physical environment: fences, locks, badge readers, mantraps, security guards, CCTV cameras, and fire-suppression systems. If you could touch it or walk into it, it is physical. Environmental safeguards like HVAC and fire suppression count here too because they protect the site and equipment.

1 question tests this
Type and function are separate, independent axes

A control's type (technical, administrative, physical) describes how it is built; its function describes what it does about a threat. The two are independent, so any type can serve any function: a fence (physical) deters, a firewall (technical) prevents, an audit-log review (administrative) detects. Exam stems often want both answers, so read the scenario once for the mechanism and once for the goal.

Trap Assuming a control's type fixes its function, so a firewall is always preventive; the same firewall can be preventive or detective depending on how it is used.

1 question tests this
Preventive controls stop an event before it happens

A preventive control blocks an unwanted event from occurring at all. A firewall that drops a connection, a door lock that bars entry, and enforced strong-password rules are preventive. Preventive is the function exam stems describe with verbs like block, bar, or stop.

10 questions test this
Detective controls notice an event during or after it

A detective control identifies an event while it happens or after the fact, but does not stop it on its own. Intrusion-detection systems, reviewed audit logs, and CCTV recordings are detective. The signal in a stem is that the control records, alerts, or reveals rather than blocks.

Trap Treating a recording CCTV camera as preventive; on its own it only detects, the deterrent or preventive effect comes from the visible presence or a guard acting on it.

9 questions test this
Corrective controls fix the damage and restore operations

A corrective control acts after an event to repair harm and return to normal. Restoring files from backup, removing malware, and applying a patch that closes the exploited hole are corrective. Recovery controls are a closely related, broader restore-to-operations idea that overlaps corrective.

6 questions test this
Deterrent controls discourage an attacker from trying

A deterrent control reduces the will to attack rather than the ability. A visible surveillance sign, a guard at the gate, and login warning banners are deterrent because they make a target look harder or riskier. Deterrence works on the attacker's decision, so a control nobody can see does not deter.

One control can fill more than one function at once

Functions are not exclusive, so a single control can do several jobs. A security guard physically deters an intruder at the gate, detects one on the cameras, and prevents entry at the door. When a stem asks for the primary function, pick the effect the scenario emphasises rather than insisting on a single label.

A compensating control substitutes for one that will not fit

A compensating control is an alternative safeguard used in lieu of a recommended control that cannot be implemented as written, and it must give equivalent or comparable protection. It is triggered by a real constraint, such as a legacy system that cannot run encryption or accept multi-factor authentication, not by convenience. Wrap the gap in other safeguards, for example isolating the legacy system on its own monitored network segment.

Trap Picking a compensating control to save effort or money on a control that could be implemented; it is justified only when the recommended control genuinely cannot be deployed.

9 questions test this
Document why the recommended control could not be used

Every compensating control should be recorded together with the reason the original control could not be implemented and how the substitute reaches comparable protection. The documentation makes the risk decision traceable later and is part of what distinguishes a legitimate compensating control from a quietly skipped one.

1 question tests this
Defense in depth layers independent controls so one failure is not fatal

Defense in depth (layered security) stacks multiple controls across different layers so an attacker who defeats one still faces the others. NIST frames it as integrating people, technology, and operations to set up barriers across multiple layers, which is why mixing control types around one asset strengthens the stack. A badge reader, network segmentation, and a least-privilege policy each guard the same database by a different route.

23 questions test this
Layers only count if they fail independently

Real depth requires controls that fail for different reasons; two controls sharing a single point of failure fail together and count as one layer, not two. A firewall and a VPN that both authenticate against the same identity store are a single layer, because cracking that one store gets past both. A physical lock is not bypassed by a stolen password, which is why mixing types creates genuine independence.

Trap Counting many controls that share one credential store or one chokepoint as deep defense; the shared dependency means a single failure removes them all at once.

4 questions test this
More controls is not the same as more layers

Adding safeguards that all depend on one thing does not deepen defense, because they collapse together. Defense in depth is measured in independent layers, not in the raw number of controls. When a stem lists several controls that hinge on one admin account or one gateway, the correct read is that it is not effective defense in depth.

Security awareness training exists to change human behavior against attacks

Awareness training reduces risk by teaching employees to recognize and respond to threats like phishing and social engineering, addressing the human element that attackers find easier to exploit than technology. Best practice runs it at hire and at least annually, with role-based training for higher-risk jobs.

Trap Treating training as a one-time onboarding checkbox rather than an ongoing program with annual refreshers.

13 questions test this
Phishing simulations measure and reinforce awareness by tracking click rates over time

Simulated phishing exercises give employees safe practice and let the organization measure behavior change through the click rate (phish-prone percentage). A falling click rate, and just-in-time training for those who fail, indicate the program is working.

Trap Using training-completion counts as the success metric instead of the simulated-phishing click rate that reflects actual behavior.

8 questions test this
An IDS only alerts; an IPS can actively block the threat

Per NIST SP 800-94, the defining difference is that an IPS can respond to a detected threat by attempting to prevent it from succeeding, while an IDS passively monitors and alerts. A host-based system (HIDS) watches one host's logs and events; an IPS is often deployed in detection-only mode first to tune out false positives before it blocks live traffic.

Trap Assuming a false negative (a missed real attack) is the harmless error, when it is the dangerous one because no alert is raised.

5 questions test this
A mantrap admits one authenticated person at a time to stop tailgating

A mantrap is two interlocking doors where the first must close before the second opens, so only one authenticated person passes and tailgating is prevented. Visitor sign-in, escort badges, and escorts distinguish authorized staff from visitors, and a lost access badge should be disabled immediately.

Trap Treating a badge reader on a single door as tailgating protection, when nothing stops a second person from following through.

3 questions test this

ISC2 Code of Ethics

Read full chapter
  • The ISC2 Code has exactly four Canons in a fixed order
  • Lower-numbered Canons take precedence in a conflict
  • Protect-society is Canon 1 and the usual default answer
  • A principal is your employer or client
  • Canon 2 makes acting legally part of acting ethically
  • The Code can demand more than the law requires
  • Strict adherence to the Code is a condition of certification
  • Complaint standing follows the Canon order
  • An ethics complaint must be a sworn affidavit
  • Canons are high-level on purpose, not a detailed rulebook
  • Concealing a public danger for an employer violates Canon 1
  • Canon 4 standing belongs to fellow professionals
  • You must report an observed Code breach by another member, or your inaction is itself a breach
  • Get written authorization defining scope before any penetration test
  • Canon III requires competent service, so build or defer expertise rather than wing it
  • Report an out-of-scope finding to the client without exploiting it

Unlock with Premium — includes all practice exams and the complete study guide.

