CISSP Cheat Sheet
Security & Risk Management
Professional Ethics
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Concepts (CIA)
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The five pillars are CIA plus authenticity and nonrepudiation
Information security preserves five properties: confidentiality, integrity, and availability (the CIA triad) plus authenticity and nonrepudiation. CIA is the historic core codified in U.S. law and FIPS 200; (ISC)2 adds authenticity (data is genuine and its origin verifiable) and nonrepudiation (an actor cannot deny an action) as the fourth and fifth pillars. Each is a property to preserve, so a control earns its place only by strengthening one or more of them for a defined asset.
- Confidentiality preserves authorized restrictions on access and disclosure
Confidentiality is preserving authorized restrictions on information access and disclosure, explicitly including protecting personal privacy and proprietary information. It is preserved primarily by encryption (data at rest and in transit), access control, and data classification. The point is who is allowed to see the data, not whether the data is correct or reachable.
Trap Equating confidentiality with privacy, when privacy is the subset concerned specifically with personal data while confidentiality covers any restricted information.
- Integrity guards against improper modification and, in the federal sense, includes authenticity and nonrepudiation
Integrity is guarding against improper information modification or destruction; the FIPS 200 wording adds that it includes ensuring information nonrepudiation and authenticity. It is preserved by hashing (detects change), digital signatures (binds change to a signer), and change/version control. That nesting is why a single digital signature can satisfy integrity, authenticity, and nonrepudiation at once.
Trap Treating integrity as only 'data isn't changed' and forgetting the FIPS 200 definition folds authenticity and nonrepudiation inside it.
- Availability ensures timely and reliable access to information
Availability is ensuring timely and reliable access to and use of information. It is preserved by redundancy, backups, capacity planning, and denial-of-service defense. Its distinguishing trait is that it fights loss of access, not loss of secrecy, so a perfectly encrypted backup you cannot restore in time has failed availability while still serving confidentiality.
- Authenticity is the property of being genuine with verifiable origin
Authenticity is the property of being genuine and verifiable and trusted, confidence in the validity of a transmission, message, or originator. It answers 'did this truly come from the claimed source?' and is preserved by origin authentication: digital signatures, message authentication codes (MACs), certificates, and mutual authentication. Encryption alone does not provide it, because a confidential channel can still carry data from a forged sender.
Trap Assuming encryption establishes authenticity, when a confidential channel can still carry data injected by a forged or impersonated sender.
- Nonrepudiation stops an actor from credibly denying an action
Nonrepudiation assures that the sender is given proof of delivery and the recipient proof of the sender's identity, so neither can later deny having processed the information. It is preserved by asymmetric digital signatures over content plus secure, tamper-evident logging and trusted timestamps. Its defining requirement is third-party verifiability: an outside arbiter can attribute the action to one party.
- DAD is the inverse of CIA: disclosure, alteration, destruction
The DAD triad names the failure of each CIA property: Disclosure breaks confidentiality, Alteration breaks integrity, and Destruction or denial breaks availability. It is not a separate theory but CIA read as outcomes, and it is the fastest way to classify what an incident actually broke. A leaked database is disclosure, a tampered transfer amount is alteration, and a ransomware-locked server is destruction.
- Match the threatened pillar to the control whose primary effect IS that property
Control selection means naming the dominant or threatened pillar first, then choosing the control class whose primary effect is that property: confidentiality maps to encryption and access control, integrity to hashing and signatures, availability to redundancy and backups. The exam-correct answer is the control that fits the threatened pillar, not the strongest control overall. Reversing the order, picking an impressive control before identifying the pillar, is how candidates choose a mis-targeted answer.
Trap Choosing a strong control for the wrong pillar, e.g. a digital signature when the requirement is confidentiality (which needs encryption).
- Encryption provides confidentiality, not authentication of the sender
Encryption protects confidentiality by making data unreadable to unauthorized parties, but on its own it proves nothing about who sent the data, which is authenticity. A TLS certificate authenticates the server, yet encrypting a payload does not authenticate the payload's origin. When a stem says data was encrypted and asks whether the recipient can trust its source, the missing piece is an origin-authentication mechanism.
Trap Assuming an encrypted message is therefore proven to come from the stated sender, conflating confidentiality with authenticity.
- A MAC gives authenticity but not nonrepudiation; only a signature gives both
A message authentication code proves data came from someone holding the shared secret key, so it provides integrity and authenticity between two parties. It cannot provide nonrepudiation because both parties hold the same key and either could have produced the tag, so no third party can attribute the action to one of them. Asymmetric digital signatures, where the private key is held by exactly one party, are required for nonrepudiation.
Trap Selecting a MAC or shared-secret HMAC to satisfy a nonrepudiation requirement, when only an asymmetric signature can defeat a later denial.
- Authenticity vs nonrepudiation: 'genuine source' vs 'cannot deny to a third party'
Authenticity answers whether a message genuinely came from its stated sender; nonrepudiation adds that the sender cannot later deny it to an auditor, arbiter, or court. The cue words 'deny', 'dispute', 'prove to a third party', and 'legally binding' signal nonrepudiation, whereas 'confirm the sender is genuine' signals authenticity alone. Both can be satisfied by a digital signature, so the answer hinges on which property the stem is actually demanding.
Trap Picking nonrepudiation when the stem only asks to confirm the sender is genuine, a requirement that authenticity alone satisfies.
- FIPS 199 rates confidentiality, integrity, and availability independently
FIPS 199 categorizes a system by rating the potential impact of losing each objective, confidentiality, integrity, and availability, independently as LOW, MODERATE, or HIGH. Assets value the pillars unequally: a public price list needs integrity and availability but little confidentiality, while a draft merger needs confidentiality above all. Rating them separately stops you from over-protecting a pillar the asset does not need.
5 questions test this
- A federal agency is categorizing an information system that processes multiple information types with different security requirements. The…
- An organization's security team is implementing a data classification scheme that incorporates all three elements of the CIA Triad. They…
- A healthcare organization is classifying its medical records system according to the CIA Triad. Patient records require protection from…
- An organization is implementing a data classification scheme with four levels: Public, Internal, Confidential, and Restricted. The security…
- A manufacturing company operates a SCADA system that monitors production line equipment. The security team is establishing data…
- Impact levels: LOW is limited, MODERATE is serious, HIGH is severe or catastrophic
FIPS 199 grades each objective's potential impact by the magnitude of adverse effect on operations, assets, or individuals: LOW is a limited adverse effect, MODERATE is a serious adverse effect, and HIGH is a severe or catastrophic adverse effect. These three levels, applied per pillar, are what later drive the strength of the control baseline.
- High-water-mark: a system's overall impact is the highest of its three ratings
Under the FIPS 199 high-water-mark rule, the overall impact level of a system equals the highest of its confidentiality, integrity, and availability impact ratings. A system rated (LOW, LOW, HIGH) is a HIGH-impact system overall and selects controls accordingly. This is why an asset whose availability alone is critical still inherits a strong baseline even if its confidentiality need is trivial.
Trap Averaging the three impact ratings instead of taking the maximum, which understates the required baseline.
3 questions test this
- A federal agency is categorizing an information system that processes multiple information types with different security requirements. The…
- A financial services organization is implementing a data classification scheme following FIPS 199 guidelines. Their customer transaction…
- An organization is implementing a data classification scheme with four levels: Public, Internal, Confidential, and Restricted. The security…
- Pillars are weighed and traded off, not all maximized at once
Strengthening one pillar routinely costs another: mandatory signing and immutable logs (integrity) can slow availability, heavy encryption and tight access (confidentiality) can impede legitimate users' availability, and wide replication for availability enlarges the surface confidentiality must defend. A security leader sets each pillar's target to the asset's real impact rating and accepts the residual trade-off deliberately, rather than turning every dial to maximum.
Trap Assuming all three pillars should be maximized for every asset, ignoring that raising one pillar routinely degrades another.
