CC Cheat Sheet
Security Principles
Information Assurance
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The CIA triad is confidentiality, integrity, and availability
The CIA triad names the three core goals of information assurance: confidentiality (only authorized people can see the data), integrity (the data stays accurate and unaltered), and availability (the data and systems are usable when authorized people need them). Almost every control you study protects at least one of the three, so a fast first step on any scenario is to decide which of the three is at stake.
4 questions test this
- When determining the value of an information asset using the CIA triad approach, what THREE attributes are summed together?
- Which of the following best describes the CIA triad in information security?
- What is the PRIMARY purpose of the CIA triad in information security?
- When assessing the security requirements of an information asset, which three attributes form the CIA triad?
- Confidentiality is about who can see the data, protected by access control and encryption
Confidentiality preserves authorized restrictions on access and disclosure, so only the right people can read the information. It is protected mainly by access control, encryption, and careful data handling. A confidentiality breach is any exposure to the wrong person, such as a leaked database, a shoulder-surfed password, or a stolen unencrypted laptop.
11 questions test this
- Which security control is MOST appropriate for protecting sensitive data stored on a laptop hard drive?
- What is the PRIMARY purpose of encryption in information security?
- Which of the following scenarios represents a threat specifically targeting confidentiality?
- Which security principle is PRIMARILY protected when data is encrypted during transmission?
- What security assurance is primarily provided when a sender encrypts a message using the recipient's public key?
- Which security control provides confidentiality protection for data stored on a laptop hard drive?
- Which element of the CIA triad is PRIMARILY supported by encrypting sensitive data files stored on a server?
- Which security principle is primarily concerned with ensuring that information is only accessible to those authorized to view it?
- Encryption is an important technical control that primarily protects which element of the CIA triad?
- What is the PRIMARY element of the CIA triad that encryption is designed to protect?
- Which security principle ensures that information is not disclosed to unauthorized individuals, processes, or devices?
- Integrity is about data staying unaltered, and hashing is the classic check
Integrity guards information against improper or accidental modification, keeping it accurate and complete. Hashing is the classic check: a one-way function produces a short fingerprint of the data, and if even one character changes, the fingerprint changes, so a mismatch reveals tampering. An integrity breach is any unauthorized or accidental change, such as an altered bank balance or a corrupted file.
Trap Picking confidentiality when records were altered rather than viewed; a change to the data is integrity, even if the attacker needed access to make it.
11 questions test this
- A company uses hash values to verify that software downloads have not been tampered with during transmission. Which CIA triad element does…
- An organization requires employees to digitally sign all outgoing contracts. What security benefits does this provide?
- Which cryptographic mechanism enables a recipient to verify both the origin of a message and that the message has not been altered?
- Which cryptographic technique is BEST suited for verifying data integrity?
- Sarah digitally signs an email to her colleague using her private key. What security services does this digital signature provide?
- Which of the following controls BEST supports the integrity element of the CIA triad?
- Sarah needs to verify that a software download has not been corrupted or tampered with during the download process. Which cryptographic…
- A ransomware attack encrypts all files on a company's server, making the data inaccessible to users. Which elements of the CIA triad are…
- An organization wants to verify that a file has not been modified during transmission. Which cryptographic technique is MOST appropriate…
- A security analyst needs to verify that a software download has not been altered during transmission. Which mechanism BEST supports the…
- A hospital discovers that patient medical records have been altered without authorization. Which element of the CIA triad has been…
- Availability is about timely access, protected by backups and redundancy
Availability ensures timely and reliable access to information and systems for the people authorized to use them. It is protected by backups, redundancy such as a standby server, and enough capacity to handle the load. An availability breach needs no secret exposed and no data changed: an outage, a hardware failure, or a denial-of-service flood that blocks legitimate users all count.
7 questions test this
- An organization implements data backups, redundant systems, and load balancing across multiple servers. Which element of the CIA triad do…
- An organization needs to ensure that its online banking portal remains operational during high traffic periods. Which element of the CIA…
- A ransomware attack encrypts all files on a company's server, making the data inaccessible to users. Which elements of the CIA triad are…
- Which of the following best describes the concept of availability in the CIA triad?
- A company's critical business application becomes inaccessible due to a distributed denial-of-service (DDoS) attack. Which element of the…
- A critical hospital system must be accessible 24/7 for patient care. Which element of the CIA triad is MOST important for this system?
- A ransomware attack encrypts all files on a company server, making them inaccessible to employees. Which element of the CIA triad is…
- Authentication confirms identity and always comes before authorization
Authentication verifies that a user, device, or process is who it claims to be, and it must happen before authorization because a system cannot grant the right permissions to an identity it has not first confirmed. Authentication answers "who are you?" while authorization answers "what are you allowed to do?", and the order is fixed: authenticate first, then authorize.
Trap Treating authorization as the step that proves identity; authorization only assigns permissions after authentication has already confirmed who the identity is.
- Authentication factors fall into three categories: know, have, are
Proof of identity comes from three categories of factors: something you know (a password or PIN), something you have (a phone, token, or smart card), and something you are (a biometric such as a fingerprint or face). The exam expects you to sort an example into the right category, because the category, not the specific item, is what determines whether a login is multi-factor.
9 questions test this
- A user logs into a banking application using a password and then receives a one-time code on their mobile phone that must be entered. What…
- An organization implements authentication that requires employees to enter a password and then provide a fingerprint scan. Which…
- A user logs into a system using a smart card and enters a PIN. Which authentication factors are being used?
- A fingerprint scan used during login is an example of which authentication factor?
- A user enters a password and then scans their fingerprint to access a secure system. What type of authentication is being used?
- Which authentication factor category does a hardware security token represent?
- Which combination represents valid authentication factors for multi-factor authentication?
- Which of the following represents the three standard categories of authentication factors?
- An organization requires employees to use a proximity card combined with a PIN to enter the data center. Which security concept does this…
- MFA requires factors from two or more different categories
Multi-factor authentication combines factors from two or more different categories, so a password plus a phone code is MFA because it mixes something you know with something you have. The point is to resist stolen passwords: a second factor from another category means one captured secret is no longer enough to get in.
Trap Counting a password plus a security question as MFA; both are something you know, so it is single-factor and one phishing attack can capture both.
4 questions test this
- A user logs into a banking application using a password and then receives a one-time code on their mobile phone that must be entered. What…
- A user enters a password and then scans their fingerprint to access a secure system. What type of authentication is being used?
- Which combination represents valid authentication factors for multi-factor authentication?
- An organization requires employees to use a proximity card combined with a PIN to enter the data center. Which security concept does this…
- Non-repudiation means an actor cannot deny what they did
Non-repudiation is assurance that the person who took an action cannot later deny it, and that the receiver cannot deny receiving it. It depends on integrity plus strong proof of identity, and it is what lets an organization hold someone responsible for an action with confidence.
5 questions test this
- An organization requires employees to digitally sign all outgoing contracts. What security benefits does this provide?
- Sarah digitally signs an email to her colleague using her private key. What security services does this digital signature provide?
- An organization wants to ensure that employees cannot deny sending critical business communications. Which mechanism best supports this…
- A financial services company needs to prove that a specific customer authorized a large wire transfer. Which security principle is the…
- An employee claims they did not authorize a financial transaction that occurred under their credentials. Which security principle addresses…
- A digital signature provides non-repudiation because only the signer holds the private key
A digital signature gives origin authenticity, integrity, and non-repudiation at once. Because only the signer holds the private key used to sign, a valid signature ties the document or action to that one person, so they cannot credibly deny it. This is the classic control to reach for when a scenario asks to prove who sent or approved something.
Trap Reaching for a shared-key message authentication code (MAC) for non-repudiation; both parties hold the same key, so either could have produced it and neither is uniquely bound.
5 questions test this
- An organization requires employees to digitally sign all outgoing contracts. What security benefits does this provide?
- Which cryptographic mechanism enables a recipient to verify both the origin of a message and that the message has not been altered?
- Sarah digitally signs an email to her colleague using her private key. What security services does this digital signature provide?
- An organization wants to ensure that employees cannot deny sending critical business communications. Which mechanism best supports this…
- What cryptographic mechanism is primarily used to achieve non-repudiation?
Accountability is the goal of tracing every action uniquely back to the individual who performed it, and it rests on authentication plus logging. Shared accounts defeat accountability no matter how strong the password is: if several people sign in as "admin", the logs show the action but not who is responsible.
Trap Assuming a strong password on a shared account preserves accountability; shared use breaks the unique attribution that accountability and non-repudiation both require.
- Privacy is the right to control personal data, not the same as confidentiality
Privacy is the right of individuals to control how their personal information is collected, used, shared, and retained, and it is increasingly driven by laws and regulations. Confidentiality is the control that keeps data secret; privacy is the individual's right to decide what is done with data about them. You can hold data with perfect confidentiality and still violate privacy by using it for a purpose the person never agreed to.
Trap Treating strong confidentiality controls as satisfying privacy; secrecy of the data does not cover consent or how the personal data is used.
- Read the harm in the stem to pick the CIA goal
Most Information Assurance questions describe a situation and ask which goal is at stake, and the harm names the goal. Data seen by the wrong person is confidentiality, data changed is integrity, and a system that is down or unreachable is availability. Match the verb in the scenario to the goal rather than guessing from the topic.
- Information assurance balances the three goals rather than maximizing one
The three goals can pull against each other: locking everything down strengthens confidentiality but can hurt availability, while spreading data everywhere for availability can widen how it leaks. Security is the act of balancing confidentiality, integrity, and availability for the value of what is being protected, not maximizing any single one.
- Authentication, non-repudiation, and privacy extend the triad in the CC outline
The CC Information Assurance topic covers the CIA triad plus three more goals: authentication (confirming identity), non-repudiation (preventing denial of an action), and privacy (individual control over personal data). Knowing that the outline lists these alongside the triad helps you recognize which goal an answer choice is naming.
- To send a confidential message, encrypt with the recipient's public key
In asymmetric (public-key) encryption, the sender encrypts with the recipient's public key, and only the recipient's matching private key can decrypt it, which is how confidentiality is achieved. The private key is never shared, so even an intercepted message stays unreadable.
Trap Encrypting with the sender's own private key, which gives a signature for non-repudiation, not confidentiality.
4 questions test this
- To ensure only the intended recipient can read a confidential message using asymmetric encryption, which key should the sender use to…
- In asymmetric encryption, if Sarah wants to send a confidential message to James, which key should she use to encrypt the message?
- What security assurance is primarily provided when a sender encrypts a message using the recipient's public key?
- In asymmetric encryption, which key should be kept confidential and never shared with other parties?
- Symmetric encryption shares one key and is fast; asymmetric uses a key pair and is slow
Symmetric encryption uses a single shared secret key for both encryption and decryption, so it is fast and suited to bulk data at rest (for example AES). Asymmetric encryption uses a public/private key pair, which solves key distribution but is slower, so hybrid systems use it only to exchange a symmetric session key.
Trap Reaching for asymmetric encryption to protect large volumes of data, when its overhead makes symmetric the efficient choice for bulk encryption.
6 questions test this
- Which statement correctly describes symmetric encryption?
- A security administrator needs to encrypt large volumes of data efficiently. Which type of encryption should be used?
- Which statement accurately describes the difference between symmetric and asymmetric encryption?
- Which statement accurately describes the relationship between asymmetric encryption and symmetric encryption in modern security…
- In symmetric encryption, which characteristic distinguishes it from asymmetric encryption?