Governance

Read full chapter
  • Governance is leadership setting direction in writing
  • Policies, standards, and procedures are mandatory; only guidelines are discretionary
  • A policy is high-level intent, broad and rarely changing
  • A standard names the exact required setting
  • A procedure is the ordered step-by-step how-to
  • A guideline is recommended practice, not a requirement
  • Identify the document type by how general or specific it is
  • The hierarchy runs policy then standard then procedure, with guidelines advising
  • Regulations and laws are external and mandatory, written by governments
  • HIPAA and GDPR are laws a CC candidate should recognize by name
  • PCI DSS is a contractual industry standard, not a government law
  • Accountability cannot be delegated, only the work can
  • Governance is about documents, not about choosing individual controls
  • Classify a mixed document or system at the highest sensitivity level present
  • The data owner sets classification and access; the custodian implements the controls
  • Higher classification levels demand stronger controls, so classify to prioritize protection
  • GDPR gives data subjects rights like erasure and requires 72-hour breach notice
  • Review security policies at least annually and when significant changes occur

Unlock with Premium — includes all practice exams and the complete study guide.

BC, DR & Incident Response

Business Continuity

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Business continuity keeps critical functions operating during a disruption

A business continuity plan (BCP) is the plan for sustaining the organization's mission and critical business processes during and after a disruption, so the business keeps serving customers even while its normal setup is broken. Its goal is to keep operating, not to fix the broken systems. Per NIST SP 800-34 Rev. 1 the BCP focuses on the business processes, while the technical restoration of the systems those processes depend on is handled separately by disaster recovery.

3 questions test this
BC keeps the business running; DR restores the IT systems

The most tested point on this topic is the difference between business continuity and disaster recovery (DR). BC is about keeping the business operating (people, processes, customer service) during and after a disruption; DR is the information-system-focused work to restore the technology, servers, applications, and facilities, often at an alternate site. NIST SP 800-34 Rev. 1 frames the DR plan as supporting the BCP, since it recovers the systems the business processes rely on. The tie-breaker on an exam: focus on the business process means BC, focus on the technology means DR.

Trap Choosing disaster recovery when the scenario is about keeping the business running during the outage; both involve an outage, but DR is the technical restore of systems, not keeping the mission going.

The BIA comes before the continuity plan

The business impact analysis (BIA) is done first, because it tells the plan what to protect and how fast. The BIA identifies the critical business processes, estimates the impact of each one being disrupted, and ranks them; the BCP is then written from those results. Asking what you do first, or what the continuity plan is based on, points to the BIA.

Trap Writing or selecting the continuity plan before the BIA; you cannot prioritize recovery without first knowing which processes are critical and how much downtime each can tolerate.

3 questions test this
The BIA runs three ordered steps

NIST SP 800-34 Rev. 1 structures the BIA as three ordered steps: first determine the mission and business processes and how critical each is, then identify the resources each process needs to resume along with its dependencies, and finally identify recovery priorities. The output of these steps, especially each process's recovery target, is what the continuity plan is built around.

Maximum tolerable downtime is the longest a process can be down before unacceptable harm

Maximum tolerable downtime (MTD) is the total amount of time a critical process can be unavailable before the damage becomes unacceptable, per NIST SP 800-34 Rev. 1. It is the recovery target the BIA produces for each critical process, and it drives how much to invest in recovery: a short MTD justifies fast, costly recovery while a long MTD can rely on simpler, cheaper measures.

2 questions test this
MTD is a business tolerance set by leadership, not by IT

MTD is set by the business, the leadership or process owner, and recorded in the BIA, because only the business can say how much outage it can survive. IT then designs recovery to meet that target. Watch for stems where the wrong answer has a technical or IT role choosing the MTD; the business sets the tolerance and hands it to IT to satisfy.

Trap Treating MTD as a number IT or the technical team picks; it is a business-set tolerance recorded in the BIA, separate from the technical recovery timeline built to meet it.

MTD ranking decides which processes recover first

Because the BIA ranks processes and sets each one's MTD, the continuity effort recovers the most time-critical work first instead of treating everything as equally urgent. A process whose MTD is minutes, like card payments, justifies a standby capability, while one whose MTD is days, like refreshing a public catalog, can wait. This ranking is what turns limited recovery resources toward the work that cannot wait.

1 question tests this
A continuity plan needs people and named roles, not just technology

A usable BCP assigns the people and roles who keep each critical function running, names who can declare an emergency, and identifies their backups. A plan that lists technology but no clear owners fails the moment a decision has to be made under pressure. The plan ties each critical process to who is responsible for keeping it going.

Trap Assuming a continuity plan is mainly a technology document; without named owners and decision authority it stalls in the real disruption it was written for.

1 question tests this
The communication plan keeps one consistent message in a crisis

A BCP includes a communication plan so staff, customers, and partners get consistent information during a disruption. NIST SP 800-34 Rev. 1 crisis-communications guidance is to document internal and external communication procedures and typically designate specific individuals as the only authority for speaking to the public, so the organization speaks with one voice. The plan also covers how people will be reached when normal channels like office email and desk phones are down.

Trap Letting any employee answer public or media questions during a crisis; the plan designates a single authorized spokesperson so the organization speaks with one voice and avoids conflicting messages.

Continuity dependencies on outside vendors are bound by SLAs

A critical process often depends on a vendor or partner, and the BIA must surface those external dependencies. NIST SP 800-34 Rev. 1 notes that external continuity dependencies are governed by service level agreements (SLAs) stating how quickly the provider must respond, aligned to the dependent process's recovery needs. Miss a dependency in the BIA and the plan can look complete yet stall because a supplier never committed to a recovery time.

A continuity plan is exercised and kept current, not filed away

A BCP that sits unread is a liability: contact lists go stale and staff forget their roles. Plans are tested and updated so people know what to do and information is current before a real disruption rather than during one. Testing is part of having a continuity capability, not an optional extra.

1 question tests this
Incident response handles a security event; business continuity handles a broad disruption

Incident response (IR) is the plan for detecting, containing, and recovering from a security attack or breach, and it is triggered by a security event. Business continuity is broader, covering any major operational disruption and keeping critical functions running. When the stem describes an attack or breach the answer is IR; when it describes keeping operations going through an outage it is BC.

Trap Reaching for business continuity when the trigger is specifically a confirmed or suspected attack or breach; that security event is what incident response is for.

Disaster Recovery

Read full chapter
  • Disaster recovery restores the IT systems and data after a disaster
  • DR restores the technology; business continuity keeps the mission running
  • RPO is the maximum data loss you can accept, measured as time
  • RTO is the maximum downtime you can accept before restoring
  • RPO is about data lost; RTO is about time down
  • A tighter RPO or RTO costs more
  • Reliable, tested, offsite backups are the foundation of recovery
  • RAID and replication are redundancy, not backup
  • A recovery site is the alternate location you fail over to
  • A cold site is empty space, cheapest and slowest
  • A warm site is partly equipped, a middle ground
  • A hot site is a running duplicate, fastest and priciest
  • Cost and recovery speed rise together from cold to warm to hot
  • Restore the most critical systems first, following the BIA
  • An untested DR plan is unproven
  • The 3-2-1 backup rule keeps 3 copies on 2 media types with 1 copy offsite
  • Incremental and differential backups trade backup speed for restore complexity
  • Redundancy eliminates single points of failure to protect availability
  • Failover automatically switches operations to a standby system when the primary fails
  • A tabletop exercise validates a plan through discussion, without touching production

Unlock with Premium — includes all practice exams and the complete study guide.