- First identify the asset's value and dominant pillar, then select a control
When a stem asks for the FIRST or BEST step to protect an asset, the manager-altitude answer is to determine the asset's value and which pillar it most needs, that is, categorize impact, before choosing any technology. Jumping to a specific mechanism before the impact is understood is the classic distractor. Identify the dominant pillar and its impact level first; the control follows from that.
Trap Picking a specific technology as the FIRST step before the asset's value and dominant pillar have been determined.
Security Governance
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Governance directs and oversees; management executes
Security governance is the leadership system that sets direction and accountability: it fixes the risk appetite, assigns authority, approves policy, and oversees results. Management is the separate function that plans, builds, and runs the controls within that direction. COBIT draws the line explicitly, placing governance in the Evaluate-Direct-Monitor (EDM) domain at the board level and management in the Plan-Build-Run-Monitor domains. Classify an act by the kind of decision (direct/oversee versus operate), not by the seniority of who performed it.
Trap Treating an operational act as governance because a senior executive performed it: governance is defined by directing and overseeing, not by rank.
- Security strategy must align to business strategy and mission
Governance's first job is alignment: the security function's goals, objectives, and mission must trace back to the organization's business strategy, mission, and risk appetite. A control or program with no line to a business objective is misallocated spend even if it is technically excellent, and a program that blocks legitimate business has failed at governance. This is also why winning management support starts with demonstrating business value, not technical sophistication.
Trap Basing security strategy on the latest threat or newest technology rather than on the business mission, objectives, and risk appetite.
- Senior management owns the program and is ultimately accountable
The board and senior management are ultimately accountable for the security program: they set risk appetite, approve strategy and policy, fund the program, and formally accept residual risk. They delegate the work but never the accountability. Senior-leadership ownership and sign-off are what make a security strategy authoritative and funded rather than a wish list from the security team.
Trap Assuming the CISO or security team, rather than senior/executive management, holds ultimate accountability for the program.
- Accountability cannot be delegated; responsibility can
The governing rule of the role chain is that you can hand down the responsibility to perform work but never the accountability for the outcome. A data owner stays accountable for data classification even when an IT custodian implements the controls, and senior management stays accountable for the program even when teams operate it. The same holds for outsourcing: you can transfer the work and the operational responsibility to a third party, but the accountability remains yours.
Trap Believing that outsourcing a function to a vendor transfers accountability: only the work and responsibility move; accountability stays with the organization.
- Data owner classifies and sets requirements; custodian implements them
The data (information) owner is a senior business official who classifies data and defines its protection and access requirements, and is accountable for it. The data custodian, usually IT/operations, implements and maintains those protections (backups, access enforcement, patching) and is responsible for day-to-day care, not for the classification decision. The system owner operates a specific system within the owner's requirements. When a stem asks who is accountable, name the owner; who implements, name the custodian.
Trap Naming the custodian (IT) as accountable for the data: the custodian only implements; the business data owner is accountable and sets the requirements.
- Mergers, acquisitions, and divestitures are governance triggers
Acquisitions, mergers, and divestitures each force a governance review because each reshapes assets, obligations, and risk posture. Before an acquisition, perform security due diligence on the target so you inherit its risk knowingly; after, integrate its assets under your policy. On a divestiture, revoke access, separate or sanitize data, and unwind shared obligations cleanly. Governance committees are the venue where leadership reviews and approves these decisions.
Trap Skipping security due diligence on an acquisition target and treating the deal as purely a financial and legal matter, so its inherited risks surface only after close.
- Governance committees are where oversight actually happens
Standing bodies (a security steering committee plus board-level oversight) are the organizational structures where leadership reviews risk, approves strategy and policy, allocates resources, and holds the program accountable. They turn governance from an abstract responsibility into a recurring, documented process, and they are the answer when a stem asks where strategy and policy get ratified or how the board exercises oversight.
Trap Expecting a steering committee to perform operational security work rather than to set direction, approve policy, and oversee the program.
- NIST CSF 2.0 added Govern as a sixth, cross-cutting function
The NIST Cybersecurity Framework 2.0 (2024) is organized around six Functions: Govern, Identify, Protect, Detect, Respond, Recover, where Govern was newly added in version 2.0. Govern establishes and monitors the organization's risk-management strategy, expectations, and policy, and it informs how the other five functions are prioritized and carried out. CSF is a voluntary outcomes framework for communicating and organizing risk, not a control catalog and not certifiable.
Trap Listing only the original five functions (Identify, Protect, Detect, Respond, Recover) and omitting Govern, which CSF 2.0 added as the sixth.
- ISO/IEC 27001 is certifiable; ISO/IEC 27002 is control guidance
ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS) and is the standard an organization actually certifies against. ISO/IEC 27002 is its companion code of practice that gives implementation guidance for selecting and applying the controls, and is not certifiable on its own. When a stem says "certify our ISMS," the answer is 27001; 27002 is the trap.
Trap Choosing ISO/IEC 27002 when the requirement is to certify a management system: 27002 is guidance only; you certify against 27001.
3 questions test this
- A multinational manufacturer is responding to a wave of customer requests for proposals from European and Asian partners that each demand…
- A SaaS company headquartered in Europe is preparing to be acquired by a multinational group, and the acquirer's due-diligence team requires…
- A SaaS provider expanding into European and Asian markets finds that enterprise customers' procurement teams repeatedly demand independent,…
- NIST RMF and SP 800-53 underpin US federal authorization
The NIST Risk Management Framework (SP 800-37) provides the seven-step risk lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor, and SP 800-53 supplies the control catalog and baselines it draws from. Together they are the mandatory basis for authorizing a U.S. federal information system to operate (the ATO). CSF organizes outcomes; SP 800-53 supplies the actual controls.
Trap Confusing NIST CSF (an outcomes/communication framework) with SP 800-53 (the control catalog): CSF does not enumerate the controls.
- FedRAMP standardizes cloud authorization on SP 800-53
FedRAMP provides a standardized, government-wide approach to security assessment and authorization for cloud services used by U.S. federal agencies, built on NIST SP 800-53 baselines selected by impact level (low/moderate/high). Its value is reuse: one authorization package can be accepted by many agencies, instead of each agency reassessing the same cloud service. Reach for FedRAMP specifically when the obligation is a cloud service serving federal agencies.
Trap Reaching for FedRAMP to authorize a federal on-premises system, when FedRAMP applies specifically to cloud services and a non-cloud system runs on plain RMF and SP 800-53.
3 questions test this
- A cloud service provider whose growth strategy depends on selling infrastructure-as-a-service to United States federal agencies must…
- A SaaS analytics vendor with an established commercial customer base now wants to sell its hosted platform to several US federal civilian…
- A commercial cloud service provider wants to sell its multi-tenant SaaS offering to US federal agencies. Its leadership is frustrated that…
- COBIT governs all of enterprise IT and separates govern from manage
COBIT (ISACA) is a framework for the governance and management of enterprise information and technology, with 40 governance and management objectives across five domains. Its defining principle is separating governance (the EDM domain: Evaluate, Direct, Monitor) from management (APO, BAI, DSS, MEA). Choose COBIT when the obligation is to govern enterprise IT end to end, especially when a stem stresses distinguishing governance responsibilities from management responsibilities.
Trap Picking COBIT when the obligation is a certifiable ISMS or a concrete control catalog, when COBIT is a governance framework rather than ISO/IEC 27001 or SP 800-53.
- SABSA traces security architecture to business risk
SABSA is a business-driven, risk- and opportunity-led methodology for enterprise security architecture. Every architectural decision is traceable back to a business requirement, so the program is justified by business need rather than technology. Reach for SABSA when the stem asks for a framework that ties security architecture to business risk and drivers, as opposed to a control catalog or a certifiable management system.
Trap Picking TOGAF for security architecture traceable to business risk, when TOGAF is a general enterprise-architecture framework and SABSA is the security-specific, risk-driven one.