- Which type of encryption uses a single key for both encrypting and decrypting data, making it efficient for protecting large amounts of…
Risk Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Controls
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A security control is any safeguard that protects CIA
A security control is a safeguard or countermeasure put in place to reduce risk and protect the confidentiality, integrity, and availability of information and systems. A door lock, a firewall rule, a password policy, and a nightly backup are all controls despite looking nothing alike, because each lowers risk to the same asset. FIPS 200 formally groups controls as management, operational, and technical.
- Classify a control by how it is enforced: technical, administrative, or physical
The three control types describe the mechanism that does the work, not how important the control is. Technical (logical) controls are enforced by hardware, software, or firmware; administrative (managerial) controls are policies, procedures, and human practices; physical controls are tangible barriers and the environment. Most real safeguards need all three working together around one asset.
Trap Ranking the types so technical counts as the real security and the others as paperwork; they are equals and usually all apply to one asset.
- Technical controls are enforced by the system itself
A technical (logical) control is carried out by hardware, software, or firmware rather than by a person. Encryption, firewalls, access-control lists, antivirus, and intrusion-detection systems are technical controls. If a machine does the enforcing, the answer is technical.
1 question tests this
- Administrative controls direct how people behave
An administrative (managerial) control works through policy, procedure, and human practice rather than through a machine. A security policy, a pre-hire background check, separation of duties, and a security-awareness program are administrative controls. If the safeguard tells people what to do, classify it administrative.
Trap Calling a policy that requires encryption a technical control; the written rule directing people is administrative, even though the thing it mandates is technical.
5 questions test this
- An organization wants employees to recognize and report phishing attempts. Which administrative control would BEST achieve this objective?
- Which of the following BEST describes an administrative control?
- Which characteristic distinguishes administrative controls from technical controls?
- A security team is developing a program to help employees recognize and report phishing attempts. Which concept BEST describes this…
- What type of security control is security awareness training classified as?
- Physical controls protect the tangible world
A physical control acts on the physical environment: fences, locks, badge readers, mantraps, security guards, CCTV cameras, and fire-suppression systems. If you could touch it or walk into it, it is physical. Environmental safeguards like HVAC and fire suppression count here too because they protect the site and equipment.
- Type and function are separate, independent axes
A control's type (technical, administrative, physical) describes how it is built; its function describes what it does about a threat. The two are independent, so any type can serve any function: a fence (physical) deters, a firewall (technical) prevents, an audit-log review (administrative) detects. Exam stems often want both answers, so read the scenario once for the mechanism and once for the goal.
Trap Assuming a control's type fixes its function, so a firewall is always preventive; the same firewall can be preventive or detective depending on how it is used.
- Preventive controls stop an event before it happens
A preventive control blocks an unwanted event from occurring at all. A firewall that drops a connection, a door lock that bars entry, and enforced strong-password rules are preventive. Preventive is the function exam stems describe with verbs like block, bar, or stop.
10 questions test this
- An organization implements a firewall to block unauthorized network traffic before it reaches internal systems. Which type of security…
- Which of the following correctly pairs a security measure with its functional control type?
- An organization requires all employees to use strong passwords with a minimum of 12 characters. Which type of security control is this?
- Which security control classification scheme categorizes controls based on WHEN they act relative to a security incident?
- An organization implements a firewall that blocks unauthorized network traffic from entering its systems. What type of control BEST…
- Which type of physical security control function does a locked server room door perform?
- An organization installs bollards and concrete barriers around the entrance to its data center building. What category of physical control…
- An organization requires all employees to use multi-factor authentication before accessing sensitive systems. How should this control BEST…
- Which type of security control is PRIMARILY designed to stop an unauthorized action before it occurs?
- A security architect recommends implementing multi-factor authentication to address the risk of unauthorized access. How should this…
- Detective controls notice an event during or after it
A detective control identifies an event while it happens or after the fact, but does not stop it on its own. Intrusion-detection systems, reviewed audit logs, and CCTV recordings are detective. The signal in a stem is that the control records, alerts, or reveals rather than blocks.
Trap Treating a recording CCTV camera as preventive; on its own it only detects, the deterrent or preventive effect comes from the visible presence or a guard acting on it.
9 questions test this
- Which physical security control is PRIMARILY intended to detect unauthorized access rather than prevent it?
- A security analyst reviews log files to identify suspicious login attempts on the organization's network. What type of control function…
- What is the PRIMARY purpose of closed-circuit television (CCTV) systems in physical security?
- Which security control scenario correctly matches the control type with its function?
- A security analyst reviews system logs each morning to identify any unusual activity that occurred overnight. What type of control does…
- Which security control classification scheme categorizes controls based on WHEN they act relative to a security incident?
- Which of the following is the PRIMARY purpose of a detective control?
- Which type of security control is primarily designed to identify that a security event has occurred?
- Which of the following BEST describes the role of CCTV in a comprehensive physical security program?
- Corrective controls fix the damage and restore operations
A corrective control acts after an event to repair harm and return to normal. Restoring files from backup, removing malware, and applying a patch that closes the exploited hole are corrective. Recovery controls are a closely related, broader restore-to-operations idea that overlaps corrective.
6 questions test this
- An organization implements data backups to support recovery operations after a ransomware attack. What type of control does this represent?
- After discovering a malware infection, an organization restores affected systems from known-good backups. Which control type is being…
- After a ransomware attack encrypts critical files, an organization restores its data from backup tapes stored offsite. The backup system…
- Which of the following is an example of a corrective security control?
- Which security control classification scheme categorizes controls based on WHEN they act relative to a security incident?
- After a ransomware attack encrypted critical files, an organization restored its systems using data backups. This recovery action is an…
- Deterrent controls discourage an attacker from trying
A deterrent control reduces the will to attack rather than the ability. A visible surveillance sign, a guard at the gate, and login warning banners are deterrent because they make a target look harder or riskier. Deterrence works on the attacker's decision, so a control nobody can see does not deter.
- One control can fill more than one function at once
Functions are not exclusive, so a single control can do several jobs. A security guard physically deters an intruder at the gate, detects one on the cameras, and prevents entry at the door. When a stem asks for the primary function, pick the effect the scenario emphasises rather than insisting on a single label.
- A compensating control substitutes for one that will not fit
A compensating control is an alternative safeguard used in lieu of a recommended control that cannot be implemented as written, and it must give equivalent or comparable protection. It is triggered by a real constraint, such as a legacy system that cannot run encryption or accept multi-factor authentication, not by convenience. Wrap the gap in other safeguards, for example isolating the legacy system on its own monitored network segment.
Trap Picking a compensating control to save effort or money on a control that could be implemented; it is justified only when the recommended control genuinely cannot be deployed.
9 questions test this
- What requirement must a compensating control satisfy to be considered acceptable?
- An organization has a legacy system that cannot support modern session timeout controls. Which action demonstrates proper use of…
- A small organization cannot implement separation of duties due to limited staffing resources. Which is a valid compensating control…
- Under what circumstance is it appropriate for an organization to implement a compensating control instead of the primary control specified…
- When an organization cannot implement a recommended security control from an established baseline, what is the PRIMARY purpose of…
- A small organization cannot implement segregation of duties due to limited staff. Which compensating control approach would be most…
- When an organization cannot implement a required technical security control due to system limitations, which approach should be taken?
- What is the PRIMARY requirement for a compensating control to be considered valid according to risk management frameworks?
- A small organization cannot implement separation of duties due to limited staffing. Which combination of compensating controls would BEST…
- Document why the recommended control could not be used
Every compensating control should be recorded together with the reason the original control could not be implemented and how the substitute reaches comparable protection. The documentation makes the risk decision traceable later and is part of what distinguishes a legitimate compensating control from a quietly skipped one.
- Defense in depth layers independent controls so one failure is not fatal
Defense in depth (layered security) stacks multiple controls across different layers so an attacker who defeats one still faces the others. NIST frames it as integrating people, technology, and operations to set up barriers across multiple layers, which is why mixing control types around one asset strengthens the stack. A badge reader, network segmentation, and a least-privilege policy each guard the same database by a different route.
23 questions test this
- What is the PRIMARY benefit of implementing multiple security controls at different layers within an organization?
- Which of the following BEST describes why organizations implement multiple layers of physical security controls at their facilities?
- Which security strategy integrates people, technology, and operations capabilities to establish multiple barriers across an organization?
- Which of the following BEST describes the primary purpose of a defense in depth strategy?
- How does implementing a defense in depth strategy affect attackers attempting to compromise an organization's systems?
- Which statement BEST describes the purpose of using heterogeneous security technologies in a defense in depth strategy?
- An organization relies solely on a perimeter firewall to protect its network. Why does this approach fail to follow defense in depth…
- Which three elements does a defense in depth strategy integrate to establish variable barriers across multiple layers of an organization?
- Which combination represents the three dimensions that defense in depth integrates to protect organizational information systems?
- An organization wants to protect its sensitive database server. Which approach BEST demonstrates defense in depth?
- How does a defense in depth strategy benefit an organization when facing sophisticated attackers?
- In a defense in depth strategy, what is the primary benefit of implementing security controls at multiple layers of an organization's…
- According to NIST, defense in depth is an information security strategy that integrates which three elements?
- Which of the following scenarios BEST demonstrates a layered security approach consistent with defense in depth principles?
- In a defense in depth strategy, what happens when an attacker successfully bypasses one security control?
- Which security principle is MOST closely related to defense in depth?
- A security architect is designing a defense in depth strategy. Which combination of control types should be included for comprehensive…
- What is the PRIMARY purpose of implementing a defense in depth strategy?
- A security architect is explaining why the organization should not rely solely on perimeter defenses. Which statement BEST supports…
- What is the PRIMARY purpose of using multiple layers of physical barriers such as fences, gates, and locked doors around a facility?
- How does a defense in depth strategy help organizations defend against advanced persistent threats (APTs)?
- What is a PRIMARY benefit of implementing a defense in depth strategy?
- A security analyst is explaining why relying on a single firewall to protect the network is insufficient. Which defense in depth principle…
- Layers only count if they fail independently
Real depth requires controls that fail for different reasons; two controls sharing a single point of failure fail together and count as one layer, not two. A firewall and a VPN that both authenticate against the same identity store are a single layer, because cracking that one store gets past both. A physical lock is not bypassed by a stolen password, which is why mixing types creates genuine independence.
Trap Counting many controls that share one credential store or one chokepoint as deep defense; the shared dependency means a single failure removes them all at once.
4 questions test this
- What is the PRIMARY benefit of implementing multiple security controls at different layers within an organization?
- Which statement BEST describes the purpose of using heterogeneous security technologies in a defense in depth strategy?
- An organization relies solely on a perimeter firewall to protect its network. Why does this approach fail to follow defense in depth…
- Which of the following scenarios BEST demonstrates a layered security approach consistent with defense in depth principles?
- More controls is not the same as more layers
Adding safeguards that all depend on one thing does not deepen defense, because they collapse together. Defense in depth is measured in independent layers, not in the raw number of controls. When a stem lists several controls that hinge on one admin account or one gateway, the correct read is that it is not effective defense in depth.
- Security awareness training exists to change human behavior against attacks
Awareness training reduces risk by teaching employees to recognize and respond to threats like phishing and social engineering, addressing the human element that attackers find easier to exploit than technology. Best practice runs it at hire and at least annually, with role-based training for higher-risk jobs.
Trap Treating training as a one-time onboarding checkbox rather than an ongoing program with annual refreshers.
13 questions test this
- What is the primary purpose of security awareness training within an organization?
- Which statement BEST describes the primary purpose of a security awareness program?
- An organization wants to help employees recognize and respond to social engineering attacks. Which training topic should be prioritized?
- Which activity is considered a key component of an effective security awareness program?
- According to best practices, how frequently should security awareness training be conducted at minimum?