Incident Response

Read full chapter
  • An event is any observable occurrence, and most events are harmless
  • An alert is a notification to investigate, not a confirmed incident
  • An incident harms or threatens CIA, or violates security policy
  • A breach is confirmed exposure of protected data, and every breach is an incident
  • Know the four NIST incident response phases in order
  • Preparation comes first and never really stops
  • Detection and Analysis decides whether an event is really an incident
  • A precursor warns of a future incident; an indicator shows one now or already past
  • Prioritize incidents by impact, not first-come first-served
  • Contain, then eradicate, then recover, in that order
  • Containment buys time and stops the spread first
  • Eradication removes the root cause, not just the symptom
  • Preserve evidence before containment or recovery destroys it
  • Hold the lessons-learned review soon after the incident closes
  • The CSIRT is a cross-functional team, not just IT security
  • The incident response plan says how; the policy says it will happen
  • Test the incident response plan before a real incident
  • Incident response handles the attack; disaster recovery restores the business
  • Chain of custody documents who handled evidence so it stays admissible
  • A SIEM correlates aggregated log data to detect threats spanning many systems
  • Recover from ransomware by restoring verified clean backups, not by decrypting
  • An incident response plan must cover communication with internal and external stakeholders
  • Incident responders need standing authority and management backing to act fast

Unlock with Premium — includes all practice exams and the complete study guide.

Access Controls

Physical Access Controls

Read full chapter
  • Physical access controls protect the facility, hardware, and people that every other control assumes are safe
  • Layer physical controls along the deter, deny, detect, delay, respond chain
  • A control's function tells you which link in the chain it fills, so match the verb in the question
  • A door enforces the credential, not the headcount, so no reader stops tailgating
  • Tailgating is without the insider's knowledge; piggybacking is with their consent
  • An access-control vestibule (mantrap) admits one person at a time to stop tailgating
  • A full-height turnstile prevents tailgating; an optical turnstile only detects it
  • Visitor escort, sign-in logs, and awareness training back up the anti-tailgating hardware
  • PE-3 names the physical access devices: keys, locks, combinations, biometric readers, card readers
  • Re-key or revoke when a key is lost or an employee leaves
  • A proximity card broadcasts a static ID and is easily cloned; a smart card authenticates cryptographically
  • A biometric identifies the person directly but cannot be reissued, so pair it with a second factor
  • Cards and biometrics log the individual; a shared physical key logs nothing
  • CCTV is a detective control: it records and observes but does not stop an intruder
  • PE-6 monitors physical access with guards, video surveillance, and sensor devices
  • CPTED reduces crime through natural surveillance, access control, and territorial reinforcement
  • Put sensitive equipment in the interior core, arranged as concentric zones (defensible space)
  • A visitor log's purpose is an audit trail of who was in the facility and when
  • Security guards add human judgment that automated access controls cannot replicate
  • Integrating CCTV with alarm systems lets operators visually verify what tripped an alarm
  • CCTV footage retention is set by organizational policy and legal or compliance requirements
  • Store sensitive media and equipment in a locked cabinet or rack with restricted keys and access logging
  • Fail-secure doors stay locked on power loss but must still allow emergency egress
  • Bollards block vehicle attacks, and active barriers move while passive ones stay fixed
  • An electronic access control system both authenticates the person and authorizes the entry

Unlock with Premium — includes all practice exams and the complete study guide.

Logical Access Controls

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A logical access control is a technical safeguard that gates a subject's use of an object

Logical access controls are enforced by software or firmware, and they decide whether a subject (a user, process, or device) may use an object (a file, database, application, or system). They are the technical, or logical, type of control, separate from physical controls like locks and from administrative controls like policies. Every access decision answers two questions: how much access to grant, set by the principles least privilege and need-to-know, and who writes the rule, set by the model DAC, MAC, or RBAC.

Least privilege grants only the access a task needs, shrinking the blast radius

Least privilege restricts every user, process, or device to the minimum permissions its assigned job requires, and nothing more. The benefit is containment: if the account is phished or misused, the attacker inherits only the few permissions it actually held rather than the keys to everything. A help-desk technician who resets passwords should not also reach the payroll file, because reading payroll is not part of that job.

Trap Granting broad access for convenience and planning to trim it later; the standing extra permissions are exactly what an attacker inherits if the account is compromised.

18 questions test this
Need-to-know is least privilege applied to information, separate from clearance

Clearance or job title sets eligibility to see a whole category of data; need-to-know is the narrower decision that a person actually requires these specific records to do their work. The two are independent, so a user cleared for Secret material still cannot pull an unrelated Secret file because the need-to-know is missing. Need-to-know limits which data within an eligibility level a person may touch.

Trap Treating a high clearance as automatic permission to read every file at that level; clearance is eligibility, but need-to-know must also exist for the specific object.

Separation of duties splits a sensitive process so no one person can finish it alone

Separation of duties (also called segregation of duties) divides a critical process across two or more people, so no single individual holds enough privilege to misuse the system by themselves. The classic case is payments: whoever requests a payment must not also approve it, since one person controlling both steps could pay themselves. It is a preventive administrative control aimed at fraud by a lone insider.

Trap Calling it least privilege when the real fix is splitting one over-powered process across two people; least privilege trims one account's access, separation of duties divides the steps.

6 questions test this
Dual control requires two authorized people to act together for one action

Dual control is the strictest form of separation of duties: a single action cannot complete unless two authorized people act together, such as two officers each turning a key. Where ordinary separation of duties splits a multi-step process across people, dual control binds two people to the very same step. Both reduce single-insider abuse but do not stop two people colluding, which is why sensitive duties are also rotated.

Three access-control models differ on one axis: who decides access

DAC, MAC, and RBAC are the three access-control models, and the clean way to tell them apart is a single question each answers differently: who decides access. DAC puts the decision with the object's owner, MAC puts it with the system, and RBAC puts it with a role an administrator defines. Read any scenario by asking who holds the decision and the model names itself.

4 questions test this
DAC lets the object's owner decide and re-share access

Under discretionary access control (DAC), access is left to the discretion of the object's owner, who can grant permissions to other subjects and even let them pass those permissions along. Sharing a file on a laptop or shared drive is the everyday example, and DAC is the default in most commercial operating systems. Its flexibility is also its weakness, because owners re-share at will and permissions drift in ways no central administrator planned.

Trap Believing DAC permissions are centrally controlled; owners can grant and pass on access themselves, which is why DAC is the least centrally controlled model.

6 questions test this
MAC is enforced by the system from labels and clearances, and users cannot override it

Mandatory access control (MAC) is a policy uniformly enforced across all subjects and objects by the system itself. Each object carries a sensitivity label and each subject holds a formal clearance, and the system grants access only when the clearance is high enough for the label and a need-to-know exists. The defining trait is that an ordinary user cannot change a label or grant access to anyone else, because the decision belongs to the system, not the owner.