- Pick the control framework by obligation, not preference
Control frameworks are not interchangeable; match the framework to the named obligation. Cardholder data points to PCI DSS; a U.S. federal system ATO to NIST RMF/SP 800-53 and, for cloud, FedRAMP; a certifiable ISMS to ISO/IEC 27001; end-to-end IT governance to COBIT; business-traceable architecture to SABSA; and communicating risk outcomes across six functions to NIST CSF 2.0. The wrong answer is usually the most familiar framework rather than the one the obligation requires.
- Due diligence is investigating risk; due care is acting on it
Due diligence is doing your homework: investigating and understanding the risk, such as assessing a vendor or researching legal obligations. Due care is acting on that knowledge to the prudent-person standard: implementing reasonable controls and maintaining them over time. Diligence is knowing; care is doing. Both are the governance evidence that an organization behaved reasonably, and failing either can amount to negligence.
Trap Swapping the two: calling ongoing operation of a control "due diligence" when continuing maintenance is due care, and the upfront investigation is due diligence.
- The prudent-person standard defines what "reasonable" means
Due care is measured against the prudent-person (reasonable-person) standard: would a careful, sensible person in a similar role have taken the same protective action. It sets the bar for what counts as reasonable security and is the yardstick courts and regulators apply when judging whether an organization was negligent. Governance demonstrates the standard by documenting that controls were both selected (care) and chosen after investigation (diligence).
Trap Reading the prudent-person standard as a demand for perfect or maximum security, when it asks only for what a reasonable person in a similar role would do.
Legal & Compliance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Investigation Types
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Documentation
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Business Continuity Requirements
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Personnel Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Risk Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Risk is likelihood times impact on a paired threat and vulnerability
Risk is the likelihood that a specific threat exploits a specific vulnerability, multiplied by the resulting impact. A vulnerability with no credible threat, or a threat with no exploitable weakness, carries no risk, which is why risk is always assessed on the threat-vulnerability pair rather than on a weakness alone. NIST frames it as a function of the likelihood of an event and the adverse impact if it occurs.
Trap Treating a discovered vulnerability as a risk on its own, without asking whether any threat can credibly exploit it.
- Single Loss Expectancy is asset value times exposure factor
SLE is the money lost in one occurrence of a risk event, computed as SLE = AV x EF, where AV is the asset's value and EF is the fraction of that value destroyed in a single event (a percentage). For example a $200,000 asset with a 25% exposure factor has an SLE of $50,000. EF is expressed as a decimal in the formula, so 25% becomes 0.25.
Trap Reading the exposure factor as a flat dollar loss instead of a percentage of asset value, which inflates SLE.
- Annualized Loss Expectancy is SLE times the annual rate of occurrence
ALE is the expected yearly loss from a risk, computed as ALE = SLE x ARO, where ARO is the expected number of occurrences per year. It is the single number that justifies safeguard spend: a control is cost-effective only when its annual cost is below the ALE reduction it produces. ARO can be fractional (a once-in-ten-years event has an ARO of 0.1).
Trap Confusing SLE (loss from one event) with ALE (loss per year) when a stem asks for annual exposure.
- Fund a safeguard only when its cost is below the ALE it removes
A control is justified when its annual cost is less than the reduction in Annualized Loss Expectancy it delivers; you compare ALE-before minus ALE-after against the control's yearly cost. Spending more to mitigate than the risk is worth is itself a risk-management failure, even if the control is technically the most secure option. This cost-benefit test is what turns quantitative analysis into a budget decision.
Trap Selecting the most secure control regardless of cost, when a cheaper option already drives ALE below the control's price.
3 questions test this
- A financial institution is prioritizing security investments and has calculated the ALE for four different risks. Risk A has an ALE of…
- A security manager identifies a moderate vulnerability in a legacy application that is firmly scheduled for decommissioning in three…
- A healthcare provider's risk assessment finds that unencrypted laptops used by field clinicians hold regulated patient data and are…
- Quantitative analysis yields dollars; qualitative yields ranked bands
Quantitative analysis assigns monetary values (SLE, ALE) and needs reliable asset values and event frequencies, producing figures you can compare directly against control costs. Qualitative analysis rates likelihood and impact on ordinal bands plotted on a risk matrix; it is fast and needs no hard loss data but its outputs cannot be summed or expressed in money. Choose quantitative when spend must be defended in dollars, qualitative when data is scarce.
Trap Claiming qualitative analysis produces a dollar figure, when it only produces relative low/medium/high ratings.
- Hybrid analysis triages qualitatively, then quantifies the top risks
A hybrid (semi-quantitative) approach ranks the whole risk register with fast qualitative bands, then spends the effort of a full quantitative model only on the few risks that justify it. This balances the speed of qualitative against the precision of quantitative and is the common real-world choice for a large register. It avoids both the paralysis of quantifying everything and the imprecision of quantifying nothing.
Trap Assuming a hybrid approach must produce dollar figures for every risk, when it reserves the full quantitative model for only the top-ranked few.
- Every risk gets one primary response: avoid, transfer, mitigate, or accept
After analysis, each risk is treated with one primary response. Avoid eliminates the risk by stopping the activity; transfer (share) shifts the financial impact to a third party; mitigate (reduce) applies controls to lower likelihood or impact; accept knowingly retains the residual risk because treatment costs more than the exposure. Mitigate is the most common and the only response that uses the safeguard-cost-versus-ALE math.
Trap Treating mitigate as if it eliminates the risk, when only avoid removes it and mitigation merely lowers likelihood or impact.
5 questions test this
- A CISO at a public water utility evaluates a risk in which compromise of safety instrumented systems could cause physical harm to the…
- A CISO at a regional payment startup is reviewing a proposed product that would store full primary account numbers to enable a niche…
- A security manager at a mid-size insurer is outsourcing claims-document processing to a specialized SaaS provider whose security controls…
- A security manager identifies a moderate vulnerability in a legacy application that is firmly scheduled for decommissioning in three…
- A healthcare provider's risk assessment finds that unencrypted laptops used by field clinicians hold regulated patient data and are…
- Insurance transfers the cost of a loss, it does not avoid the risk
Buying cyber-insurance or signing a contractual indemnity is risk transfer (sharing): it shifts the financial consequence to a third party but the incident still happens to you, and you keep the reputational and legal fallout. Risk avoidance is different: it means not doing the risky activity at all, so the risk cannot occur. Transfer moves cost; avoidance removes the activity.
Trap Labeling cyber-insurance as risk avoidance; insurance only moves the financial impact, so it is transfer.
3 questions test this
- A manufacturing firm's security committee has already mitigated its ransomware exposure through segmentation, immutable backups, and tested…
- A regional hospital has implemented due-care security controls that materially reduced breach likelihood, yet a quantified analysis shows a…
- A healthcare organization purchases cybersecurity breach insurance to address potential data breach costs. The Chief Information Security…
- Residual risk must be formally accepted by senior management
Residual risk is what remains after a control is applied, conceptually total risk minus the portion the control removes. The owning senior or executive management must formally accept it; the security team, analyst, or IT operations cannot accept risk on the business's behalf. This formal acceptance is the same act the NIST RMF calls Authorize.
Trap Having a security engineer or analyst accept residual risk, when acceptance is a business-owner authority.
5 questions test this
- An organization has completed a risk assessment and identified a vulnerability in a non-critical internal application. The estimated annual…
- After completing a comprehensive risk assessment, a security team determines that several identified risks have been reduced through…
- During a risk governance review, the board of directors learns that a business unit accepted a cybersecurity risk that exceeds the…
- A security manager identifies a moderate vulnerability in a legacy application that is firmly scheduled for decommissioning in three…
- An organization completed a risk assessment and determined that after implementing all planned controls, the residual risk for a critical…
- Doing nothing about a known risk is rejection, not acceptance
Risk acceptance is a deliberate, documented management decision to retain a risk after weighing the cost of treatment. Silently ignoring a known risk is risk rejection, which is explicitly not a legitimate response and is indefensible if the risk materializes. The difference is documentation and authority: acceptance is signed off, rejection is neglect.