- An organization wants to measure the effectiveness of its security awareness program. Which metric provides the BEST indication of actual…
- Which social engineering attack method should be a PRIMARY focus of security awareness training based on current threat intelligence?
- What is the PRIMARY purpose of security awareness training for employees?
- Why are phishing simulations considered an effective component of security awareness programs?
- Why is security awareness training particularly important for protecting against social engineering attacks?
- A security team is developing a program to help employees recognize and report phishing attempts. Which concept BEST describes this…
- What type of security control is security awareness training classified as?
- Why is it important for security awareness training to include social engineering recognition?
- Phishing simulations measure and reinforce awareness by tracking click rates over time
Simulated phishing exercises give employees safe practice and let the organization measure behavior change through the click rate (phish-prone percentage). A falling click rate, and just-in-time training for those who fail, indicate the program is working.
Trap Using training-completion counts as the success metric instead of the simulated-phishing click rate that reflects actual behavior.
8 questions test this
- An organization conducts simulated phishing exercises and provides immediate training when employees click on suspicious links. What is…
- An organization wants to measure the effectiveness of its phishing awareness training program. Which metric would BEST indicate improvement…
- Which activity is considered a key component of an effective security awareness program?
- How can an organization measure the effectiveness of its security awareness training program?
- An organization wants to measure the effectiveness of its security awareness program. Which metric provides the BEST indication of actual…
- Why are phishing simulations considered an effective component of security awareness programs?
- An organization wants employees to recognize and report phishing attempts. Which administrative control would BEST achieve this objective?
- What is the PRIMARY reason organizations include phishing simulations in their security awareness training programs?
- An IDS only alerts; an IPS can actively block the threat
Per NIST SP 800-94, the defining difference is that an IPS can respond to a detected threat by attempting to prevent it from succeeding, while an IDS passively monitors and alerts. A host-based system (HIDS) watches one host's logs and events; an IPS is often deployed in detection-only mode first to tune out false positives before it blocks live traffic.
Trap Assuming a false negative (a missed real attack) is the harmless error, when it is the dangerous one because no alert is raised.
5 questions test this
- Which of the following BEST describes the defining characteristic that differentiates an intrusion prevention system (IPS) from an…
- What is the primary data source monitored by a host-based intrusion detection system (HIDS)?
- What is the primary reason an organization might initially deploy an Intrusion Prevention System (IPS) in detection-only mode?
- Which characteristic distinguishes an intrusion prevention system (IPS) from an intrusion detection system (IDS)?
- What type of intrusion detection system monitors traffic on an individual computer or device?
- A mantrap admits one authenticated person at a time to stop tailgating
A mantrap is two interlocking doors where the first must close before the second opens, so only one authenticated person passes and tailgating is prevented. Visitor sign-in, escort badges, and escorts distinguish authorized staff from visitors, and a lost access badge should be disabled immediately.
Trap Treating a badge reader on a single door as tailgating protection, when nothing stops a second person from following through.
3 questions test this
- What is the PRIMARY purpose of requiring visitors to sign in, receive an escort badge, and be accompanied by an employee at all times?
- Which physical security control is specifically designed to prevent tailgating by allowing only one person to pass through at a time?
- An employee loses their access badge used to enter secure areas of the facility. What should be the FIRST action taken by security…
ISC2 Code of Ethics
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Governance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
BC, DR & Incident Response
Business Continuity
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Business continuity keeps critical functions operating during a disruption
A business continuity plan (BCP) is the plan for sustaining the organization's mission and critical business processes during and after a disruption, so the business keeps serving customers even while its normal setup is broken. Its goal is to keep operating, not to fix the broken systems. Per NIST SP 800-34 Rev. 1 the BCP focuses on the business processes, while the technical restoration of the systems those processes depend on is handled separately by disaster recovery.
- BC keeps the business running; DR restores the IT systems
The most tested point on this topic is the difference between business continuity and disaster recovery (DR). BC is about keeping the business operating (people, processes, customer service) during and after a disruption; DR is the information-system-focused work to restore the technology, servers, applications, and facilities, often at an alternate site. NIST SP 800-34 Rev. 1 frames the DR plan as supporting the BCP, since it recovers the systems the business processes rely on. The tie-breaker on an exam: focus on the business process means BC, focus on the technology means DR.
Trap Choosing disaster recovery when the scenario is about keeping the business running during the outage; both involve an outage, but DR is the technical restore of systems, not keeping the mission going.
- The BIA comes before the continuity plan
The business impact analysis (BIA) is done first, because it tells the plan what to protect and how fast. The BIA identifies the critical business processes, estimates the impact of each one being disrupted, and ranks them; the BCP is then written from those results. Asking what you do first, or what the continuity plan is based on, points to the BIA.
Trap Writing or selecting the continuity plan before the BIA; you cannot prioritize recovery without first knowing which processes are critical and how much downtime each can tolerate.
3 questions test this
- The BIA runs three ordered steps
NIST SP 800-34 Rev. 1 structures the BIA as three ordered steps: first determine the mission and business processes and how critical each is, then identify the resources each process needs to resume along with its dependencies, and finally identify recovery priorities. The output of these steps, especially each process's recovery target, is what the continuity plan is built around.
- Maximum tolerable downtime is the longest a process can be down before unacceptable harm
Maximum tolerable downtime (MTD) is the total amount of time a critical process can be unavailable before the damage becomes unacceptable, per NIST SP 800-34 Rev. 1. It is the recovery target the BIA produces for each critical process, and it drives how much to invest in recovery: a short MTD justifies fast, costly recovery while a long MTD can rely on simpler, cheaper measures.
- MTD is a business tolerance set by leadership, not by IT
MTD is set by the business, the leadership or process owner, and recorded in the BIA, because only the business can say how much outage it can survive. IT then designs recovery to meet that target. Watch for stems where the wrong answer has a technical or IT role choosing the MTD; the business sets the tolerance and hands it to IT to satisfy.
Trap Treating MTD as a number IT or the technical team picks; it is a business-set tolerance recorded in the BIA, separate from the technical recovery timeline built to meet it.
- MTD ranking decides which processes recover first
Because the BIA ranks processes and sets each one's MTD, the continuity effort recovers the most time-critical work first instead of treating everything as equally urgent. A process whose MTD is minutes, like card payments, justifies a standby capability, while one whose MTD is days, like refreshing a public catalog, can wait. This ranking is what turns limited recovery resources toward the work that cannot wait.
- A continuity plan needs people and named roles, not just technology
A usable BCP assigns the people and roles who keep each critical function running, names who can declare an emergency, and identifies their backups. A plan that lists technology but no clear owners fails the moment a decision has to be made under pressure. The plan ties each critical process to who is responsible for keeping it going.
Trap Assuming a continuity plan is mainly a technology document; without named owners and decision authority it stalls in the real disruption it was written for.
- The communication plan keeps one consistent message in a crisis
A BCP includes a communication plan so staff, customers, and partners get consistent information during a disruption. NIST SP 800-34 Rev. 1 crisis-communications guidance is to document internal and external communication procedures and typically designate specific individuals as the only authority for speaking to the public, so the organization speaks with one voice. The plan also covers how people will be reached when normal channels like office email and desk phones are down.
Trap Letting any employee answer public or media questions during a crisis; the plan designates a single authorized spokesperson so the organization speaks with one voice and avoids conflicting messages.
- Continuity dependencies on outside vendors are bound by SLAs
A critical process often depends on a vendor or partner, and the BIA must surface those external dependencies. NIST SP 800-34 Rev. 1 notes that external continuity dependencies are governed by service level agreements (SLAs) stating how quickly the provider must respond, aligned to the dependent process's recovery needs. Miss a dependency in the BIA and the plan can look complete yet stall because a supplier never committed to a recovery time.
- A continuity plan is exercised and kept current, not filed away
A BCP that sits unread is a liability: contact lists go stale and staff forget their roles. Plans are tested and updated so people know what to do and information is current before a real disruption rather than during one. Testing is part of having a continuity capability, not an optional extra.
- Incident response handles a security event; business continuity handles a broad disruption
Incident response (IR) is the plan for detecting, containing, and recovering from a security attack or breach, and it is triggered by a security event. Business continuity is broader, covering any major operational disruption and keeping critical functions running. When the stem describes an attack or breach the answer is IR; when it describes keeping operations going through an outage it is BC.
Trap Reaching for business continuity when the trigger is specifically a confirmed or suspected attack or breach; that security event is what incident response is for.
Disaster Recovery
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Incident Response
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Access Controls
Physical Access Controls
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Logical Access Controls
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A logical access control is a technical safeguard that gates a subject's use of an object
Logical access controls are enforced by software or firmware, and they decide whether a subject (a user, process, or device) may use an object (a file, database, application, or system). They are the technical, or logical, type of control, separate from physical controls like locks and from administrative controls like policies. Every access decision answers two questions: how much access to grant, set by the principles least privilege and need-to-know, and who writes the rule, set by the model DAC, MAC, or RBAC.
- Least privilege grants only the access a task needs, shrinking the blast radius
Least privilege restricts every user, process, or device to the minimum permissions its assigned job requires, and nothing more. The benefit is containment: if the account is phished or misused, the attacker inherits only the few permissions it actually held rather than the keys to everything. A help-desk technician who resets passwords should not also reach the payroll file, because reading payroll is not part of that job.
Trap Granting broad access for convenience and planning to trim it later; the standing extra permissions are exactly what an attacker inherits if the account is compromised.
18 questions test this
- Which security principle requires that users be given only the minimum access rights necessary to perform their job duties?
- According to the principle of least privilege, users should be granted which level of access?
- A security administrator needs to ensure that privileged users use non-privileged accounts when performing routine tasks. Which principle…
- When a user with a privileged account needs to perform routine non-security tasks, what should they do according to least privilege…
- An organization applies the principle of least privilege to its systems. Which statement BEST describes this security principle?
- A security administrator needs to ensure that employees can only access information necessary for their specific duties. Which principle…
- Which security principle requires that users be granted only the minimum access necessary to perform their job functions?
- A database application needs to connect to a production database containing customer records. Applying the principle of least privilege to…
- A security administrator is configuring file permissions for a new employee. According to the principle of least privilege, what approach…
- What is the PRIMARY purpose of the principle of least privilege?
- How does role-based access control (RBAC) support the principle of least privilege?
- Which security principle is MOST directly supported by the timely de-provisioning of user accounts when employees leave an organization?
- According to privilege management best practices, what should users with privileged accounts do when performing routine non-security tasks?
- An organization's file server uses permissions that include Read, Write, and Execute. A user needs to run a program stored on the server…
- When applying the principle of least privilege to access control list configuration, which approach should an administrator follow?
- Which security principle should guide how permissions are configured in an access control list for a new employee?
- What is the primary objective of the principle of least privilege?
- Which principle should guide the configuration of access control lists for system resources?
- Need-to-know is least privilege applied to information, separate from clearance
Clearance or job title sets eligibility to see a whole category of data; need-to-know is the narrower decision that a person actually requires these specific records to do their work. The two are independent, so a user cleared for Secret material still cannot pull an unrelated Secret file because the need-to-know is missing. Need-to-know limits which data within an eligibility level a person may touch.
Trap Treating a high clearance as automatic permission to read every file at that level; clearance is eligibility, but need-to-know must also exist for the specific object.
- Separation of duties splits a sensitive process so no one person can finish it alone
Separation of duties (also called segregation of duties) divides a critical process across two or more people, so no single individual holds enough privilege to misuse the system by themselves. The classic case is payments: whoever requests a payment must not also approve it, since one person controlling both steps could pay themselves. It is a preventive administrative control aimed at fraud by a lone insider.
Trap Calling it least privilege when the real fix is splitting one over-powered process across two people; least privilege trims one account's access, separation of duties divides the steps.