Trap Assuming an owner can grant an exception or relabel data under MAC; only the system decides, so users have no discretion to override the policy.

RBAC grants access by job role, not by individual identity

Role-based access control (RBAC) attaches permissions to roles such as Nurse, Cashier, or Database Administrator, and a user receives those permissions by being assigned to the role. When someone changes jobs you move them to a new role instead of editing dozens of individual grants, so RBAC scales cleanly and maps naturally onto least privilege. An administrator, not the end user, defines the roles.

Trap Saying RBAC lets each user set their own permissions; that is DAC owner-discretion, while RBAC access comes only through administrator-defined role membership.

16 questions test this
Choose the model by trading flexibility against control

DAC is the most flexible but hardest to control centrally, MAC is the most rigid and uniformly enforced, and RBAC sits in the middle as the scalable, administrator-controlled choice. Pick MAC when access must be tightly and uniformly controlled for classified or highly sensitive data, RBAC when many users map cleanly onto well-defined jobs, and DAC when owners should conveniently share their own resources.

Trap Calling MAC the most flexible model; MAC is the most rigid by design, while DAC is the most flexible because owners control sharing.

MAC fits classified and government systems; RBAC fits ordinary businesses

MAC is used in military, government, and intelligence systems where confidentiality must be guaranteed and individual discretion is too risky to allow. RBAC is the common choice for hospitals, banks, and large enterprises because access maps onto job functions and scales without per-user editing. DAC suits personal computers, shared drives, and most commercial operating systems where convenience matters more than tight central control.

A model alone does not enforce the principles; apply least privilege and separation of duties on top

Choosing DAC, MAC, or RBAC decides who writes the access rule, but it does not by itself guarantee that the rule grants only what each task needs or that sensitive processes are split. Least privilege and separation of duties are principles applied on top of whichever model is in force. A system can run RBAC and still over-grant if its roles bundle more access than the job requires.

An ACL lists which identities may access a resource and what they may do, one access control entry per identity

An access control list (ACL) is a mechanism attached to a resource that enumerates the identities permitted or denied access along with their specific rights (read, write, execute). Each individual line is an access control entry (ACE), which names one trustee (user or group) and the operations allowed, denied, or audited for it.

Trap Treating the ACL as the single entry rather than the whole list; the ACE is the per-identity line inside the ACL.

13 questions test this
In Windows a DACL decides who gets access; a SACL decides whose access attempts get logged

A Windows security descriptor holds two ACL types: the Discretionary Access Control List (DACL) lists the trustees allowed or denied access, while the System Access Control List (SACL) tells the system which access attempts to record in the security event log. Configure the SACL when the goal is auditing access rather than granting it.

Trap Reaching for a DACL to capture an audit trail of access attempts; auditing is the SACL's job.

8 questions test this
An empty DACL denies everyone; a missing (NULL) DACL grants everyone full access

An empty DACL contains no entries, so no access is granted and the system denies all requests. A NULL DACL (no DACL assigned at all) is the opposite and dangerous default: the object has no protection, so everyone gets full access. The same logic applies to ACLs generally: if no entry grants the request, access is denied.

Trap Assuming an empty DACL and a NULL DACL behave the same; the empty one locks everyone out, the missing one lets everyone in.

7 questions test this
Anything not explicitly allowed is denied by default (implicit deny)

Implicit deny, also called default deny, means a request that matches no rule granting it is automatically blocked. It is the safe default for ACLs, firewall rules, and file permissions: access is granted only when a rule explicitly permits it, so a missing entry results in denial.

Trap Expecting traffic or a subject to pass because no rule explicitly blocks it; with implicit deny the absence of an allow rule is itself the block.

9 questions test this
MFA requires factors from two different categories: something you know, have, or are

Multi-factor authentication combines factors from at least two of the three categories: something you know (password, PIN), something you have (token, badge, phone), and something you are (biometric). The point is that compromising one category does not give an attacker the others, so the factors must be of different kinds.

Trap Counting a password plus a PIN (or password plus a security question) as MFA; both are "something you know," so it is still one factor category.

19 questions test this
Modern NIST guidance favors long passwords over forced complexity and drops scheduled expiration

NIST SP 800-63B treats length as the primary driver of password strength and advises against mandatory composition rules, because complexity requirements push users toward predictable patterns. It also recommends against fixed periodic password changes, requiring a change only when there is evidence of compromise.

Trap Mandating character-mix rules and a routine 90-day reset; current guidance calls for length instead and changes only on evidence of compromise.

6 questions test this
Store passwords salted and hashed so a stolen database resists offline cracking

Passwords should be stored using a one-way hash with a unique random salt per password, never in plaintext or reversible form. The salt makes identical passwords hash differently and defeats precomputed rainbow tables, while a deliberately slow hashing scheme makes brute-force guessing of a stolen hash database expensive.

Trap Relying on hashing alone without a per-password salt; without salt, identical passwords share a hash and rainbow tables still work.

5 questions test this
End sessions with an idle timeout, an absolute timeout, and an easy logout

An idle (inactivity) timeout ends a session after a period of no activity, limiting the risk of an unattended workstation being hijacked, while an absolute (overall) timeout caps total session length regardless of activity. Applications should also give users a readily accessible logout to terminate a session on demand.

Trap Confusing the idle timeout with the absolute timeout; the idle one triggers on inactivity, the absolute one fires after a fixed duration even on an active session.

8 questions test this
Enforce authentication and session timeouts server-side where the client cannot tamper with them

Session timeout, expiration, and authentication enforcement must live on the server, not the client. If timing or authorization is tracked in client-controlled data such as cookies, an attacker can manipulate it to extend a session indefinitely, so security controls belong where the user cannot reach them.

Trap Trusting client-side cookie values to enforce session timeout; an attacker edits them, so the server must track inactivity itself.

6 questions test this
Review access periodically and on every role change to stop privilege creep

Privilege creep is the gradual accumulation of access rights beyond what a user's current job needs, typically when someone changes roles but keeps old permissions. Counter it with periodic (regular) access reviews plus event-driven reviews triggered by transfers, removing rights that are no longer required to keep least privilege intact.

Trap Granting new access on a role change without removing the old; keeping both is exactly how privilege creep accumulates.

9 questions test this
Disable a leaver's access immediately so no orphan accounts remain

When an employee is terminated, the first and most critical step is to immediately disable or revoke all of their access, ideally driven by an HR-initiated lifecycle event. Accounts left active after someone departs become orphan accounts that former staff, contractors, or attackers can still use to reach internal systems and data.

Trap Deleting the leaver's data or escalating to legal before cutting access; revoking the credentials comes first to close the window for unauthorized entry.

10 questions test this
RBAC grants access by role so administration scales, and senior roles can inherit junior permissions

Role-Based Access Control assigns permissions to roles and users to roles, so admins manage stable roles instead of editing each user individually, which is its main advantage at scale. A role hierarchy lets senior roles automatically inherit the permissions of junior roles, further reducing duplication.