Trap Treating an organization that ignores a documented risk as having accepted it, when unowned inaction is rejection.
- Classify controls by category and by type at the same time
Controls have a category describing how they are implemented (administrative/managerial, technical/logical, physical) and a type describing what they do relative to an event (preventive, detective, corrective, deterrent, recovery, directive, compensating). A single control can hold one category and several types, so a question asking you to classify a control usually wants both axes named. For instance an audit log is a technical control that is primarily detective.
Trap Answering a control's category (technical, physical, administrative) when the stem is asking for its type (preventive, detective, corrective), or vice versa.
- A compensating control substitutes when the primary control is infeasible
A compensating control is an alternative safeguard used when the intended primary control cannot be implemented, providing comparable protection by another means. It is the answer when a stem says a required control is impractical (cost, legacy system, business constraint) yet the risk must still be addressed. PCI DSS, for example, allows documented compensating controls in place of a specific requirement.
Trap Calling any backup or secondary control compensating; the term specifically means a substitute for an infeasible required control.
- The NIST RMF runs seven steps and loops back to monitoring
The NIST Risk Management Framework (SP 800-37 Rev. 2) is a seven-step system lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. Categorize sizes the system's impact, Select chooses SP 800-53 controls, Authorize is senior-official sign-off to operate, and Monitor feeds findings back into the cycle for continuous improvement. The order is testable, so memorize the sequence.
Trap Placing Select or Implement before Categorize, when categorization of system impact must come first to drive control selection.
- SP 800-30 is the assessment guide; SP 800-37 is the management framework
NIST SP 800-30 Rev. 1 is the Guide for Conducting Risk Assessments and defines the assessment methodology (prepare, conduct, communicate, maintain) across three tiers: organization, mission/business process, and information system. NIST SP 800-37 is the broader Risk Management Framework that wraps assessment inside a full system lifecycle. A stem about how to assess risk points to 800-30; one about the end-to-end governance lifecycle points to 800-37.
Trap Citing SP 800-37 for the risk-assessment methodology, when 800-30 is the assessment guide and 800-37 is the broader lifecycle framework.
- NIST CSF 2.0 added Govern to make six functions
The NIST Cybersecurity Framework is organized around functions; version 2.0 added Govern, giving six: Govern, Identify, Protect, Detect, Respond, Recover. Govern was elevated to make risk governance and organizational context a first-class function alongside the operational ones. CSF is a voluntary, outcome-based framework, distinct from the RMF's prescriptive control lifecycle.
Trap Listing only the original five CSF functions (Identify, Protect, Detect, Respond, Recover) and omitting Govern, which CSF 2.0 added.
- ISO/IEC 27005 is the international information-security risk standard
ISO/IEC 27005 provides guidance on managing information-security risk and complements an ISO/IEC 27001 information security management system (ISMS). Where 27001 specifies the ISMS requirements and 27002 lists control guidance, 27005 governs the risk-management process within that system. It is the standards-based alternative to the NIST publications for organizations aligned to ISO.
Trap Picking ISO/IEC 27001 or 27002 as the risk-management standard, when 27001 specifies the ISMS and 27002 lists controls, leaving 27005 for the risk process.
- A KRI signals rising exposure; a KPI measures performance
A Key Risk Indicator is a leading metric that warns of increasing risk exposure before a loss occurs, such as the percentage of systems past their patch deadline. A Key Performance Indicator is a lagging metric of how well a control or process is performing, such as mean time to detect. A stem describing an early-warning signal wants KRI; one describing how effective a control already is wants KPI.
Trap Calling a backward-looking performance measure a KRI; an early-warning exposure metric is the KRI, the performance measure is the KPI.
7 questions test this
- Marcella is the CISO at a financial services firm and needs to report security program performance to the board of directors. She wants to…
- A CISO is redesigning the quarterly risk report presented to the board, which has complained that current awareness-program reporting is…
- An organization is implementing a metrics program to support security governance. The security team needs to differentiate between metrics…
- A security awareness manager is establishing key performance indicators to measure the effectiveness of a new security awareness program.…
- A security awareness manager is developing key performance indicators (KPIs) to measure program effectiveness. The organization wants…
- A security manager is selecting metrics to include in the quarterly security dashboard for executive leadership. The manager wants to…
- A CISO is developing a security metrics program to report to the board of directors. The organization wants to demonstrate how security…
- Assess the risk before selecting any control
When a newly discovered risk asks what to do first, the answer is to assess and analyze it before buying or deploying any safeguard, because you cannot rationally treat a risk you have not sized. Jumping straight to a control skips the analysis that tells you whether the control is even cost-justified or correctly targeted. Identify and analyze, then respond.
Trap Choosing to deploy a specific control as the first action, before the risk has been assessed and prioritized.
- Risk maturity models chart the climb from ad-hoc to optimized
A risk maturity model describes an organization's progression from ad-hoc, reactive risk handling through defined and managed stages to an optimized, metrics-driven program. It frames continuous improvement as moving up maturity levels rather than treating each risk in isolation. Higher maturity means risk decisions are consistent, measured, and integrated into governance rather than improvised per incident.
- The asset owner is accountable even when a custodian operates the control
Accountability for a risk and its asset rests with the owner, typically senior or business management, even when a custodian or third party operates the safeguard day to day. Operating a control or processing data does not transfer accountability; responsibility for daily handling can be delegated, but accountability cannot. This is why residual-risk acceptance is an owner decision.
Trap Assuming a managed-service provider or IT custodian becomes accountable for the risk because it runs the control.
- Defense-in-depth layers diverse controls because no single control suffices
Defense-in-depth integrates people, technology, and operations into multiple overlapping layers so that if one control fails or is bypassed, others still protect the asset - the core rationale being that no single mechanism stops every threat. Strength comes from heterogeneity (e.g., firewalls from different vendors) and segmentation (network zones/conduits or micro-segmentation) that limit lateral movement and align with zero-trust principles.
Trap Stacking several copies of the same vendor's product is not true defense-in-depth; one shared flaw defeats every identical layer at once.
5 questions test this
- A security architect is designing a new enterprise security program and wants to implement a defense-in-depth strategy. According to NIST…
- A CISO is briefing executives on why the organization should invest in multiple overlapping security controls rather than relying on a…
- An organization operating industrial control systems (ICS) is implementing defense-in-depth using zones and conduits to protect critical…
- A security architect is designing a defense-in-depth strategy for a financial services organization. Which approach BEST demonstrates the…
- Sarah is implementing network segmentation as part of her organization's layered security architecture. Which approach best supports…
- Risk appetite is set by the board; risk tolerance is the operational threshold
Senior leadership/the board declares the enterprise risk appetite - the broad amount of risk it is willing to pursue - and management translates it into risk tolerance: specific, often quantitative thresholds for business processes. A residual risk (computed as probability times impact after controls) is acceptable when it falls within the established appetite/tolerance; otherwise further treatment is required.
Trap Risk appetite is the high-level, strategic statement; risk tolerance is the measurable operational limit derived from it - they are not interchangeable.
3 questions test this
- A financial services organization is developing its enterprise risk management framework. The Chief Risk Officer needs to establish…
- An organization's board of directors is establishing a risk governance framework aligned with NIST guidance. They want to ensure that…
- An organization completed a risk assessment and determined that after implementing all planned controls, the residual risk for a critical…
Threat Modeling
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Threat modeling is risk assessment done during design, not after deployment
Threat modeling is a form of risk assessment that models the attack and defense sides of an entity (data, application, host, system, or environment) to spend limited security resources where they reduce the most risk (NIST SP 800-154). It pays off because a design flaw found on a diagram is far cheaper to fix than the same flaw found in production. It is proactive and iterative, revisited whenever the architecture, data, or threat landscape changes.