6 questions test this
- An organization wants to prevent employees from both creating purchase orders and approving them. Which RBAC feature addresses this…
- In RBAC, which mechanism ensures that a user who is assigned to the role of Accounts Payable Clerk cannot also be assigned to the role of…
- Which security principle does RBAC directly support by ensuring that multiple people are required to complete sensitive tasks?
- In RBAC, what mechanism is commonly used to enforce separation of duties between conflicting job functions?
- Which access control principle ensures that no single employee can both initiate and approve purchase orders?
- When implementing separation of duties in an organization, what is the primary security objective?
- Dual control requires two authorized people to act together for one action
Dual control is the strictest form of separation of duties: a single action cannot complete unless two authorized people act together, such as two officers each turning a key. Where ordinary separation of duties splits a multi-step process across people, dual control binds two people to the very same step. Both reduce single-insider abuse but do not stop two people colluding, which is why sensitive duties are also rotated.
- Three access-control models differ on one axis: who decides access
DAC, MAC, and RBAC are the three access-control models, and the clean way to tell them apart is a single question each answers differently: who decides access. DAC puts the decision with the object's owner, MAC puts it with the system, and RBAC puts it with a role an administrator defines. Read any scenario by asking who holds the decision and the model names itself.
4 questions test this
- What is the key characteristic of Discretionary Access Control (DAC)?
- In a discretionary access control (DAC) model, who has the authority to determine access rights to an object?
- What distinguishes discretionary access control (DAC) from mandatory access control (MAC) when managing permissions for system resources?
- Which access control model allows the owner of a resource to grant or revoke access to other users based on the owner's judgment?
- DAC lets the object's owner decide and re-share access
Under discretionary access control (DAC), access is left to the discretion of the object's owner, who can grant permissions to other subjects and even let them pass those permissions along. Sharing a file on a laptop or shared drive is the everyday example, and DAC is the default in most commercial operating systems. Its flexibility is also its weakness, because owners re-share at will and permissions drift in ways no central administrator planned.
Trap Believing DAC permissions are centrally controlled; owners can grant and pass on access themselves, which is why DAC is the least centrally controlled model.
6 questions test this
- What is the key characteristic of Discretionary Access Control (DAC)?
- In a discretionary access control (DAC) model, who has the authority to determine access rights to an object?
- What distinguishes discretionary access control (DAC) from mandatory access control (MAC) when managing permissions for system resources?
- In discretionary access control (DAC) environments, who typically has the authority to modify the ACL on an object?
- Which access control model allows the owner of a resource to grant or revoke access to other users based on the owner's judgment?
- In a discretionary access control (DAC) environment, who determines access permissions to a resource?
- MAC is enforced by the system from labels and clearances, and users cannot override it
Mandatory access control (MAC) is a policy uniformly enforced across all subjects and objects by the system itself. Each object carries a sensitivity label and each subject holds a formal clearance, and the system grants access only when the clearance is high enough for the label and a need-to-know exists. The defining trait is that an ordinary user cannot change a label or grant access to anyone else, because the decision belongs to the system, not the owner.
Trap Assuming an owner can grant an exception or relabel data under MAC; only the system decides, so users have no discretion to override the policy.
- RBAC grants access by job role, not by individual identity
Role-based access control (RBAC) attaches permissions to roles such as Nurse, Cashier, or Database Administrator, and a user receives those permissions by being assigned to the role. When someone changes jobs you move them to a new role instead of editing dozens of individual grants, so RBAC scales cleanly and maps naturally onto least privilege. An administrator, not the end user, defines the roles.
Trap Saying RBAC lets each user set their own permissions; that is DAC owner-discretion, while RBAC access comes only through administrator-defined role membership.
16 questions test this
- In a role-based access control (RBAC) system, how do users receive their permissions?
- In a role-based access control (RBAC) system, what determines a user's access permissions?
- An organization assigns access permissions to employees based on their job functions defined in the human resources system. What type of…
- Which characteristic BEST describes how access decisions are made in a Role-Based Access Control (RBAC) system?
- In a role-based access control (RBAC) system, what is the primary relationship that simplifies security administration?
- In a role-based access control (RBAC) system, what is the PRIMARY method by which users acquire permissions?
- A user was recently transferred from the sales department to the engineering department. The user can still access sales files but cannot…
- In a role-based access control (RBAC) system, how do users obtain access permissions to resources?
- How does role-based access control (RBAC) support the principle of least privilege?
- In a Role-Based Access Control (RBAC) system, permissions are assigned directly to which element?
- What is a PRIMARY advantage of using Role-Based Access Control compared to assigning permissions directly to individual users?
- An organization is implementing RBAC and needs to define roles. Which approach represents the correct relationship between users, roles,…
- In a role-based access control (RBAC) system, how are permissions assigned to users?
- In RBAC, which mechanism ensures that a user who is assigned to the role of Accounts Payable Clerk cannot also be assigned to the role of…
- In RBAC, what mechanism is commonly used to enforce separation of duties between conflicting job functions?
- When an employee changes positions within an organization using RBAC, what is the MOST appropriate access management action?
- Choose the model by trading flexibility against control
DAC is the most flexible but hardest to control centrally, MAC is the most rigid and uniformly enforced, and RBAC sits in the middle as the scalable, administrator-controlled choice. Pick MAC when access must be tightly and uniformly controlled for classified or highly sensitive data, RBAC when many users map cleanly onto well-defined jobs, and DAC when owners should conveniently share their own resources.
Trap Calling MAC the most flexible model; MAC is the most rigid by design, while DAC is the most flexible because owners control sharing.
- MAC fits classified and government systems; RBAC fits ordinary businesses
MAC is used in military, government, and intelligence systems where confidentiality must be guaranteed and individual discretion is too risky to allow. RBAC is the common choice for hospitals, banks, and large enterprises because access maps onto job functions and scales without per-user editing. DAC suits personal computers, shared drives, and most commercial operating systems where convenience matters more than tight central control.
- A model alone does not enforce the principles; apply least privilege and separation of duties on top
Choosing DAC, MAC, or RBAC decides who writes the access rule, but it does not by itself guarantee that the rule grants only what each task needs or that sensitive processes are split. Least privilege and separation of duties are principles applied on top of whichever model is in force. A system can run RBAC and still over-grant if its roles bundle more access than the job requires.
- An ACL lists which identities may access a resource and what they may do, one access control entry per identity
An access control list (ACL) is a mechanism attached to a resource that enumerates the identities permitted or denied access along with their specific rights (read, write, execute). Each individual line is an access control entry (ACE), which names one trustee (user or group) and the operations allowed, denied, or audited for it.
Trap Treating the ACL as the single entry rather than the whole list; the ACE is the per-identity line inside the ACL.
13 questions test this
- An access control list (ACL) is a mechanism that implements access control by associating which of the following with a system resource?
- When configuring ACL permissions for a file, what is the purpose of specifying read, write, and execute operations?
- Which of the following best describes an access control list (ACL)?
- What information does an individual entry in an access control list (ACL) specify?
- What is the primary function of an Access Control Entry (ACE) within an access control list?
- In identity-based access control systems using ACLs, what must happen for a subject to be granted access to an object?
- An access control list (ACL) is comprised of individual entries that specify access rights. What is each of these individual entries called?
- A mechanism that implements access control for a system resource by listing the identities permitted or denied access is known as a(n)…
- An administrator needs to determine which users can read, write, or modify a file on a Windows server. Which security component should the…
- An access control list (ACL) is best described as which of the following?
- A mechanism that specifies which users or groups have been granted or denied access to a specific system resource.
- What does an access control list (ACL) contain?
- An access control list (ACL) is made up of individual entries that specify permissions for specific users or groups. What are these…
- In Windows a DACL decides who gets access; a SACL decides whose access attempts get logged
A Windows security descriptor holds two ACL types: the Discretionary Access Control List (DACL) lists the trustees allowed or denied access, while the System Access Control List (SACL) tells the system which access attempts to record in the security event log. Configure the SACL when the goal is auditing access rather than granting it.
Trap Reaching for a DACL to capture an audit trail of access attempts; auditing is the SACL's job.
8 questions test this
- In Windows security architecture, what is the primary function of a System Access Control List (SACL)?
- In the context of discretionary access control (DAC), what are the two common types of Access Control Lists (ACLs) used to manage and…
- In Windows security, which pair correctly identifies the two main types of Access Control Lists (ACLs) found in a security descriptor?
- In Windows environments, what is the difference between a Discretionary Access Control List (DACL) and a System Access Control List (SACL)?
- An organization needs to track and audit which users attempted to access sensitive financial files, regardless of whether the access was…
- An administrator needs to determine which users can read, write, or modify a file on a Windows server. Which security component should the…
- What is the primary purpose of a System Access Control List (SACL)?
- In Windows operating systems, which type of access control list identifies which users and groups are allowed or denied access to a…
- An empty DACL denies everyone; a missing (NULL) DACL grants everyone full access
An empty DACL contains no entries, so no access is granted and the system denies all requests. A NULL DACL (no DACL assigned at all) is the opposite and dangerous default: the object has no protection, so everyone gets full access. The same logic applies to ACLs generally: if no entry grants the request, access is denied.
Trap Assuming an empty DACL and a NULL DACL behave the same; the empty one locks everyone out, the missing one lets everyone in.
7 questions test this
- In a discretionary access control (DAC) system, what happens when an object's access control list contains no entries?
- In Windows, what happens when a securable object has no discretionary access control list (DACL) assigned to it?
- What happens when a protected object has a Discretionary Access Control List (DACL) that contains no access control entries?
- What happens when a Windows object has a Discretionary Access Control List (DACL) that contains no access control entries?
- An administrator notices that an object on the system has no discretionary access control list (DACL) assigned to it. What is the result of…
- A system administrator creates a new file but does not configure any access control entries in the discretionary access control list…
- A security administrator discovers that a Windows file has no discretionary access control list (DACL) configured. What is the security…
- Anything not explicitly allowed is denied by default (implicit deny)
Implicit deny, also called default deny, means a request that matches no rule granting it is automatically blocked. It is the safe default for ACLs, firewall rules, and file permissions: access is granted only when a rule explicitly permits it, so a missing entry results in denial.
Trap Expecting traffic or a subject to pass because no rule explicitly blocks it; with implicit deny the absence of an allow rule is itself the block.
9 questions test this
- In a discretionary access control (DAC) system, what happens when an object's access control list contains no entries?
- An organization needs to implement a permission model where access is granted only if it is explicitly specified in the access control…
- An administrator configures an ACL on a shared folder that grants read access only to the Accounting group. A user who belongs to the Sales…
- A security administrator is configuring firewall rules for network traffic. When traffic does not match any rule in the access control…
- What happens when a protected object has a Discretionary Access Control List (DACL) that contains no access control entries?
- What happens when a Windows object has a Discretionary Access Control List (DACL) that contains no access control entries?
- In identity-based access control systems using ACLs, what must happen for a subject to be granted access to an object?
- A system administrator creates a new file but does not configure any access control entries in the discretionary access control list…
- When an access control list has no rule that matches an incoming request, what typically happens?
- MFA requires factors from two different categories: something you know, have, or are
Multi-factor authentication combines factors from at least two of the three categories: something you know (password, PIN), something you have (token, badge, phone), and something you are (biometric). The point is that compromising one category does not give an attacker the others, so the factors must be of different kinds.
Trap Counting a password plus a PIN (or password plus a security question) as MFA; both are "something you know," so it is still one factor category.
19 questions test this
- A user logs into an application using a fingerprint scan on their smartphone, which then generates a one-time code. What type of…
- Which combination represents a valid implementation of multi-factor authentication (MFA)?