Trap Assigning permissions directly to each individual user; that does not scale and is the very overhead RBAC's role layer removes.

3 questions test this

Network Security

Computer Networking

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Know the OSI seven layers in order, both directions

The OSI (Open Systems Interconnection) model has seven layers, from the bottom up: 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application. A common mnemonic for layer 7 down to 1 is "All People Seem To Need Data Processing". Exam questions ask you to place a function or device at the right layer, so the order and each layer's job are the core facts to memorize.

OSI maps onto TCP/IP's four layers by a fixed rule

TCP/IP is the four-layer model the internet actually runs on, and it maps onto OSI predictably: Link = OSI layers 1 to 2, Internet = OSI layer 3, Transport = OSI layer 4, and Application = OSI layers 5 to 7. The two models do not disagree; TCP/IP just groups OSI's top three layers into one Application layer and its bottom two into one Link layer. Questions often give an OSI layer and ask for the matching TCP/IP layer, or the reverse.

Trap Assuming TCP/IP has a separate Session or Presentation layer; those OSI layers (5 and 6) are folded into the single TCP/IP Application layer.

IP and routing live at OSI Layer 3 (Network)

The Network layer (OSI layer 3) handles logical addressing and routing between networks, which is where IP operates and where routers do their work. When a stem asks at which layer a router operates or where IP addressing happens, the answer is layer 3. IPsec, which protects IP packets, also operates at this layer.

Trap Placing a router at OSI layer 2; switches and MAC addressing are layer 2, while routing and IP are layer 3.

11 questions test this
Switches and MAC addresses operate at Layer 2 (Data Link)

The Data Link layer (OSI layer 2) moves frames across a single local link and uses hardware MAC (Media Access Control) addresses to identify devices on that link. Ethernet switches and VLANs operate here. A MAC address is the physical hardware address burned into a network interface, distinct from the logical IP address assigned at layer 3.

Trap Confusing a MAC address (layer 2 hardware address) with an IP address (layer 3 logical address); the two identify a device at different layers.

6 questions test this
TCP and UDP carry data at Layer 4 (Transport) using ports

The Transport layer (OSI layer 4) delivers data end to end between hosts and uses port numbers to direct it to the right service. TCP and UDP are the layer 4 protocols. When a question is about ports, end-to-end delivery, or TCP versus UDP, the layer is 4.

An IP address identifies the host; a port identifies the service

Keep the two roles separate: an IP address says which machine, and a port number says which application or service on that machine. This is why one server with a single IP can run web, email, and remote-login services at the same time, each listening on its own port. A question asking how one server offers many services at once is about ports, not addresses.

Trap Answering a one-server-many-services question with multiple IP addresses; the services are separated by port number, not by address.

IPv4 addresses are 32 bits long

An IPv4 address is 32 bits, written as four decimal numbers from 0 to 255 separated by dots, such as 203.0.113.5. Thirty-two bits gives about 4.3 billion possible addresses, a supply the world has effectively exhausted. The 32-bit figure is the single most testable IPv4 fact.

Trap Stating IPv4 is 128 bits; 128 bits is IPv6. IPv4 is 32 bits.

10 questions test this
IPv6 addresses are 128 bits long and solve IPv4 exhaustion

IPv6 was created because IPv4's address space ran out, and its addresses are 128 bits long, written as eight groups of hexadecimal separated by colons, such as 2001:db8::1. One hundred twenty-eight bits gives roughly 3.4 x 10^38 addresses, so exhaustion is no longer a practical concern. Remember 128 bits for IPv6 versus 32 bits for IPv4; questions like to swap the two numbers.

Trap Stating IPv6 is 64 bits or 32 bits; an IPv6 address is 128 bits.

10 questions test this
Ports 0 to 1023 are the well-known (system) ports

A port number is 16 bits, so the full range is 0 to 65535, and the lowest block, ports 0 to 1023, are the well-known or system ports reserved by IANA for standard internet services. The well-known set is where the named protocols a candidate must recognize, like HTTP and HTTPS, live. Higher ports are registered or dynamic and are not the focus of CC recall.

4 questions test this
HTTP is port 80; HTTPS is port 443

Web traffic uses HTTP on port 80 in cleartext and HTTPS on port 443 encrypted with TLS. The pair is a favorite exam contrast: the secure version runs on a different well-known port from the cleartext version. If a question asks which port carries encrypted web traffic, the answer is 443.

Trap Answering 80 for encrypted web traffic; port 80 is cleartext HTTP, while HTTPS (TLS-encrypted) is port 443.

8 questions test this
SSH is port 22; it replaces cleartext Telnet on port 23

SSH (Secure Shell) provides encrypted remote command-line access and file transfer on port 22, and it is the secure replacement for Telnet, which runs in cleartext on port 23. Telnet sends credentials and commands unencrypted, so it should not be used over untrusted networks. When a stem contrasts secure and insecure remote login, the ports 22 and 23 are the tell.

Trap Choosing Telnet (port 23) for secure remote administration; Telnet is cleartext, and SSH on port 22 is the encrypted choice.

13 questions test this
FTP uses ports 20 and 21

FTP (File Transfer Protocol) transfers files using two ports: port 21 carries the control connection (commands) and port 20 carries the data. Plain FTP is unencrypted, so secure alternatives like SFTP (over SSH, port 22) or FTPS are preferred for sensitive transfers. The two-port pattern, 20 for data and 21 for control, is a recall point.

1 question tests this
SMTP is port 25 and DNS is port 53

SMTP (Simple Mail Transfer Protocol) sends email between mail servers on port 25, and DNS (Domain Name System) resolves names like example.com into IP addresses on port 53. Both are well-known ports a candidate is expected to recognize by number. DNS is the service that lets people use names instead of memorizing numeric addresses.

3 questions test this
RDP is port 3389

RDP (Remote Desktop Protocol) gives remote graphical access to Windows systems on port 3389. Because RDP exposed to the internet is a frequent attack target, it should be restricted to a VPN or trusted network rather than opened publicly. The number 3389 is the one to recall for remote desktop.

1 question tests this
The secure protocol usually runs on a different port from the cleartext one

When a question pairs an insecure protocol with its secure counterpart, the port number is often the distinguishing clue: HTTP 80 versus HTTPS 443, and Telnet 23 versus SSH 22. Recognizing the pair lets you pick the encrypted option by its port. The secure choice is the encrypted protocol, and it listens on its own well-known port.

5 questions test this
Private IP ranges are not routed on the public internet

Public IP addresses are globally unique and routable on the open internet, while private IPv4 ranges (such as 10.x.x.x and 192.168.x.x) are reused inside many separate internal networks and are not routed across the internet. Reusing private ranges behind translation is part of how IPv4 stretched its limited supply. A host with only a private address cannot be reached directly from the internet.