Trap Treating threat modeling as a post-deployment or one-time activity done during penetration testing. Its value is during design, and the model must be kept current.
- Every threat-modeling method answers the same four questions
Regardless of methodology, threat modeling answers four questions: what are we working on, what can go wrong, what are we going to do about it, and did we do a good enough job. The acronyms (STRIDE, PASTA, DREAD) are just disciplined ways to answer 'what can go wrong' and rank the answers. Keeping the four questions in mind prevents mistaking a tool for the whole process.
Trap Treating an acronym like STRIDE or DREAD as the entire threat-modeling process rather than as one disciplined way to answer the 'what can go wrong' question.
- Threats concentrate at trust boundaries on a data-flow diagram
A data-flow diagram (DFD) models external entities, processes, data stores, and the data flows between them; a trust boundary is the line where the level of trust changes, such as between the internet and an internal service. Threats cluster at trust boundaries because that is where an attacker crosses from a less-trusted to a more-trusted context, so data crossing a boundary is scrutinized first. Decomposing the system this way (not any acronym) is what turns vague worry into an enumerable list of threats.
Trap Assuming an acronym like STRIDE is what decomposes the system, when it is the DFD and its trust boundaries that produce the enumerable list of threats the acronym then categorizes.
3 questions test this
- A security team is analyzing a data flow diagram and must prioritize their threat analysis efforts due to limited resources. The DFD…
- During a threat modeling session, a security team is creating a data flow diagram for a web application. The team identifies a point where…
- During a threat modeling exercise using data flow diagrams (DFDs), a security analyst identifies that customer data crosses from the…
- An attack vector is the path or means used to reach and exploit a target
On the attack side, a vulnerability is a weakness, an exploit is the technique that takes advantage of it, and an attack vector is the path or means an attacker uses to reach the target and deliver the exploit. NIST SP 800-154's data-centric method works by selecting which attack vectors to include, then characterizing controls that mitigate those vectors. Distinguishing the vector (the route) from the vulnerability (the weakness) and the threat (the potential) is core threat-modeling vocabulary.
Trap Confusing the attack vector (the route used to reach a target) with the vulnerability (the weakness itself) or the exploit (the technique that takes advantage of the weakness).
- Pick a threat-modeling methodology by its center of gravity
Methodologies differ by what they put at the center of the analysis: STRIDE is threat-centric (per DFD element), PASTA is risk- and attacker-centric (business-aligned), attack trees are goal-centric (one objective), and DREAD is a rating model rather than an enumeration. The data-centric method of NIST SP 800-154 puts high-value data at the center and works outward to its attack vectors. There is no single right choice: pick by whether you need coverage, business alignment, or protection of a specific crown-jewel asset.
Trap Matching the methodology to the wrong center of gravity, such as treating STRIDE as business-risk-centric or PASTA as a per-element checklist, when STRIDE is threat-centric and PASTA is risk- and attacker-centric.
- Each STRIDE category is the violation of one security property
STRIDE (Microsoft) names six threat categories, each defeating exactly one property: Spoofing defeats authentication, Tampering defeats integrity, Repudiation defeats non-repudiation, Information disclosure defeats confidentiality, Denial of service defeats availability, and Elevation of privilege defeats authorization. The mapping is bidirectional: if a design must guarantee integrity, STRIDE says Tampering is the threat and a hash or signature is the countermeasure. STRIDE gives systematic coverage but says what can go wrong, not how likely or how severe.
Trap Calling unauthorized modification of data 'information disclosure'. Modification is Tampering (integrity); information disclosure is reading data you should not (confidentiality).
- Tampering is unauthorized change; information disclosure is unauthorized read
Within STRIDE the two most-confused categories are Tampering and Information disclosure. Tampering is the malicious modification of data and violates integrity; Information disclosure is exposing data to someone not authorized to see it and violates confidentiality. Anchor on the verb in the stem: change/modify points to Tampering, read/expose points to Information disclosure.
Trap Labeling the unauthorized reading or exposure of data as Tampering, when reading points to Information disclosure (confidentiality) and only modification is Tampering (integrity).
- Repudiation is countered by logging and signatures, not by encryption
Repudiation is a user denying an action with no way to prove otherwise; it violates non-repudiation (accountability). The countermeasures are secure audit logging and digital signatures that bind an action to an identity, because they create the evidence that defeats a later denial. Encryption protects confidentiality, not accountability, so it does not address repudiation.
Trap Picking encryption as the countermeasure to repudiation, when encryption protects confidentiality and it is audit logging plus digital signatures that provide the accountability evidence.
- PASTA is a seven-stage, risk-centric methodology tied to business impact
PASTA (Process for Attack Simulation and Threat Analysis) is a heavier, seven-stage methodology that starts from business objectives and carries each technical threat through to its business impact, and it is attacker-centric in that it simulates a realistic adversary. Reach for PASTA when leadership needs threats expressed as business risk rather than a list of technical issues. The cost is that it needs business context and far more effort than a single STRIDE pass.
Trap Choosing PASTA when you only need quick per-component coverage during design. That is STRIDE's job; PASTA's weight is justified only when business-risk alignment matters.
- An attack tree decomposes one attacker goal into the paths to reach it
An attack tree is goal-centric: the attacker's objective is the root and branches decompose it into the alternative sub-goals and steps needed to achieve it, often with AND/OR logic showing which steps must combine. Use it when you must understand every path to one specific objective in depth. Its scope is that single goal, not the whole system, so it complements rather than replaces a system-wide method like STRIDE.
Trap Expecting an attack tree to give system-wide threat coverage, when its scope is one specific attacker goal and a method like STRIDE is what covers the whole system.
4 questions test this
- During a threat modeling exercise, Kenji places 'Exfiltrate Customer Database' at the top of his attack tree diagram. He then decomposes…
- When constructing an attack tree to model threats against a financial trading system, a security analyst identifies that an attacker must…
- During Stage 6 (Attack Modeling) of the PASTA methodology, the security team is developing visual representations of how an attacker might…
- During threat modeling, Marcus is analyzing an attack tree where reaching the goal requires an attacker to both exploit a web application…
- DREAD ranks threats you already found; it does not discover them
DREAD is a rating model, not an enumeration method: its five factors are Damage, Reproducibility, Exploitability, Affected users, and Discoverability, scored and combined into a relative priority so the costliest threats are mitigated first. It needs another method (STRIDE, PASTA) to find the threats first. Its known weakness is that scores are subjective and inconsistent between raters, which is why many teams replaced it with a simpler high/medium/low scheme.
Trap Picking DREAD when a stem asks how to enumerate or discover threats. DREAD only rates, so a discovery question wants STRIDE or PASTA.
- DREAD produces a relative priority, not an objective risk measurement
DREAD's output is a relative ranking derived from subjective scores, not a precise or objective measure of risk. Different raters score the same threat differently, so its reliability is limited. The defensible claim is that DREAD prioritizes threats; calling it an objective or precise risk metric is wrong.
Trap Treating a DREAD score as an objective or precise risk measurement, when its rater-dependent scores yield only a relative ranking for prioritization.
- TTPs describe how an adversary operates; IOCs are the artifacts left behind
Tactics, techniques, and procedures (TTPs) describe how an adversary operates: tactics are the goals (why), techniques are the methods (how), procedures are the specific implementations. Indicators of compromise (IOCs) are observable artifacts an attack leaves, such as malicious IPs, file hashes, and domains. Hunting on TTPs is more durable than hunting on IOCs because an attacker can swap a hash or IP far more easily than change how they operate.
Trap Treating IOCs as the more durable detection signal. IOCs are trivially changed by the attacker, so behavior-based TTPs are the more resilient basis for detection.