- What is the primary purpose of implementing multi-factor authentication (MFA)?
- An organization wants to implement MFA for employee access. Which combination represents true multi-factor authentication?
- An organization implements authentication requiring users to enter a password AND a PIN code. Is this considered multi-factor…
- What are the three authentication factors used in multi-factor authentication?
- An organization wants to implement multi-factor authentication. A user logs in with a password and then enters a PIN. Does this…
- A hardware token that generates a six-digit code every 60 seconds represents which authentication factor?
- Which authentication scenario demonstrates the proper implementation of two-factor authentication?
- A user authenticates to a corporate system using their password and then receives a one-time code on their registered smartphone. Which…
- A security administrator needs to implement stronger authentication for remote access to critical systems. Which combination represents…
- Which statement accurately describes the role of biometrics in authentication according to security best practices?
- Which of the following is classified as a 'something you have' authentication factor?
- A data center requires employees to both present their badge AND enter a PIN code at the card reader to gain entry. Which security concept…
- A security administrator is implementing multi-factor authentication for a corporate application. Which combination provides true…
- An organization is implementing multi-factor authentication. Which combination represents factors from two DIFFERENT categories?
- A security administrator is implementing multi-factor authentication. Which combination represents TRUE multi-factor authentication?
- When a user presents an access badge to a reader to enter a secured facility, what authentication factor is primarily being used?
- Which of the following represents a valid multi-factor authentication implementation?
- Modern NIST guidance favors long passwords over forced complexity and drops scheduled expiration
NIST SP 800-63B treats length as the primary driver of password strength and advises against mandatory composition rules, because complexity requirements push users toward predictable patterns. It also recommends against fixed periodic password changes, requiring a change only when there is evidence of compromise.
Trap Mandating character-mix rules and a routine 90-day reset; current guidance calls for length instead and changes only on evidence of compromise.
6 questions test this
- According to current NIST password guidelines, what is the recommended approach to password complexity?
- According to current security guidance, what is the recommended approach to password expiration policies?
- When should organizations require users to change their passwords according to modern security guidelines?
- According to current password security best practices, what is more important than requiring complex character combinations in passwords?
- According to current password security guidelines, what is the PRIMARY factor that determines password strength?
- According to current NIST guidelines for password management, which practice is now recommended against?
- Store passwords salted and hashed so a stolen database resists offline cracking
Passwords should be stored using a one-way hash with a unique random salt per password, never in plaintext or reversible form. The salt makes identical passwords hash differently and defeats precomputed rainbow tables, while a deliberately slow hashing scheme makes brute-force guessing of a stolen hash database expensive.
Trap Relying on hashing alone without a per-password salt; without salt, identical passwords share a hash and rainbow tables still work.
5 questions test this
- How should passwords be stored in authentication systems to protect against offline attacks?
- What security measure should organizations implement to protect stored passwords from offline attacks?
- What is the PRIMARY purpose of salting passwords before hashing them for storage?
- An organization stores passwords using a one-way mathematical function combined with a random value unique to each password. What security…
- What is the primary security benefit of requiring passwords to be salted and hashed before storage?
- End sessions with an idle timeout, an absolute timeout, and an easy logout
An idle (inactivity) timeout ends a session after a period of no activity, limiting the risk of an unattended workstation being hijacked, while an absolute (overall) timeout caps total session length regardless of activity. Applications should also give users a readily accessible logout to terminate a session on demand.
Trap Confusing the idle timeout with the absolute timeout; the idle one triggers on inactivity, the absolute one fires after a fixed duration even on an active session.
8 questions test this
- According to security best practices, what should a web application provide to users regarding session termination?
- What is the PRIMARY purpose of implementing an idle session timeout control?
- What is the PRIMARY purpose of implementing an idle session timeout as part of system hardening?
- What is the PRIMARY security purpose of implementing an idle session timeout?
- According to NIST guidelines, what are the two types of session timeouts used in session management?
- A web application allows users to log in but does not provide a logout button. Which security vulnerability does this create?
- Which session management control should be implemented to address the risk of a user leaving their workstation without logging out?
- Which of the following BEST describes the difference between an idle timeout and an absolute timeout in session management?
- Enforce authentication and session timeouts server-side where the client cannot tamper with them
Session timeout, expiration, and authentication enforcement must live on the server, not the client. If timing or authorization is tracked in client-controlled data such as cookies, an attacker can manipulate it to extend a session indefinitely, so security controls belong where the user cannot reach them.
Trap Trusting client-side cookie values to enforce session timeout; an attacker edits them, so the server must track inactivity itself.
6 questions test this
- Where should session timeout controls be enforced to ensure they cannot be bypassed by attackers?
- To prevent attackers from bypassing security controls, where should authentication and session enforcement mechanisms be implemented?
- Where should security controls like session timeouts be enforced for maximum security?
- Which component should enforce session timeout settings to prevent manipulation by attackers?
- Where should session timeout management and expiration be primarily enforced?
- Where should session timeout management and expiration controls be enforced?
- Review access periodically and on every role change to stop privilege creep
Privilege creep is the gradual accumulation of access rights beyond what a user's current job needs, typically when someone changes roles but keeps old permissions. Counter it with periodic (regular) access reviews plus event-driven reviews triggered by transfers, removing rights that are no longer required to keep least privilege intact.
Trap Granting new access on a role change without removing the old; keeping both is exactly how privilege creep accumulates.
9 questions test this
- How often should organizations conduct access reviews to effectively maintain the principle of least privilege in an RBAC environment?
- An organization notices that employees who have changed roles multiple times retain access from all their previous positions. What security…
- Which practice is MOST important for maintaining effective privilege management over time?
- What security risk occurs when users accumulate access permissions over time that exceed their current job requirements?
- What security concern occurs when employees change roles within an organization but retain their previously assigned privileges in addition…
- Which process should be performed when an employee transfers to a different department within the same organization?
- What is the BEST practice for maintaining the principle of least privilege in an RBAC environment over time?
- What is 'privilege creep' in the context of user account management?
- What is the term used to describe the gradual accumulation of access rights beyond what a user needs for their assigned job functions?
- Disable a leaver's access immediately so no orphan accounts remain
When an employee is terminated, the first and most critical step is to immediately disable or revoke all of their access, ideally driven by an HR-initiated lifecycle event. Accounts left active after someone departs become orphan accounts that former staff, contractors, or attackers can still use to reach internal systems and data.
Trap Deleting the leaver's data or escalating to legal before cutting access; revoking the credentials comes first to close the window for unauthorized entry.
10 questions test this
- When a terminated employee's badge is returned to Human Resources, what action should the electronic access control system administrator…
- When an employee is terminated from an organization, what is the MOST important immediate action regarding their physical access badge?
- What is the MOST significant security risk when employees are not promptly de-provisioned from company systems after leaving the…
- What is the PRIMARY security risk associated with orphan accounts in an organization's systems?
- When an employee is terminated from an organization, which action should be performed FIRST regarding their user account?
- When an employee leaves an organization, what is the PRIMARY security concern if the user account is not properly de-provisioned?
- When an employee is terminated from an organization, what is the MOST critical first step in the de-provisioning process?
- When an employee leaves an organization, what is the MOST critical immediate action regarding their user account?
- Which security principle is MOST directly supported by the timely de-provisioning of user accounts when employees leave an organization?
- When an employee is terminated, what is the MOST critical immediate security action regarding their user account?
- RBAC grants access by role so administration scales, and senior roles can inherit junior permissions
Role-Based Access Control assigns permissions to roles and users to roles, so admins manage stable roles instead of editing each user individually, which is its main advantage at scale. A role hierarchy lets senior roles automatically inherit the permissions of junior roles, further reducing duplication.
Trap Assigning permissions directly to each individual user; that does not scale and is the very overhead RBAC's role layer removes.
3 questions test this
- Which RBAC concept allows senior roles to automatically acquire the permissions of junior roles?
- What is a PRIMARY advantage of using Role-Based Access Control compared to assigning permissions directly to individual users?
- When an employee changes positions within an organization using RBAC, what is the MOST appropriate access management action?
Network Security
Computer Networking
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Know the OSI seven layers in order, both directions
The OSI (Open Systems Interconnection) model has seven layers, from the bottom up: 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application. A common mnemonic for layer 7 down to 1 is "All People Seem To Need Data Processing". Exam questions ask you to place a function or device at the right layer, so the order and each layer's job are the core facts to memorize.
- OSI maps onto TCP/IP's four layers by a fixed rule
TCP/IP is the four-layer model the internet actually runs on, and it maps onto OSI predictably: Link = OSI layers 1 to 2, Internet = OSI layer 3, Transport = OSI layer 4, and Application = OSI layers 5 to 7. The two models do not disagree; TCP/IP just groups OSI's top three layers into one Application layer and its bottom two into one Link layer. Questions often give an OSI layer and ask for the matching TCP/IP layer, or the reverse.
Trap Assuming TCP/IP has a separate Session or Presentation layer; those OSI layers (5 and 6) are folded into the single TCP/IP Application layer.
- IP and routing live at OSI Layer 3 (Network)
The Network layer (OSI layer 3) handles logical addressing and routing between networks, which is where IP operates and where routers do their work. When a stem asks at which layer a router operates or where IP addressing happens, the answer is layer 3. IPsec, which protects IP packets, also operates at this layer.
Trap Placing a router at OSI layer 2; switches and MAC addressing are layer 2, while routing and IP are layer 3.
11 questions test this
- A router makes forwarding decisions based on which type of address?
- What is required for devices on different VLANs to communicate with each other?
- Devices on one VLAN cannot communicate directly with devices on a different VLAN. What additional network component is required to enable…
- An organization wants to connect multiple separate networks and route traffic between them using IP addresses. Which device should they…
- An organization needs to connect two separate IP networks and enable communication between devices on different subnets. Which device…
- What is the PRIMARY function of a router in network infrastructure?
- An organization needs to connect two separate networks with different IP address ranges. Which network device is specifically designed for…
- Devices on two different VLANs need to communicate with each other. What is required to enable this inter-VLAN communication?
- Which OSI model layer does a router primarily operate at when making forwarding decisions?
- Which network device operates at Layer 3 of the OSI model and uses IP addresses to determine the best path for forwarding data between…
- A network administrator needs a device that can connect two separate networks and forward packets based on destination IP addresses. Which…
- Switches and MAC addresses operate at Layer 2 (Data Link)
The Data Link layer (OSI layer 2) moves frames across a single local link and uses hardware MAC (Media Access Control) addresses to identify devices on that link. Ethernet switches and VLANs operate here. A MAC address is the physical hardware address burned into a network interface, distinct from the logical IP address assigned at layer 3.
Trap Confusing a MAC address (layer 2 hardware address) with an IP address (layer 3 logical address); the two identify a device at different layers.
6 questions test this
- At which layer of the OSI model does a network switch primarily operate?
- What does a network switch use to forward frames to the correct destination port?
- What is the PRIMARY security advantage of using a switch instead of a hub on a network?
- Which network device operates at Layer 2 of the OSI model and forwards frames based on MAC addresses?
- Which type of address does a network switch use to forward data frames to the appropriate destination port?
- How does a hub differ from a switch in handling network traffic?
- TCP and UDP carry data at Layer 4 (Transport) using ports
The Transport layer (OSI layer 4) delivers data end to end between hosts and uses port numbers to direct it to the right service. TCP and UDP are the layer 4 protocols. When a question is about ports, end-to-end delivery, or TCP versus UDP, the layer is 4.