5 questions test this
WiFi is the IEEE 802.11 wireless LAN family, and it is broadcast

WiFi refers to the IEEE 802.11 family of wireless LAN standards, which carry data over radio. Because the signal travels through the air, anyone within range can capture it, so encryption on the wireless link is essential rather than optional. This broadcast nature is the reason wireless security gets special attention.

Secure WiFi with WPA3 or WPA2, never WEP

The WiFi encryption standards arrived in order, and only the newest are safe: WPA3 (WiFi Protected Access 3) is the current and strongest standard, WPA2 is still acceptable, and WEP (Wired Equivalent Privacy) is thoroughly broken and must never be selected. For CC, choose WPA3 if available, otherwise WPA2, and reject WEP outright. A stem asking how to secure a new wireless network is testing this choice.

Trap Selecting WEP because it is listed as an encryption option; WEP is broken and offers no real protection, so WPA3 or WPA2 is the correct choice.

1 question tests this
Treat an open WiFi network as untrusted

An open wireless network with no encryption, such as a public coffee-shop hotspot, gives no link protection, so any traffic on it can be intercepted. Treat it as untrusted and protect sensitive traffic with its own layer on top, such as a VPN tunnel or HTTPS. The wireless link being open does not encrypt your data; only an added layer does.

Trap Assuming an open hotspot is safe as long as the site uses HTTPS for everything; the open link still exposes any unencrypted traffic, so a VPN or per-session encryption is needed.

TLS encryption sits around OSI layers 5 to 6, not the Transport layer

Despite the name Transport Layer Security, TLS encrypts an application session and conceptually sits around OSI layers 5 to 6 (it secures the data the application sends). The OSI Transport layer (4) is about end-to-end delivery with TCP and UDP and ports, not encryption. Do not equate the OSI Transport layer with transport-layer security; they are different ideas.

Trap Treating the OSI Transport layer (4) as the encryption layer because of the name TLS; layer 4 handles delivery and ports, while TLS protects the application session.

Categorize a networking question by where, who, what service, or how protected

A reliable habit on any networking item is to first decide whether the stem asks about where a function sits (a layer), who a host is (an IP address), what service is involved (a port), or how traffic is protected (encryption like WPA3 or TLS). Naming the category first keeps you from answering a port question with a layer fact, which is exactly the mismatch that distractors exploit.

A LAN is small, fast, and locally owned; a WAN connects LANs across distance more slowly

A Local Area Network covers a confined area such as a building or campus, is usually owned and managed by one organization, and offers the highest data-transfer speeds. A Wide Area Network spans cities or countries and interconnects multiple LANs over long distances, so it serves more users with greater geographic reach but typically lower speed and higher latency; LANs are the building blocks a WAN ties together, and the internet is the largest WAN.

Trap Expecting a WAN to be faster than a LAN; its long-distance links raise propagation delay and lower throughput.

11 questions test this
A hub blindly broadcasts to all ports; a switch forwards by MAC to one port

A hub is a Layer 1 device that repeats incoming data out every other port, so all stations share one collision domain and can see each other's traffic. A switch is a Layer 2 device that reads the destination MAC address and uses its MAC address table to forward a frame only to the correct port, giving each port its own collision domain. A router is the Layer 3 device that connects networks with different IP ranges and contains broadcast traffic.

Trap Treating a hub as a secure equivalent of a switch, when its broadcast-to-all behavior lets any attached host sniff the segment.

6 questions test this
DNS uses UDP 53 for normal queries and TCP 53 for large responses and zone transfers

DNS runs on port 53 over both transports: standard name-resolution queries use UDP 53 because it is fast and low-overhead, while TCP 53 handles responses larger than 512 bytes and zone transfers between servers, where reliable delivery matters.

Trap Opening only UDP 53 on a firewall and breaking zone transfers and oversized responses that need TCP 53.

5 questions test this
WPA3 replaces WPA2's PSK handshake with SAE to defeat offline dictionary attacks

WPA3-Personal uses Simultaneous Authentication of Equals (SAE), the dragonfly handshake, in place of WPA2's pre-shared-key four-way handshake. SAE requires live interaction with the network for each password guess, so an attacker who captures the handshake cannot run an offline dictionary attack against it even when the password is weak.

Trap Believing WPA3 is just a stronger password; its protection comes from the SAE handshake, not from key length.

5 questions test this
WPA3 forward secrecy keeps past captured traffic safe even if the password leaks later

Through SAE, WPA3 derives a unique session key for each connection, providing forward secrecy. If an attacker has been recording encrypted traffic and later obtains the network password, they still cannot decrypt the previously captured sessions because each used a separate key not derived from the password alone.

Trap Assuming a later password compromise exposes old WPA3 sessions, as it would under WPA2-PSK.

6 questions test this
WPA3 mandates Protected Management Frames to stop forged deauth attacks

WPA3 requires Protected Management Frames (PMF), which authenticate and protect the integrity of wireless management frames. This blocks eavesdropping, replay, and forgery of management frames, including the spoofed deauthentication/disassociation frames an attacker uses to knock clients off the network.

4 questions test this
WPA2/WPA3-Enterprise uses 802.1X with a RADIUS server to authenticate each user individually

Enterprise wireless mode runs the 802.1X framework against a central RADIUS authentication server so every user logs in with unique credentials rather than a shared password, giving centralized authentication, individual accountability, and dynamic keys. In 802.1X the wireless access point acts as the authenticator, relaying credentials between the client (supplicant) and the RADIUS server.

Trap Choosing WPA2/WPA3-Personal (a shared PSK) when the requirement is per-user credentials checked against a central server.

10 questions test this
WPA2 should use AES-CCMP, not the legacy TKIP

AES, implemented as AES-CCMP with 128-bit keys, is the mandatory and strongest encryption for WPA2 and provides both confidentiality and integrity. TKIP was only a transitional fix for WEP-era hardware and relies on the weak RC4 cipher, so a WPA2 network running TKIP should be moved to AES.

Trap Leaving WPA2 on TKIP for compatibility, which keeps the weak RC4-based cipher instead of AES.

5 questions test this

Network Threats & Attacks

Read full chapter
  • Classify a network attack by which CIA property it targets
  • DDoS uses many hosts at once to attack availability
  • A man-in-the-middle attacks confidentiality and integrity, not availability
  • Malware is the vehicle: code that runs an unauthorized process on a host
  • A virus needs a host file and a user to run it
  • A worm self-propagates over the network with no host and no user
  • A Trojan is disguised software the user installs; it does not self-replicate
  • An IDS detects and alerts; an IPS detects and blocks
  • An IPS must sit inline, so it can drop legitimate traffic
  • A NIDS watches a network segment but cannot read encrypted payloads
  • A HIDS watches one host and sees local and decrypted activity
  • Deploy HIDS and NIDS together; they are complementary
  • A firewall filters traffic at the boundary by a ruleset
  • Antivirus and scans clean malware already on a host
  • Layer prevention controls so each catches what the last one missed
  • Match the threat to the control: detect vs block vs clean
  • A stateful firewall tracks connection state; a stateless filter judges each packet alone
  • Firewalls match rules top-to-bottom, so put specific rules before general ones and deny by default
  • A volumetric DDoS saturates bandwidth; a SYN flood exhausts connection state via the TCP handshake
  • A network traffic baseline lets you spot the abnormal patterns that signal a DDoS
  • Anomaly-based detection catches zero-days; signature-based detection only catches known attacks
  • A false positive is legitimate activity wrongly flagged as an attack
  • DNS cache poisoning injects false records into a resolver's cache to redirect users
  • Packet sniffing is passive and hard to detect, so encryption is the real defense

Unlock with Premium — includes all practice exams and the complete study guide.