- The Cyber Kill Chain models an intrusion as seven sequential phases
The Lockheed Martin Cyber Kill Chain breaks an intrusion into seven sequential phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Its value is that placing a control to break the chain at the earliest phase is cheaper than responding at Actions on Objectives. Its limitation is that it is linear and perimeter-oriented, fitting classic malware intrusions better than insider abuse or fast lateral movement.
Trap Assuming the linear, perimeter-oriented Cyber Kill Chain models insider abuse or fast lateral movement well, when those scenarios fit it poorly and are better reasoned about with a matrix like ATT&CK.
- MITRE ATT&CK is a matrix knowledge base of real-world adversary behavior
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, organized as a matrix where tactics are columns (adversary goals like Initial Access, Persistence, Privilege Escalation) and many techniques and sub-techniques sit under each. It supplies realistic TTPs to test a threat model against and serves as a common language for mapping detections and gaps. Use the kill chain to reason about where in the lifecycle to place a control, and ATT&CK to reason about which concrete techniques the control must counter.
Trap Calling MITRE ATT&CK a linear chain or the Cyber Kill Chain a technique catalog. ATT&CK is a matrix of techniques, the kill chain is a linear lifecycle.
- Threat-model during design, before code is written
Threat modeling delivers the most value during the design phase, before code exists, because flaws are cheapest to fix on a diagram. Testing (penetration testing, code review, scanning) validates the model against the real system but does not replace it. Because the attack and defense sides change, the model is a living artifact that is revisited as the system and threat landscape evolve.
Trap Assuming penetration testing or code review can replace threat modeling, when those activities validate the model against the running system but do not substitute for design-phase modeling.
- Threat modeling identifies and prioritizes; it does not compute dollar loss
Threat modeling enumerates and ranks what can go wrong; it does not produce SLE/ALE dollar figures. Quantitative loss math belongs to the risk-management process, which consumes the threat model as an input. A threat model is also one activity within a secure development lifecycle, not a substitute for secure coding, testing, or the full SDLC.
Trap Expecting a threat model to output SLE/ALE dollar figures, when quantitative loss math belongs to the risk-management process that consumes the threat model as an input.
- NIST data-centric threat modeling runs four steps from data to controls
NIST SP 800-154's data-centric method has four steps: identify and characterize the system and data of interest, identify and select the attack vectors to include, characterize the security controls that mitigate those vectors, and analyze the threat model. It puts high-value data at the center, so it is the method to reach for when protecting a specific crown-jewel asset rather than a whole system. It is meant to supplement, not replace, existing methodologies.
Trap Reaching for the NIST SP 800-154 data-centric method to model a whole system broadly, when it is purpose-built to center on a specific high-value data asset and is meant to supplement existing methodologies.
- DREAD rates five factors to prioritize a threat
DREAD scores a threat on five factors - Damage, Reproducibility, Exploitability, Affected users, and Discoverability - and combines them into an overall priority. Microsoft's original model rated each factor on a small scale and summed them; a widely used later variant rates each 1-10 and averages them (sum of the five divided by five) for a 1-10 score, so the exact combining method varies by source. Damage = severity of harm, Reproducibility = how reliably the attack works, Exploitability = effort/skill to pull it off, Affected users = scope of impact, and Discoverability = how easily the flaw is found, which is often rated high since any flaw is assumed to be discoverable eventually.
7 questions test this
- A security analyst is using the DREAD model to assess a newly discovered vulnerability in a web application. After evaluating all five…
- During a threat modeling exercise, an organization is using the DREAD model to rank threats after identifying them with STRIDE. When…
- During a threat modeling session, a security team debates which DREAD factor to prioritize when assessing a newly discovered zero-day…
- A security team is conducting threat modeling for a new API service that will expose customer financial data. Using the DREAD model, they…
- A security analyst is using the DREAD model to assess a SQL injection vulnerability in a customer-facing web application. The analyst…
- A threat analyst evaluating an SQL injection vulnerability using DREAD has determined the following: the exploit requires only a web…
- A penetration tester has identified a buffer overflow vulnerability that requires local administrator access to exploit and works reliably…
Supply Chain Risk
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Awareness
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Asset Security
Data Classification
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Classify data so protection is proportional to the harm its compromise would cause
Data classification ranks each information type by the impact of losing its confidentiality, integrity, or availability, then lets that label drive every downstream control: access, storage, transmission, marking, retention, and destruction. The purpose is proportionality: you cannot protect everything to the maximum, so grading once turns an open-ended "how hard should we protect this?" into a policy lookup. A classification with no defined handling rules per level protects nothing: the label must map to required controls to be useful.
- Sensitivity and criticality are separate axes: judge the one the loss event threatens
Sensitivity measures the harm from unauthorized disclosure or modification (a confidentiality/integrity concern); criticality measures the harm from the data or system being unavailable when needed (an availability concern). They do not move together: a public price list is low-sensitivity but can be high-criticality if it drives live transactions, while archived personal notes can be high-sensitivity but low-criticality. Decide which objective the scenario's loss threatens before assigning a level.
Trap Treating low-sensitivity data as unimportant. A low-sensitivity but high-criticality asset still needs strong availability controls.
- You can delegate the work of protecting data, but never accountability for it
Responsibility to perform a task can be delegated or outsourced; accountability cannot. The data owner stays accountable for the classification and for whether the data is adequately protected even after handling is handed to a custodian or a cloud provider. This is why outsourcing storage does not transfer the owner's duty for the label.
Trap Assuming that outsourcing storage to a custodian or cloud provider transfers accountability along with the work, when only the responsibility to perform moves.
- Classifying a new dataset is the first step before selecting any control
When new data or a new system is onboarded, have its owner classify it before granting access or choosing safeguards, because the label is the input every protection decision depends on. Selecting a control before you know the classification is choosing a solution before you know the requirement.
Trap Reaching for encryption or access controls as the FIRST step on new data. Categorization must precede control selection, since the label sizes the control.
- U.S. government classified tiers are defined by expected damage to national security
The national-security scheme grades the three classified levels by the damage unauthorized disclosure could reasonably be expected to cause: Top Secret = exceptionally grave damage, Secret = serious damage, Confidential = damage (per Executive Order 13526). Unclassified is not a classified level and carries no damage standard. Learn each tier by its damage definition rather than the word alone.
Trap Counting Unclassified as a fourth classified tier, when it carries no damage standard and is not a classified level at all.
- In the government scheme, Confidential is the LOWEST classified tier
Among the three classified government levels, Confidential ranks below Secret and Top Secret. Its disclosure standard is plain "damage," the least severe of the three. This collides with everyday commercial usage, where "Confidential" often labels the most sensitive data, so the same word means opposite ends of the scale depending on the scheme.
Trap Ranking government Confidential as the most sensitive classified level. It is the least sensitive of the three classified tiers, below Secret and Top Secret.
- A common commercial scheme runs Confidential, Private, Sensitive, Public
Commercial organizations grade by business impact rather than national-security damage. A widely taught four-tier model is Confidential (most sensitive; serious harm if disclosed), Private (internal personnel/financial data), Sensitive (harm if disclosed or altered; above public, below private), and Public (no harm on disclosure). The number of levels is a policy choice (others use Restricted/Internal/Public) but each level must be a defined band of expected harm.
Trap Treating one commercial label set as the single mandated standard, when the number and names of levels are a policy choice as long as each is a defined harm band.
- FIPS 199 rates confidentiality, integrity, and availability impact independently
NIST FIPS 199 assigns an information type three separate impact ratings, one each for confidentiality, integrity, and availability, every one valued LOW, MODERATE, or HIGH. The ratings are independent, so a record can be HIGH for confidentiality yet LOW for availability; there is no single combined score for an information type.
Trap Collapsing C, I, and A into one overall impact score. FIPS 199 keeps the three objectives separate, each with its own level.