- An IP address identifies the host; a port identifies the service
Keep the two roles separate: an IP address says which machine, and a port number says which application or service on that machine. This is why one server with a single IP can run web, email, and remote-login services at the same time, each listening on its own port. A question asking how one server offers many services at once is about ports, not addresses.
Trap Answering a one-server-many-services question with multiple IP addresses; the services are separated by port number, not by address.
- IPv4 addresses are 32 bits long
An IPv4 address is 32 bits, written as four decimal numbers from 0 to 255 separated by dots, such as 203.0.113.5. Thirty-two bits gives about 4.3 billion possible addresses, a supply the world has effectively exhausted. The 32-bit figure is the single most testable IPv4 fact.
Trap Stating IPv4 is 128 bits; 128 bits is IPv6. IPv4 is 32 bits.
10 questions test this
- What is the bit length of an IPv4 address?
- What was a primary reason for developing IPv6 to replace IPv4?
- What is the primary advantage of IPv6 over IPv4 regarding address space?
- Which statement accurately describes the format of an IPv4 address?
- How is an IPv4 address structured?
- Which characteristic distinguishes IPv6 addressing from IPv4 addressing?
- What is a primary reason organizations are transitioning from IPv4 to IPv6?
- What is the primary reason IPv6 was developed to replace IPv4?
- How does the format of an IPv6 address differ from an IPv4 address?
- What is the primary advantage of IPv6 over IPv4 that addresses the limitation of internet growth?
- IPv6 addresses are 128 bits long and solve IPv4 exhaustion
IPv6 was created because IPv4's address space ran out, and its addresses are 128 bits long, written as eight groups of hexadecimal separated by colons, such as 2001:db8::1. One hundred twenty-eight bits gives roughly 3.4 x 10^38 addresses, so exhaustion is no longer a practical concern. Remember 128 bits for IPv6 versus 32 bits for IPv4; questions like to swap the two numbers.
Trap Stating IPv6 is 64 bits or 32 bits; an IPv6 address is 128 bits.
10 questions test this
- What was a primary reason for developing IPv6 to replace IPv4?
- How are IPv6 addresses typically represented in text format?
- What is the primary advantage of IPv6 over IPv4 regarding address space?
- Which characteristic distinguishes IPv6 addressing from IPv4 addressing?
- What is a primary reason organizations are transitioning from IPv4 to IPv6?
- What is the primary reason IPv6 was developed to replace IPv4?
- Which address format uses 128 bits and is represented by eight groups of hexadecimal digits separated by colons?
- How does the format of an IPv6 address differ from an IPv4 address?
- How is an IPv6 address typically represented?
- What is the primary advantage of IPv6 over IPv4 that addresses the limitation of internet growth?
- Ports 0 to 1023 are the well-known (system) ports
A port number is 16 bits, so the full range is 0 to 65535, and the lowest block, ports 0 to 1023, are the well-known or system ports reserved by IANA for standard internet services. The well-known set is where the named protocols a candidate must recognize, like HTTP and HTTPS, live. Higher ports are registered or dynamic and are not the focus of CC recall.
4 questions test this
- Which range of TCP/UDP ports are classified as 'well-known ports' and typically require administrative privileges to use?
- Which range of ports is known as the 'well-known ports' or 'system ports' that are typically reserved for privileged services?
- Port numbers ranging from 0 to 1023 are classified into which category by the Internet Assigned Numbers Authority (IANA)?
- Which range of port numbers are known as 'well-known ports' assigned by IANA for standard services?
- HTTP is port 80; HTTPS is port 443
Web traffic uses HTTP on port 80 in cleartext and HTTPS on port 443 encrypted with TLS. The pair is a favorite exam contrast: the secure version runs on a different well-known port from the cleartext version. If a question asks which port carries encrypted web traffic, the answer is 443.
Trap Answering 80 for encrypted web traffic; port 80 is cleartext HTTP, while HTTPS (TLS-encrypted) is port 443.
8 questions test this
- An organization wants to secure web traffic between users and its public web server. Which port should be allowed through the firewall to…
- A firewall administrator needs to allow web servers to serve encrypted content to external users. Which port should be opened on the…
- A security team is configuring a firewall to allow secure web traffic. Which port should be opened to permit HTTPS connections?
- A security analyst notices outbound traffic from an internal server to an external host on port 443. What type of traffic is this port…
- A security analyst reviewing firewall logs notices traffic on port 443. Which service is MOST likely associated with this port?
- Which protocol and port combination provides encrypted web communications?
- A security team is configuring firewall rules for a web server that should only serve encrypted web content. Which port should be ALLOWED…
- An organization wants to ensure secure web communications for its e-commerce site. Which TCP port should be allowed through the firewall…
- SSH is port 22; it replaces cleartext Telnet on port 23
SSH (Secure Shell) provides encrypted remote command-line access and file transfer on port 22, and it is the secure replacement for Telnet, which runs in cleartext on port 23. Telnet sends credentials and commands unencrypted, so it should not be used over untrusted networks. When a stem contrasts secure and insecure remote login, the ports 22 and 23 are the tell.
Trap Choosing Telnet (port 23) for secure remote administration; Telnet is cleartext, and SSH on port 22 is the encrypted choice.
13 questions test this
- Which of the following port and protocol combinations represents an UNENCRYPTED service that poses security risks when used over untrusted…
- An organization wants to replace an insecure protocol used for remote administration. Which protocol pair shows an INSECURE protocol and…
- During a security assessment, a penetration tester identifies that port 22 is open on a server. Which service is MOST likely running on…
- A security analyst notices traffic on TCP port 22 during network monitoring. Which service is MOST likely generating this traffic?
- A security team wants to block insecure remote management protocols in the firewall. Which port should they block to prevent unencrypted…
- During a security audit, an analyst discovers that a server is accepting connections on port 23. What security concern does this represent?
- A security analyst is reviewing firewall rules and sees traffic allowed on port 22. Which service uses this port and why is it considered…
- During a security assessment, a firewall administrator notices unexpected traffic on port 23. From a security perspective, what concern…
- A security analyst discovers that administrators are using Telnet to manage network devices. What is the PRIMARY security concern with this…
- A security analyst notices unexpected traffic on TCP port 23 on a server. Which protocol is likely being used, and why is this a security…
- Which TCP port is used by SSH (Secure Shell) for secure remote access to servers?
- A security analyst reviews firewall logs and notices traffic on TCP port 22. Which protocol is most likely being used on this port?
- A security analyst discovers that an administrator has been using Telnet to remotely manage network devices. Which security risk does this…
- FTP uses ports 20 and 21
FTP (File Transfer Protocol) transfers files using two ports: port 21 carries the control connection (commands) and port 20 carries the data. Plain FTP is unencrypted, so secure alternatives like SFTP (over SSH, port 22) or FTPS are preferred for sensitive transfers. The two-port pattern, 20 for data and 21 for control, is a recall point.
- SMTP is port 25 and DNS is port 53
SMTP (Simple Mail Transfer Protocol) sends email between mail servers on port 25, and DNS (Domain Name System) resolves names like example.com into IP addresses on port 53. Both are well-known ports a candidate is expected to recognize by number. DNS is the service that lets people use names instead of memorizing numeric addresses.
3 questions test this
- Which port is used by DNS services to resolve domain names to IP addresses?
- A security analyst notices traffic on port 53 during network monitoring. Which service is most likely associated with this traffic?
- A network administrator needs to allow DNS traffic through the firewall. Which port and protocol combination should be configured?
- RDP is port 3389
RDP (Remote Desktop Protocol) gives remote graphical access to Windows systems on port 3389. Because RDP exposed to the internet is a frequent attack target, it should be restricted to a VPN or trusted network rather than opened publicly. The number 3389 is the one to recall for remote desktop.
- The secure protocol usually runs on a different port from the cleartext one
When a question pairs an insecure protocol with its secure counterpart, the port number is often the distinguishing clue: HTTP 80 versus HTTPS 443, and Telnet 23 versus SSH 22. Recognizing the pair lets you pick the encrypted option by its port. The secure choice is the encrypted protocol, and it listens on its own well-known port.
5 questions test this
- An organization wants to secure web traffic between users and its public web server. Which port should be allowed through the firewall to…
- Which of the following port and protocol combinations represents an UNENCRYPTED service that poses security risks when used over untrusted…
- An organization wants to replace an insecure protocol used for remote administration. Which protocol pair shows an INSECURE protocol and…
- A security team wants to block insecure remote management protocols in the firewall. Which port should they block to prevent unencrypted…
- A security analyst is reviewing firewall rules and sees traffic allowed on port 22. Which service uses this port and why is it considered…
- Private IP ranges are not routed on the public internet
Public IP addresses are globally unique and routable on the open internet, while private IPv4 ranges (such as 10.x.x.x and 192.168.x.x) are reused inside many separate internal networks and are not routed across the internet. Reusing private ranges behind translation is part of how IPv4 stretched its limited supply. A host with only a private address cannot be reached directly from the internet.
5 questions test this
- Which IP address range is designated as private and NOT routable on the public internet?
- Which IP address range is designated as private address space according to RFC 1918 and cannot be routed on the public internet?
- Which address range is designated for private IPv4 networks that are not routable on the public internet?
- Which address range is designated as private IPv4 address space according to RFC 1918?
- Which of the following correctly identifies the three private IPv4 address ranges defined in RFC 1918?
- WiFi is the IEEE 802.11 wireless LAN family, and it is broadcast
WiFi refers to the IEEE 802.11 family of wireless LAN standards, which carry data over radio. Because the signal travels through the air, anyone within range can capture it, so encryption on the wireless link is essential rather than optional. This broadcast nature is the reason wireless security gets special attention.
- Secure WiFi with WPA3 or WPA2, never WEP
The WiFi encryption standards arrived in order, and only the newest are safe: WPA3 (WiFi Protected Access 3) is the current and strongest standard, WPA2 is still acceptable, and WEP (Wired Equivalent Privacy) is thoroughly broken and must never be selected. For CC, choose WPA3 if available, otherwise WPA2, and reject WEP outright. A stem asking how to secure a new wireless network is testing this choice.
Trap Selecting WEP because it is listed as an encryption option; WEP is broken and offers no real protection, so WPA3 or WPA2 is the correct choice.
- Treat an open WiFi network as untrusted
An open wireless network with no encryption, such as a public coffee-shop hotspot, gives no link protection, so any traffic on it can be intercepted. Treat it as untrusted and protect sensitive traffic with its own layer on top, such as a VPN tunnel or HTTPS. The wireless link being open does not encrypt your data; only an added layer does.
Trap Assuming an open hotspot is safe as long as the site uses HTTPS for everything; the open link still exposes any unencrypted traffic, so a VPN or per-session encryption is needed.
- TLS encryption sits around OSI layers 5 to 6, not the Transport layer
Despite the name Transport Layer Security, TLS encrypts an application session and conceptually sits around OSI layers 5 to 6 (it secures the data the application sends). The OSI Transport layer (4) is about end-to-end delivery with TCP and UDP and ports, not encryption. Do not equate the OSI Transport layer with transport-layer security; they are different ideas.
Trap Treating the OSI Transport layer (4) as the encryption layer because of the name TLS; layer 4 handles delivery and ports, while TLS protects the application session.
- Categorize a networking question by where, who, what service, or how protected
A reliable habit on any networking item is to first decide whether the stem asks about where a function sits (a layer), who a host is (an IP address), what service is involved (a port), or how traffic is protected (encryption like WPA3 or TLS). Naming the category first keeps you from answering a port question with a layer fact, which is exactly the mismatch that distractors exploit.