Network Infrastructure

Read full chapter
  • A UPS bridges the gap; a generator carries a prolonged outage
  • Keep data-center humidity in a band, roughly 40 to 60 percent
  • A pre-action sprinkler is the data-center default because one broken head will not flood the room
  • CO2 fire suppression is for unoccupied spaces only
  • Express spare capacity as redundancy: N+1 adds one spare, 2N fully duplicates
  • An MOU states intent; an MOA spells out specific obligations
  • Put sensitive equipment in the building's interior core
  • Defense in depth layers independent controls
  • Segmentation limits lateral movement, with VLAN cheapest and physical strongest
  • Put internet-facing servers in a DMZ to isolate a compromise
  • A VPN gives a protected tunnel over an untrusted network
  • NAC enforces two gates: authentication and posture
  • NAC, not IAM, is the control for unmanaged IoT devices
  • Cloud responsibility slides with the service model
  • The provider secures of the cloud; the customer secures in the cloud
  • Know the cloud deployment models: public, private, hybrid, community
  • An SLA is the provider's measurable commitment, most visibly uptime
  • Outsourcing to an MSP does not outsource accountability
  • A TLS certificate proves the server's identity by chaining to a trusted root CA, blocking MitM
  • The root CA is the trust anchor, so compromising it invalidates every certificate beneath it
  • DNSSEC digitally signs DNS data to authenticate its origin and prove integrity
  • Subnetting and VLANs into security zones limit an attacker's lateral movement
  • VPN split tunneling sends internet traffic outside corporate security controls

Unlock with Premium — includes all practice exams and the complete study guide.

Security Operations

Data Security

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Hashing proves integrity; encryption protects confidentiality

Encryption and hashing solve opposite problems, and confusing them is the single most tested mistake in this topic. Encryption scrambles data so only a key holder can read it, serving confidentiality, and it is reversible. Hashing produces a one-way fingerprint that reveals whether data changed, serving integrity, and it is not reversible. A hash hides nothing because anyone can compute it, so it can never be the answer to a question about keeping data secret.

Trap Treating hashing as a form of encryption; a hash detects change but cannot conceal data, so it provides no confidentiality.

8 questions test this
A hash is one-way and fixed-length, with no key

A hash function turns any input into a short fixed-length digest and cannot be run backward to recover the input, so it uses no key and reveals nothing about the content. Comparing a stored digest with a freshly computed one detects tampering, because changing even one character changes the whole digest. The standard families are SHA-2 and SHA-3 (NIST FIPS 180-4 and FIPS 202).

10 questions test this
Symmetric encryption uses one shared key and is fast for bulk data

Symmetric encryption uses the same secret key to encrypt and decrypt, which makes it fast and the right choice for bulk data like full disks, databases, and large files. Its weakness is key distribution: both parties must already share the secret key, and getting that key to the other side safely is the hard part. The standard symmetric algorithm is AES (NIST FIPS 197).

8 questions test this
Asymmetric encryption uses a public/private key pair to solve key exchange

Asymmetric (public-key) encryption uses a matched pair where what one key locks only the other can unlock. The public key can be shared with anyone; the private key stays secret. To send a confidential message you encrypt with the recipient's public key, and only their private key decrypts it, so two parties who never met can communicate without sharing a secret first. RSA is the classic asymmetric algorithm.

Trap Choosing asymmetric encryption to bulk-encrypt large data; it is much slower than symmetric and is meant for small data and key exchange, not the payload.

Real systems combine asymmetric and symmetric encryption

Because asymmetric encryption is slow, practical systems do not choose one family over the other; they use slow asymmetric encryption once to safely exchange a fresh symmetric key, then switch to fast symmetric encryption for the actual data. This is the pattern behind TLS, which protects web data in transit. The takeaway is that asymmetric handles the key exchange and symmetric handles the bulk payload.

Match each data state to its primary protection

Data exists in three states, and the exam expects you to pair each with its main control. Data at rest is stored and is protected by storage encryption plus access control. Data in transit is moving across a network and is protected by transport encryption such as TLS or IPsec. Data in use is loaded in memory being processed and is the hardest to protect because the processor traditionally needs cleartext, mitigated by runtime access control and memory hygiene.

3 questions test this
Storage encryption mainly protects a lost or powered-off device

Full-disk and storage encryption defend data at rest against theft of a powered-off or lost device, but they are not a substitute for access control on a running system. Once an authorized user logs in and the volume is unlocked, the data is available to them in the clear, so an attacker who gets in as that logged-in user is not stopped by the encryption.

Trap Assuming disk encryption protects data on a running, logged-in machine; after the volume is unlocked the data is available, so access control still does the work.

2 questions test this
The data owner sets classification, and classification comes first

Classification assigns a sensitivity level (such as public, internal, confidential, restricted) based on the harm that disclosure or loss would cause. The data owner, a business role, decides the level, while the custodian (usually IT) only implements the resulting controls. Classify before anything else, because you cannot pick the right storage, access, retention, and destruction rules until you know how sensitive the data is.

Trap Assuming IT or the custodian decides the classification; the data owner sets it, and the custodian only implements the controls it requires.

6 questions test this
Labeling carries the handling rules with the data

Once data is classified, it is labeled so its handling rules travel with it. A marking is the human-readable form, a stamp like 'Confidential' that a person reads and acts on; a label in the strict sense is machine-readable metadata that a system parses and enforces. Both ensure that everyone and every system touching the data knows how it must be handled.

8 questions test this

Retention sets how long data is kept, driven by legal, regulatory, and business needs. Keeping data too long raises storage cost and breach exposure; deleting it too soon can break a compliance obligation. A legal hold is the sharp exception: it suspends the normal retention-and-destruction schedule for data tied to actual or anticipated litigation, and that data must be preserved until the hold is lifted even if its retention period has expired.

Trap Destroying data on its scheduled date while a legal hold is in force; the hold overrides the schedule and the data must be preserved until released.

8 questions test this
Deleting a file does not destroy the data

Pressing delete or quick-formatting a drive only removes the pointer to the data, leaving the underlying bits intact and recoverable, a problem called data remanence. Proper disposal requires sanitization that renders the data unrecoverable, not a logical delete. This is why media that held sensitive data must be sanitized before reuse or disposal.

Trap Treating a deleted file or quick-formatted drive as gone; data remanence leaves the bits recoverable until the media is actually sanitized.