- FIPS 199 impact levels map to limited, serious, and severe-or-catastrophic harm
FIPS 199 defines LOW as a loss expected to have a limited adverse effect, MODERATE as a serious adverse effect, and HIGH as a severe or catastrophic adverse effect on organizational operations, assets, or individuals. HIGH includes loss of a primary mission function, major financial loss, or loss of life. The verbal anchors (limited / serious / severe-or-catastrophic) are the testable distinction.
- FIPS 199 records a category as SC = {(C, impact), (I, impact), (A, impact)}
The FIPS 199 security category (SC) notation lists the impact for each objective in a fixed triple, e.g. investigative information categorizes as {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}. For an information type, an objective may be NOT APPLICABLE, but NOT APPLICABLE is allowed only for confidentiality, never for integrity or availability.
Trap Assuming NOT APPLICABLE may be assigned to integrity or availability, when FIPS 199 permits it only for the confidentiality objective.
- A system's category is the high-water mark across all its information types
When a system holds several information types, FIPS 199 sets its category by taking the highest impact in each objective independently across all resident types: the high-water mark. You do not average the levels and you do not apply a single type's whole triple to the system; each objective is maxed separately. This system category becomes the input that drives the control baseline selected next.
Trap Averaging the information types' impact levels, or copying one type's SC to the system. The system takes the maximum per objective, not a mean or a single type.
3 questions test this
- An organization's data protection standard specifies that data at rest must be protected according to its classification level. A database…
- A financial services organization stores multiple types of data within a single database, including publicly available market data,…
- A data steward discovers that a single database contains records with different sensitivity levels, ranging from public marketing data to…
- A system's minimum category is LOW. NOT APPLICABLE cannot apply at the system level
Unlike an individual information type, an information system can never carry NOT APPLICABLE for any objective; its floor is LOW (the low-water mark). FIPS 199 reasons that the system must always protect its own processing functions and system information regardless of the data it happens to hold, so confidentiality, integrity, and availability each have at least a LOW minimum impact.
Trap Carrying NOT APPLICABLE up to the system level the way it is allowed for an information type, when a system's floor is always at least LOW for every objective.
- SP 800-60 maps information types to their provisional impact levels
NIST SP 800-60 Volume 1 is the Guide for Mapping Types of Information and Information Systems to Security Categories; it catalogs information types (privacy, financial, investigative, and so on) and recommends a provisional confidentiality, integrity, and availability impact for each, which the owner then adjusts to context. It is the lookup that feeds the categorization, distinct from FIPS 199 which defines what the levels mean.
Trap Crediting SP 800-60 with defining what LOW, MODERATE, and HIGH mean, when it only maps types to provisional levels and FIPS 199 defines the levels themselves.
- Attribute the standards: FIPS 199 defines levels, SP 800-60 maps types, SP 800-53 supplies controls
Keep the three roles separate: FIPS 199 defines the impact levels and the categorization rules, SP 800-60 maps an information type to its provisional impact, and SP 800-53 is the control catalog selected after categorization to build the baseline. Categorization (FIPS 199 / SP 800-60) precedes control selection (SP 800-53). Naming the source document correctly is a recurring exam discriminator.
Trap Citing SP 800-53 as the categorization method. It is the control catalog applied after the category is set, not the tool that determines impact levels.
- Asset classification inherits the sensitivity of the data the asset holds or the function it supports
Classification extends from information to the things that hold it: hardware, systems, software, and media are graded by the sensitivity of the data they process or store, or the criticality of the function they support. A laptop handling HIGH-confidentiality data inherits that grade and earns the matching controls. The asset usually takes its level from the data on it, so reclassifying or wiping the data can change the asset's required handling.
Trap Grading hardware on its own cost or specs rather than inheriting the sensitivity of the data it holds or the criticality of the function it supports.
- Higher classification justifies stronger and costlier controls, not blanket maximum protection
The label sets the bar: more sensitive or more critical classifications warrant stronger access, encryption, monitoring, and destruction controls, while lower tiers get lighter handling so resources are not wasted. The economic argument for classifying at all is that uniform maximum protection is unaffordable and uniform minimum protection is unsafe: graded labels let spend track risk.
Trap Applying the strongest controls uniformly across every tier to be safe, when the economic point of classifying is to let lower tiers receive lighter, cheaper handling.
- A workable classification scheme has a few self-descriptive levels and is reviewed periodically
Most schemes run three to five levels: enough to differentiate sensitivity yet few enough that users apply them consistently. Use self-descriptive, ordered names (e.g. Confidential, Highly Confidential) so the relative sensitivity is obvious, and revisit classifications periodically or when significant business/system change occurs.
3 questions test this
- An organization is developing its data classification scheme and must decide on the number of classification levels. The security team…
- An organization completed its initial data classification project six months ago. The CISO is now concerned about classification accuracy…
- An organization is implementing sensitivity labels for its information assets and wants to ensure consistency across the enterprise.…
Asset Handling
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Secure Provisioning
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Lifecycle
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The data owner sets classification; the custodian implements the controls
The data owner (information owner) is a senior business role that assigns the data's classification and defines its protection requirements, while the data custodian (typically IT) implements and maintains those controls: backups, access enforcement, patching, and the actual destruction. The split matters because a scenario asking who decides sensitivity is always the owner, and one asking who configures the safeguard is always the custodian. The owner directs; the custodian executes.
Trap Assigning the classification decision to the custodian or IT. They implement protections but never set the classification.
8 questions test this
- A financial services company is establishing a data governance program. The Vice President of Finance needs to determine who can access the…
- A financial services organization is implementing a new customer relationship management system that will store sensitive customer data.…
- During asset provisioning, an IT administrator assigns a new laptop to an employee. The process includes recording the serial number,…
- A program manager at a government contractor wants to relax the handling controls on a set of engineering documents currently classified as…
- An organization is developing a data classification policy and needs to determine who should be accountable for assigning classification…
- An organization is implementing a new data classification program. During initial planning, there is confusion about who should be…
- A financial institution is implementing a data classification program. According to industry best practices, who should be primarily…
- A data owner at a financial services firm is establishing classification guidance for personnel who create and handle sensitive…
- Under GDPR the controller sets purposes and means; the processor only follows instructions
The data controller determines the purposes and means of processing personal data and bears primary accountability to the supervisory authority, whereas the data processor processes that data only on the controller's documented instructions. A cloud, payroll, or email provider is the classic processor. The exam parallels this with the internal owner/custodian split, but they are different lenses: owner/custodian is internal governance, controller/processor is the GDPR legal split for personal data. Accountability to the regulator rests with the controller, not the processor.
Trap Treating a cloud or SaaS vendor (a processor) as accountable to the regulator. Accountability stays with the controller.
- The data subject is the person the data describes and holds the privacy rights
A user is anyone who accesses data to do their job, but when the data is about a person, that person is the data subject: the holder of rights such as access, rectification, erasure (right to be forgotten), and portability under the GDPR. Distinguishing the two matters because privacy rights attach to the subject, not to every user who happens to read the record. The subject is who the controller must serve when a rights request arrives.
Trap Assigning the privacy rights to the user who accesses the record rather than to the data subject the record describes.
- Manage data across its whole lifecycle, and match the control to the stage
Data passes through stages (commonly collect, store, use, share, archive, then destroy) with maintenance spanning the active stages, and each stage raises a different control question. Minimize what you collect, protect data at rest while stored, enforce least privilege while in use, secure the channel and bind agreements while sharing, preserve integrity and apply retention while archived, and sanitize verifiably at destroy. Identifying which stage a scenario is in tells you which control family it is really testing.
- Collect only what the purpose needs. Data minimization
At the collection stage the governing principle is minimization: gather only the data the stated purpose actually requires, because data you never collect cannot be breached, mis-shared, or subpoenaed. Over-collection raises retention cost, expands the attack surface, and creates compliance exposure with no offsetting benefit. The cheapest data to protect is the data you chose not to hold.