- A LAN is small, fast, and locally owned; a WAN connects LANs across distance more slowly
A Local Area Network covers a confined area such as a building or campus, is usually owned and managed by one organization, and offers the highest data-transfer speeds. A Wide Area Network spans cities or countries and interconnects multiple LANs over long distances, so it serves more users with greater geographic reach but typically lower speed and higher latency; LANs are the building blocks a WAN ties together, and the internet is the largest WAN.
Trap Expecting a WAN to be faster than a LAN; its long-distance links raise propagation delay and lower throughput.
11 questions test this
- What is the primary function of a Wide Area Network (WAN)?
- What is the relationship between LANs and WANs in enterprise network architecture?
- Which network type is designed to connect devices within a geographically limited area such as a single building or campus?
- Which network architecture type typically provides the HIGHEST data transfer speeds?
- Which characteristic is typically associated with a LAN compared to a WAN?
- An organization needs to connect its branch offices located in different countries to share resources and communicate. Which network type…
- What is the relationship between Local Area Networks and Wide Area Networks?
- Which characteristic accurately describes the relationship between LANs and WANs in network architecture?
- Which characteristic BEST distinguishes a Wide Area Network (WAN) from a Local Area Network (LAN)?
- Which characteristic is typically associated with a Wide Area Network compared to a Local Area Network?
- What is a primary characteristic that distinguishes a WAN from a LAN in terms of network performance?
- A hub blindly broadcasts to all ports; a switch forwards by MAC to one port
A hub is a Layer 1 device that repeats incoming data out every other port, so all stations share one collision domain and can see each other's traffic. A switch is a Layer 2 device that reads the destination MAC address and uses its MAC address table to forward a frame only to the correct port, giving each port its own collision domain. A router is the Layer 3 device that connects networks with different IP ranges and contains broadcast traffic.
Trap Treating a hub as a secure equivalent of a switch, when its broadcast-to-all behavior lets any attached host sniff the segment.
6 questions test this
- What is the PRIMARY security advantage of using a switch instead of a hub on a network?
- Which network device operates at Layer 2 of the OSI model and forwards frames based on MAC addresses?
- When a hub receives data on one of its ports, what action does it take?
- What is a key security advantage of using a switch instead of a hub on a network?
- How does a hub differ from a switch in handling network traffic?
- What security benefit do routers provide by separating networks into distinct segments?
- DNS uses UDP 53 for normal queries and TCP 53 for large responses and zone transfers
DNS runs on port 53 over both transports: standard name-resolution queries use UDP 53 because it is fast and low-overhead, while TCP 53 handles responses larger than 512 bytes and zone transfers between servers, where reliable delivery matters.
Trap Opening only UDP 53 on a firewall and breaking zone transfers and oversized responses that need TCP 53.
5 questions test this
- A security administrator needs to configure firewall rules for DNS traffic. Which statement about DNS port usage is correct?
- A network administrator needs to allow DNS traffic through a firewall. Which port and protocol combination is primarily used for standard…
- A network administrator is configuring firewall rules and needs to allow DNS traffic. Which port and protocol combination should be…
- Which statement accurately describes why DNS uses BOTH TCP and UDP on port 53?
- A network administrator needs to allow DNS traffic through the firewall. Which port and protocol combination should be configured?
- WPA3 replaces WPA2's PSK handshake with SAE to defeat offline dictionary attacks
WPA3-Personal uses Simultaneous Authentication of Equals (SAE), the dragonfly handshake, in place of WPA2's pre-shared-key four-way handshake. SAE requires live interaction with the network for each password guess, so an attacker who captures the handshake cannot run an offline dictionary attack against it even when the password is weak.
Trap Believing WPA3 is just a stronger password; its protection comes from the SAE handshake, not from key length.
5 questions test this
- Which security enhancement does WPA3 introduce to protect wireless networks against offline dictionary attacks?
- What authentication method does WPA3-Personal use to replace the Pre-Shared Key (PSK) exchange found in WPA2-Personal?
- Which wireless security protocol introduced Simultaneous Authentication of Equals (SAE) to replace the Pre-Shared Key (PSK) method?
- A security administrator is configuring wireless access points and wants to protect against offline dictionary attacks. Which…
- Which security benefit does the WPA3 SAE handshake provide that was not available with the WPA2-PSK four-way handshake?
- WPA3 forward secrecy keeps past captured traffic safe even if the password leaks later
Through SAE, WPA3 derives a unique session key for each connection, providing forward secrecy. If an attacker has been recording encrypted traffic and later obtains the network password, they still cannot decrypt the previously captured sessions because each used a separate key not derived from the password alone.
Trap Assuming a later password compromise exposes old WPA3 sessions, as it would under WPA2-PSK.
6 questions test this
- What is a primary security benefit that WPA3-Personal provides over WPA2-Personal?
- An organization discovers that an attacker has been capturing its encrypted wireless traffic for months. The organization recently…
- What security feature introduced in WPA3 provides protection by changing the encryption password each time a connection is established?
- Which capability of WPA3 ensures that previously captured encrypted wireless traffic cannot be decrypted even if the network password is…
- Which security benefit does the WPA3 SAE handshake provide that was not available with the WPA2-PSK four-way handshake?
- What security feature does WPA3 provide that prevents an attacker from decrypting previously captured wireless traffic if they later obtain…
- WPA3 mandates Protected Management Frames to stop forged deauth attacks
WPA3 requires Protected Management Frames (PMF), which authenticate and protect the integrity of wireless management frames. This blocks eavesdropping, replay, and forgery of management frames, including the spoofed deauthentication/disassociation frames an attacker uses to knock clients off the network.
4 questions test this
- What security feature does WPA3 mandate to protect wireless management frames from eavesdropping and forgery attacks?
- Which of the following is a mandatory security requirement in the WPA3 wireless security standard?
- What security feature in WPA3 protects wireless management frames from being forged or tampered with to prevent certain denial-of-service…
- Which feature, made mandatory in WPA3, protects wireless management frames from being forged by attackers to force clients to disconnect…
- WPA2/WPA3-Enterprise uses 802.1X with a RADIUS server to authenticate each user individually
Enterprise wireless mode runs the 802.1X framework against a central RADIUS authentication server so every user logs in with unique credentials rather than a shared password, giving centralized authentication, individual accountability, and dynamic keys. In 802.1X the wireless access point acts as the authenticator, relaying credentials between the client (supplicant) and the RADIUS server.
Trap Choosing WPA2/WPA3-Personal (a shared PSK) when the requirement is per-user credentials checked against a central server.
10 questions test this
- In an 802.1X wireless authentication architecture, which component acts as the authenticator that controls access to the network?
- An organization wants to verify each employee's unique identity before granting wireless network access using credentials checked against a…
- Which wireless security protocol is MOST appropriate for enterprise environments that require centralized authentication using a RADIUS…
- Which wireless security configuration requires users to authenticate through a centralized authentication server such as RADIUS?
- An organization requires wireless network authentication that verifies users through a centralized authentication server. Which mode should…
- A security administrator is configuring wireless security for an enterprise network that requires centralized user authentication through a…
- An organization wants each employee to use unique login credentials when connecting to the wireless network. Which wireless security…
- An organization wants to verify each wireless user individually through a centralized authentication server instead of using a shared…
- An organization requires that each wireless user be authenticated with individual credentials verified by a centralized server. Which…
- An organization wants to implement wireless security that requires users to authenticate against a centralized authentication server. Which…
- WPA2 should use AES-CCMP, not the legacy TKIP
AES, implemented as AES-CCMP with 128-bit keys, is the mandatory and strongest encryption for WPA2 and provides both confidentiality and integrity. TKIP was only a transitional fix for WEP-era hardware and relies on the weak RC4 cipher, so a WPA2 network running TKIP should be moved to AES.
Trap Leaving WPA2 on TKIP for compatibility, which keeps the weak RC4-based cipher instead of AES.
5 questions test this
- A security analyst notices that the organization's wireless network is configured to use WPA2 with TKIP encryption. What recommendation…
- An organization is configuring wireless access points and must choose between encryption protocols. Which encryption type should be…
- Which encryption protocol is recommended for WPA2 wireless networks to provide the strongest security?
- Which encryption standard does WPA2 use to secure wireless network traffic?
- Which encryption algorithm is mandated by the WPA2 standard for protecting wireless data transmissions?
Network Threats & Attacks
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network Infrastructure
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Operations
Data Security
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Hashing proves integrity; encryption protects confidentiality
Encryption and hashing solve opposite problems, and confusing them is the single most tested mistake in this topic. Encryption scrambles data so only a key holder can read it, serving confidentiality, and it is reversible. Hashing produces a one-way fingerprint that reveals whether data changed, serving integrity, and it is not reversible. A hash hides nothing because anyone can compute it, so it can never be the answer to a question about keeping data secret.
Trap Treating hashing as a form of encryption; a hash detects change but cannot conceal data, so it provides no confidentiality.
8 questions test this
- Which statement BEST describes the purpose of a hash function?
- Which technique is MOST commonly used to verify that backup data has not been corrupted or altered?
- Which technique is commonly used to verify that backup data has not been corrupted or modified?
- What distinguishes hashing from encryption?
- What is the PRIMARY purpose of using checksums when verifying backup data integrity?
- Which method is commonly used to verify the integrity of backup data to ensure it has not been corrupted or tampered with?
- What is the PRIMARY purpose of using checksums during backup operations?
- How does hashing differ from encryption?
- A hash is one-way and fixed-length, with no key
A hash function turns any input into a short fixed-length digest and cannot be run backward to recover the input, so it uses no key and reveals nothing about the content. Comparing a stored digest with a freshly computed one detects tampering, because changing even one character changes the whole digest. The standard families are SHA-2 and SHA-3 (NIST FIPS 180-4 and FIPS 202).
10 questions test this
- According to NIST guidelines, how should passwords be stored by an authentication system?
- Why should organizations store passwords using a salted hash rather than in plaintext?
- Which statement BEST describes the purpose of a hash function?
- Which technique is MOST commonly used to verify that backup data has not been corrupted or altered?
- Which technique is commonly used to verify that backup data has not been corrupted or modified?
- What distinguishes hashing from encryption?
- What is the PRIMARY purpose of using checksums when verifying backup data integrity?
- Which method is commonly used to verify the integrity of backup data to ensure it has not been corrupted or tampered with?
- What is the PRIMARY purpose of using checksums during backup operations?
- How does hashing differ from encryption?
Symmetric encryption uses the same secret key to encrypt and decrypt, which makes it fast and the right choice for bulk data like full disks, databases, and large files. Its weakness is key distribution: both parties must already share the secret key, and getting that key to the other side safely is the hard part. The standard symmetric algorithm is AES (NIST FIPS 197).
8 questions test this
- Which characteristic best describes symmetric encryption?
- An organization needs to efficiently encrypt a large volume of database records stored on disk. Which type of encryption is BEST suited for…
- Which cryptographic method is MOST suitable for encrypting large volumes of database records due to its speed and efficiency?
- Which type of encryption is most commonly used for encrypting data at rest in bulk storage, such as full-disk or database encryption?
- An organization needs to efficiently encrypt large volumes of data stored on its servers. Which type of encryption is best suited for this…
- What is a key characteristic of symmetric encryption?
- Which encryption method is MOST commonly used by database systems to protect large volumes of stored data at rest due to its processing…
- Which encryption method is MOST appropriate for encrypting large volumes of data stored in a database?
- Asymmetric encryption uses a public/private key pair to solve key exchange
Asymmetric (public-key) encryption uses a matched pair where what one key locks only the other can unlock. The public key can be shared with anyone; the private key stays secret. To send a confidential message you encrypt with the recipient's public key, and only their private key decrypts it, so two parties who never met can communicate without sharing a secret first. RSA is the classic asymmetric algorithm.
Trap Choosing asymmetric encryption to bulk-encrypt large data; it is much slower than symmetric and is meant for small data and key exchange, not the payload.