3 questions test this
Sanitization has three levels: clear, purge, destroy

NIST SP 800-88 defines three sanitization levels of rising assurance. Clear overwrites the data with normal commands and the media stays reusable. Purge renders recovery infeasible even with laboratory techniques, using methods like degaussing or cryptographic erase, and the media may still be reusable. Destroy physically wrecks the media by shredding, pulverizing, or incinerating so it can never store data again.

3 questions test this
Choose the sanitization level from data sensitivity, not media type

The decision rule for sanitization is based on the confidentiality of the data, not the kind of media. Pick the level from how sensitive the data is and whether the media will be reused or leave your control: higher sensitivity and loss of control push toward purge or destroy. The media type only influences which technique implements the chosen level.

Trap Picking the sanitization method from the media type first; NIST keys the decision on data confidentiality, then the media type selects the technique.

2 questions test this
Degaussing only works on magnetic media

Degaussing uses a strong magnetic field to wipe magnetic media such as hard disks and tapes, and it usually leaves the drive inoperable. It does nothing to flash and solid-state drives because they are not magnetic, so an SSD that needs purging requires cryptographic erase or the device's built-in sanitize command, not a degausser. Cryptographic erase destroys the encryption key so only unrecoverable ciphertext remains.

Trap Reaching for degaussing to sanitize a solid-state drive; SSD and flash are not magnetic, so degaussing leaves the data intact.

5 questions test this
Logging is the foundation of accountability

A log records security-relevant events as they happen: logins and failed logins, file and resource access, account and permission changes, and configuration changes. Logs are the raw material of accountability, the ability to trace an action back to the individual who performed it. This is why unique user accounts matter: with a shared account the logs prove an action happened but not who did it.

Trap Using shared accounts and relying on logs for accountability; the logs cannot attribute the action to a person, so accountability is lost.

Monitoring is the active review of logs

Logging records events; monitoring is actively reviewing those records to catch problems while there is time to respond. Logs that pile up unread give you evidence to reconstruct an incident afterward but no early warning during it. In practice logs from many systems are centralized so they can be correlated and watched together, with alerts on suspicious patterns like repeated failed logins.

Logging is a detective control, not a preventive one

Logging and monitoring tell you that something happened; they do not stop the event itself, so they are detective controls rather than preventive ones. A question asking how to detect misuse or suspicious activity points to logging and monitoring, while one asking how to prevent the event points to a different control. Logs are also a target: an attacker who can edit or delete them erases evidence, so logs should be protected and stored where they cannot be tampered with.

Trap Choosing logging to prevent an attack; logging detects and records but does not block the event, which needs a preventive control.

A mixed document takes the classification of its most sensitive part

When one document, dataset, or report combines data of several classification levels, the whole asset is classified and handled at the highest (most sensitive) level present. This high-water-mark rule guarantees the most sensitive element still gets adequate protection rather than leaking under a lower label.

Trap Averaging the levels or labeling the document by the bulk of its (lower) content.

8 questions test this
Match control strength to data sensitivity, neither under- nor over-classifying

The point of classification is to apply controls proportional to a data item's sensitivity: public data needs little, highly confidential data needs strong controls. Over-classifying data is a real cost, not a safe default, because it forces expensive controls and restrictive handling onto low-risk information and ties up resources.

Trap Classifying everything at the highest level to be safe, ignoring the cost and lost business use it creates.

9 questions test this
Encryption is only as strong as the management of its keys

Cryptographic strength depends on key protection: compromise or loss of a key exposes or destroys all data it protected. Manage keys across their lifecycle by storing them separately from the data, using each key for a single purpose, rotating them, and securely destroying them at end of life; destroying the key (cryptographic erasure) also renders encrypted media unrecoverable.

Trap Reusing one key for multiple purposes or keeping it alongside the data it protects.

12 questions test this

System Hardening

Read full chapter
  • System hardening shrinks the attack surface by removing what a system does not need
  • Least functionality: provide only the capabilities the system needs, disable the rest
  • Configuration management is the discipline that maintains a secure baseline over time
  • A baseline is the documented, approved reference configuration for a system
  • Adopt an established hardening benchmark instead of inventing your own
  • Configuration drift is divergence from the baseline, and monitoring is the fix
  • Changes to a hardened system flow through change control
  • Patch management is the organized cycle of applying vendor fixes for known flaws
  • Treat patching as scheduled preventive maintenance, not an emergency
  • The patch lifecycle is identify, test, deploy, verify
  • Test a patch in non-production before it touches live systems
  • Verify a patch took effect; deploying is not the same as fixing
  • Phased (ringed) deployment catches a bad patch on a few systems first
  • When you cannot patch, mitigate instead, never ignore the flaw
  • Remove or disable unnecessary services, software, and open ports
  • Remove or disable default and sample accounts
  • Change every default password before a system goes into service
  • Signature-based antivirus only catches malware it already has a signature for
  • Manage devices with encrypted protocols, not cleartext ones

Unlock with Premium — includes all practice exams and the complete study guide.

Security Policies

Read full chapter
  • A security policy states the rule; the exam asks which policy owns the scenario
  • An AUP governs conduct on company systems
  • A BYOD policy governs the personal device, not the user's conduct
  • AUP vs BYOD: behavior on company systems vs the personal device itself
  • A Password policy is where credential rules are recorded
  • A Data Handling policy covers classification, labeling, retention, and destruction
  • A legal hold overrides the retention schedule
  • A Privacy policy is the personal-information slice of data handling
  • A Change Management policy makes changes accountable and reversible
  • Change management runs document, approve, test, implement, rollback
  • Rollback is the step that returns the system to its last known-good state
  • Emergency changes are expedited but still recorded
  • A policy states intent; a standard and a procedure carry it out
  • The Change Advisory Board reviews and authorizes changes before they go live
  • An account lockout threshold blunts brute-force guessing, but set too low it invites denial of service
  • Modern password rules: salt-and-hash storage, check against breach lists, change only on compromise

Unlock with Premium — includes all practice exams and the complete study guide.

Security Awareness Training

Read full chapter
  • People are the most-targeted security layer
  • Social engineering attacks the person, not the system
  • Phishing is the broad email lure; spear phishing is the targeted version
  • Whaling is spear phishing aimed at senior executives
  • Vishing is phishing by voice call; smishing is phishing by text
  • Pretexting invents a false story to justify the request
  • Baiting attaches the attack to something the victim wants
  • Tailgating follows an authorized person through a secure door
  • Awareness, training, and education answer what, how, and why
  • Awareness targets everyone; training targets a role
  • Education is the deepest, professional level
  • Awareness reinforcement is ongoing, not a one-time briefing
  • Use long, unique passwords for every account
  • No legitimate party ever asks for your password
  • MFA blunts a stolen password
  • Awareness changes behavior but does not enforce it
  • Training completion records are evidence of due diligence for auditors
  • Completion rate shows participation, not changed behavior
  • Start with a needs assessment and tailor content to each role

Unlock with Premium — includes all practice exams and the complete study guide.