- Real systems combine asymmetric and symmetric encryption
Because asymmetric encryption is slow, practical systems do not choose one family over the other; they use slow asymmetric encryption once to safely exchange a fresh symmetric key, then switch to fast symmetric encryption for the actual data. This is the pattern behind TLS, which protects web data in transit. The takeaway is that asymmetric handles the key exchange and symmetric handles the bulk payload.
- Match each data state to its primary protection
Data exists in three states, and the exam expects you to pair each with its main control. Data at rest is stored and is protected by storage encryption plus access control. Data in transit is moving across a network and is protected by transport encryption such as TLS or IPsec. Data in use is loaded in memory being processed and is the hardest to protect because the processor traditionally needs cleartext, mitigated by runtime access control and memory hygiene.
3 questions test this
- Which type of encryption is BEST suited for protecting data stored on a laptop hard drive?
- Which term describes data that is stored on a device and is not actively being transferred across a network?
- Which type of encryption protects database files stored on disk from being read if physical media is stolen?
- Storage encryption mainly protects a lost or powered-off device
Full-disk and storage encryption defend data at rest against theft of a powered-off or lost device, but they are not a substitute for access control on a running system. Once an authorized user logs in and the volume is unlocked, the data is available to them in the clear, so an attacker who gets in as that logged-in user is not stopped by the encryption.
Trap Assuming disk encryption protects data on a running, logged-in machine; after the volume is unlocked the data is available, so access control still does the work.
- The data owner sets classification, and classification comes first
Classification assigns a sensitivity level (such as public, internal, confidential, restricted) based on the harm that disclosure or loss would cause. The data owner, a business role, decides the level, while the custodian (usually IT) only implements the resulting controls. Classify before anything else, because you cannot pick the right storage, access, retention, and destruction rules until you know how sensitive the data is.
Trap Assuming IT or the custodian decides the classification; the data owner sets it, and the custodian only implements the controls it requires.
6 questions test this
- What is the PRIMARY purpose of implementing a data classification scheme?
- What is the primary purpose of establishing a data classification policy?
- At what point in the data lifecycle should an organization first apply data classification?
- At what point in the data lifecycle should data first be classified?
- When should data first be classified according to an organization's data classification policy?
- What is the primary purpose of a data classification policy?
- Labeling carries the handling rules with the data
Once data is classified, it is labeled so its handling rules travel with it. A marking is the human-readable form, a stamp like 'Confidential' that a person reads and acts on; a label in the strict sense is machine-readable metadata that a system parses and enforces. Both ensure that everyone and every system touching the data knows how it must be handled.
8 questions test this
- What is the act of associating a data classification level with a specific piece of information called?
- What is the PRIMARY purpose of applying labels to data within a classification scheme?
- What is the primary function of applying labels to classified data in an information protection program?
- What does data labeling accomplish within a data classification program?
- What is the primary purpose of labeling data with classification levels?
- What is the purpose of labeling data assets in a classification program?
- What is the primary purpose of applying classification labels to an organization's data assets?
- What is the practice of applying visible or electronic markers to indicate the sensitivity level of information?
- Retention balances obligation against exposure, and a legal hold overrides it
Retention sets how long data is kept, driven by legal, regulatory, and business needs. Keeping data too long raises storage cost and breach exposure; deleting it too soon can break a compliance obligation. A legal hold is the sharp exception: it suspends the normal retention-and-destruction schedule for data tied to actual or anticipated litigation, and that data must be preserved until the hold is lifted even if its retention period has expired.
Trap Destroying data on its scheduled date while a legal hold is in force; the hold overrides the schedule and the data must be preserved until released.
8 questions test this
- What is the PRIMARY purpose of a data retention policy?
- An organization is developing a data retention policy. What is the PRIMARY purpose of defining specific retention periods for different…
- What does a data retention policy primarily define for an organization?
- An organization must decide how long to retain different categories of data. Which factor should be the PRIMARY consideration when setting…
- What is the PRIMARY security risk an organization faces when it retains data longer than the timeframe specified in its data retention…
- What is the MAIN security risk of retaining data beyond its required retention period?
- What is the PRIMARY purpose of establishing a data retention policy within an organization?
- What primarily determines how long an organization must retain specific categories of data?
- Deleting a file does not destroy the data
Pressing delete or quick-formatting a drive only removes the pointer to the data, leaving the underlying bits intact and recoverable, a problem called data remanence. Proper disposal requires sanitization that renders the data unrecoverable, not a logical delete. This is why media that held sensitive data must be sanitized before reuse or disposal.
Trap Treating a deleted file or quick-formatted drive as gone; data remanence leaves the bits recoverable until the media is actually sanitized.
3 questions test this
- Once the mandatory retention period for regulated data has expired, what is the BEST practice for an organization to follow?
- A company plans to donate old computers that previously stored sensitive customer data. Simply deleting files from the hard drives before…
- Hard drives containing sensitive customer data are being discarded without any form of sanitization. What risk does this practice MOST…
- Sanitization has three levels: clear, purge, destroy
NIST SP 800-88 defines three sanitization levels of rising assurance. Clear overwrites the data with normal commands and the media stays reusable. Purge renders recovery infeasible even with laboratory techniques, using methods like degaussing or cryptographic erase, and the media may still be reusable. Destroy physically wrecks the media by shredding, pulverizing, or incinerating so it can never store data again.
3 questions test this
- According to NIST SP 800-88, which media sanitization method results in the media being unable to store data afterward?
- An organization plans to reuse hard drives within the same department at the same classification level. Which sanitization method is most…
- An organization needs to quickly sanitize a large number of self-encrypting solid-state drives for reuse. Which sanitization technique…
- Choose the sanitization level from data sensitivity, not media type
The decision rule for sanitization is based on the confidentiality of the data, not the kind of media. Pick the level from how sensitive the data is and whether the media will be reused or leave your control: higher sensitivity and loss of control push toward purge or destroy. The media type only influences which technique implements the chosen level.
Trap Picking the sanitization method from the media type first; NIST keys the decision on data confidentiality, then the media type selects the technique.
- Degaussing only works on magnetic media
Degaussing uses a strong magnetic field to wipe magnetic media such as hard disks and tapes, and it usually leaves the drive inoperable. It does nothing to flash and solid-state drives because they are not magnetic, so an SSD that needs purging requires cryptographic erase or the device's built-in sanitize command, not a degausser. Cryptographic erase destroys the encryption key so only unrecoverable ciphertext remains.
Trap Reaching for degaussing to sanitize a solid-state drive; SSD and flash are not magnetic, so degaussing leaves the data intact.
5 questions test this
- Why is degaussing NOT an effective sanitization method for solid-state drives (SSDs)?
- What does the cryptographic erase (CE) sanitization technique primarily rely on to render data unrecoverable?
- Which sanitization technique renders data unrecoverable by securely destroying the encryption keys used to protect it?
- An organization needs to quickly sanitize a large number of self-encrypting solid-state drives for reuse. Which sanitization technique…
- What is the primary mechanism used in cryptographic erasure to sanitize data on encrypted storage media?
- Logging is the foundation of accountability
A log records security-relevant events as they happen: logins and failed logins, file and resource access, account and permission changes, and configuration changes. Logs are the raw material of accountability, the ability to trace an action back to the individual who performed it. This is why unique user accounts matter: with a shared account the logs prove an action happened but not who did it.
Trap Using shared accounts and relying on logs for accountability; the logs cannot attribute the action to a person, so accountability is lost.
- Monitoring is the active review of logs
Logging records events; monitoring is actively reviewing those records to catch problems while there is time to respond. Logs that pile up unread give you evidence to reconstruct an incident afterward but no early warning during it. In practice logs from many systems are centralized so they can be correlated and watched together, with alerts on suspicious patterns like repeated failed logins.
- Logging is a detective control, not a preventive one
Logging and monitoring tell you that something happened; they do not stop the event itself, so they are detective controls rather than preventive ones. A question asking how to detect misuse or suspicious activity points to logging and monitoring, while one asking how to prevent the event points to a different control. Logs are also a target: an attacker who can edit or delete them erases evidence, so logs should be protected and stored where they cannot be tampered with.
Trap Choosing logging to prevent an attack; logging detects and records but does not block the event, which needs a preventive control.
- A mixed document takes the classification of its most sensitive part
When one document, dataset, or report combines data of several classification levels, the whole asset is classified and handled at the highest (most sensitive) level present. This high-water-mark rule guarantees the most sensitive element still gets adequate protection rather than leaking under a lower label.
Trap Averaging the levels or labeling the document by the bulk of its (lower) content.
8 questions test this
- A report combines publicly available information with a small section of confidential data. How should the entire document be classified?
- A report contains data elements classified as 'Confidential' combined with data elements classified as 'Public.' How should the overall…
- A report combines publicly available market data with confidential customer records. How should the entire report be classified?
- A report contains a mix of public information and confidential customer records. How should the entire report be classified?
- A report contains both public marketing content and confidential employee records. How should this report be classified?
- A report contains both publicly available information and confidential trade secrets. Which classification level should be assigned to the…
- A report contains both publicly available market data and confidential employee records. What classification level should be applied to the…
- When data classified as 'Internal' is combined with data classified as 'Confidential' into a single report, how should the resulting report…
- Match control strength to data sensitivity, neither under- nor over-classifying
The point of classification is to apply controls proportional to a data item's sensitivity: public data needs little, highly confidential data needs strong controls. Over-classifying data is a real cost, not a safe default, because it forces expensive controls and restrictive handling onto low-risk information and ties up resources.
Trap Classifying everything at the highest level to be safe, ignoring the cost and lost business use it creates.
9 questions test this
- What is the PRIMARY purpose of implementing a data classification scheme?
- What is a significant risk of over-classifying data within an organization?
- What is the primary purpose of establishing a data classification policy?
- What is a likely consequence of broadly over-classifying large amounts of organizational data at the highest sensitivity level?
- How should the strength of security controls relate to data classification levels?
- What is the primary purpose of a data classification policy?
- What is the primary purpose of labeling data with classification levels?
- Which of the following is a risk of applying unnecessarily high classification levels to all organizational data?
- What is the primary purpose of assigning classification levels to data?
- Encryption is only as strong as the management of its keys
Cryptographic strength depends on key protection: compromise or loss of a key exposes or destroys all data it protected. Manage keys across their lifecycle by storing them separately from the data, using each key for a single purpose, rotating them, and securely destroying them at end of life; destroying the key (cryptographic erasure) also renders encrypted media unrecoverable.
Trap Reusing one key for multiple purposes or keeping it alongside the data it protects.
12 questions test this
- When a cryptographic key reaches the end of its operational life, what is the recommended action?
- An organization needs to securely dispose of cryptographic keys that have reached the end of their useful life. Which key management…
- What does the cryptographic erase (CE) sanitization technique primarily rely on to render data unrecoverable?
- According to key management best practices, why should a cryptographic key be limited to a single purpose?
- Which of the following is a BEST practice for managing encryption keys?
- What is the PRIMARY purpose of regularly rotating encryption keys?
- Which sanitization technique renders data unrecoverable by securely destroying the encryption keys used to protect it?
- Why is proper key management considered critical to the effectiveness of an encryption strategy?
- If a cryptographic key used for encryption is modified or corrupted, what is the MOST likely result?
- An organization needs to quickly sanitize a large number of self-encrypting solid-state drives for reuse. Which sanitization technique…
- According to NIST guidance, a single cryptographic key should ideally be used for which of the following?
- What is the primary mechanism used in cryptographic erasure to sanitize data on encrypted storage media?
System Hardening
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Policies
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Awareness Training
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.