Trap Reaching for retention limitation when the issue is at collection. Minimization governs what you gather, retention governs how long you keep it.
- Data location decides which laws apply, so residency is a control decision
Where data physically lives governs the jurisdiction over it, and personal data carries the location of the data subject rather than the company. The GDPR reaches organizations outside the EU that offer goods or services to, or monitor, people in the EU. Moving regulated data across a border therefore needs a lawful transfer mechanism: an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs) for intra-group transfers. The owner or controller chooses acceptable storage and processing locations as part of defining protection requirements.
Trap Assuming the applicable privacy law follows the company's home country rather than the data subject's location.
- Encryption is a protective control, not a lawful transfer mechanism
When a cross-border transfer of personal data is proposed, the legal question is whether a transfer mechanism (adequacy, SCCs, or BCRs) is in place: encrypting the data does not by itself make the transfer lawful. Encryption protects confidentiality in transit and at rest, but it does not satisfy the legal basis a regulator requires for the data to leave the jurisdiction. The two questions are separate: encryption answers how the data is protected, the transfer mechanism answers whether it may move.
Trap Citing strong encryption as the reason a cross-border transfer is compliant. Encryption is a control, the legal basis still needs adequacy, SCCs, or BCRs.
- Deleting or formatting leaves data remanence. The data is still recoverable
A logical delete only unlinks the file and a quick format only rewrites the file-allocation metadata, so the underlying bits remain on the media and are recoverable with ordinary tools. That residual data persisting after a nominal erasure is data remanence, and eliminating it (not just hiding the pointers) is the entire point of media sanitization. Treat any drive that was merely deleted or reformatted as still holding its data until it is actually sanitized.
Trap Treating a deleted file or a quick-formatted disk as sanitized. Both leave recoverable data remanence.
- NIST SP 800-88 defines three sanitization levels by the recovery effort each resists
NIST SP 800-88 Rev. 1 grades sanitization by the effort it defeats: Clear applies logical techniques (typically an overwrite via standard read/write commands) that resist simple non-invasive recovery and leaves the media reusable internally; Purge applies physical or logical techniques that render recovery infeasible even with state-of-the-art laboratory techniques; Destroy makes recovery infeasible and leaves the media unusable for storage. The categories escalate along one axis (how hard recovery is to defeat) rather than being unrelated methods.
Trap Assuming Purge leaves the media unusable like Destroy. Purge defeats laboratory recovery yet can still leave the media reusable.
- Choose the sanitization method by confidentiality first, then media type
NIST SP 800-88's selection rule is to think first in terms of the data's confidentiality (its classification), then apply considerations based on the media type. Lower-confidentiality media reused inside the organization warrants Clear; higher-confidentiality data, or any media leaving your control, warrants Purge or Destroy. Confidentiality sets how thoroughly you must sanitize; media type then decides which technique actually achieves that level.
Trap Selecting the sanitization level from the media type first when the data's confidentiality is what sets how thoroughly you must sanitize.
- Overwriting is unreliable on flash/SSD because wear-leveling hides cells
Software overwriting works on rewritable magnetic media but fails on flash and SSDs: wear-leveling and spare cells mean the device may not let standard write commands reach every area where data was stored, so old data can survive an overwrite. For that reason Purge-level SSD sanitization uses the drive's built-in sanitize command or cryptographic erase, not a software overwrite pass. The physics of flash, not the software, is what breaks the overwrite.
Trap Overwriting an SSD as if it were a magnetic disk. Wear-leveling can leave data in cells the overwrite never reaches.
5 questions test this
- A security administrator needs to sanitize solid-state drives (SSDs) containing confidential data before the organization transfers them to…
- A healthcare organization needs to dispose of solid-state drives that were used to store patient records. Due to the wear-leveling…
- An organization is retiring several solid-state drives (SSDs) that previously stored confidential customer data. According to NIST SP…
- A cloud service provider needs to sanitize solid-state drives (SSDs) that previously stored customer data classified as highly sensitive.…
- An organization is decommissioning solid-state drives (SSDs) that previously contained confidential data. According to NIST SP 800-88…
- Degaussing only works on magnetic media and usually destroys the drive
Degaussing exposes magnetic media (hard disk drives, tapes) to a strong magnetic field and renders the data unrecoverable when the degausser strength is matched to the media's coercivity, typically leaving the drive inoperable afterward. Because flash and SSDs store data electrically, not magnetically, degaussing does nothing to them, and NIST warns it should never be relied on for flash-based devices. Match the method to the media's physics: degauss is a magnetic-only technique.
Trap Degaussing an SSD or flash drive expecting it to wipe the data. Flash is not magnetic, so degaussing has no effect.
- Cryptographic erase sanitizes by destroying the key, leaving only ciphertext
Cryptographic erase (CE) sanitizes self-encrypting media by destroying the encryption key so that only unreadable ciphertext remains; without the key the data is unrecoverable. CE executes in a fraction of a second, which makes it ideal for large SSDs and for leased or cloud storage you cannot physically destroy. Its assurance is bounded by the strength of the encryption and the certainty that every copy of the key is gone.
Trap Picturing cryptographic erase as overwriting the stored data when it only destroys the key and leaves the ciphertext in place.
9 questions test this
- A security administrator needs to sanitize several solid-state drives (SSDs) containing confidential data before returning the leased…
- A company is retiring several servers that processed data classified as moderate impact under FIPS 199. The servers contain solid-state…
- A security architect at a media company is decommissioning a SaaS-hosted dataset that the company classifies as Confidential at the end of…
- A security administrator needs to sanitize solid-state drives (SSDs) containing confidential data before the organization transfers them to…
- An organization is decommissioning self-encrypting solid-state drives (SSDs) that stored highly confidential customer financial data. The…
- An organization with encrypted storage devices needs to quickly sanitize multiple drives containing sensitive data before returning them to…
- An organization is decommissioning cloud storage resources that previously held confidential customer data. The security team must ensure…
- An organization is retiring several solid-state drives (SSDs) that previously stored confidential customer data. According to NIST SP…
- An organization is decommissioning solid-state drives (SSDs) that previously contained confidential data. According to NIST SP 800-88…
- Cryptographic erase is only valid if the data was encrypted from the start and all key copies are gone
CE is trustworthy only when the media was encrypted before any sensitive data was written and you can confirm every copy of the key (including escrowed or backed-up copies) has been destroyed. If encryption was enabled after plaintext was already stored, that earlier data was never encrypted and CE leaves it recoverable; if a key copy survives in escrow, the ciphertext can later be decrypted. In those cases CE must be combined with another sanitization method rather than relied on alone.
Trap Using cryptographic erase on a drive that stored plaintext before encryption was turned on. That earlier data was never encrypted, so CE does not sanitize it.
3 questions test this
- A security administrator needs to sanitize several solid-state drives (SSDs) containing confidential data before returning the leased…
- A security architect at a media company is decommissioning a SaaS-hosted dataset that the company classifies as Confidential at the end of…
- An organization is replacing self-encrypting drives (SEDs) that stored top-secret classified information. The security manager wants to use…
- Destroy when the media cannot be Purged or holds the highest-confidentiality data
Physical destruction (shredding, disintegrating, pulverizing, incinerating, or melting) is the answer when the data confidentiality is highest, when the media cannot be reliably Purged, or when no reuse is needed. It guarantees recovery is infeasible at the cost of the media itself, which can never store data again. Destroy is chosen over Purge precisely when reuse is not required and the assurance of total loss is worth the hardware.
Trap Choosing Destroy when the media must be reused. Purge already renders recovery infeasible while keeping the media usable.
5 questions test this
- A law firm is closing a matter and must dispose of a large volume of privileged client case files that exist as both paper documents and…
- An organization is decommissioning self-encrypting solid-state drives (SSDs) that stored highly confidential customer financial data. The…
- An organization is implementing a media sanitization program and must select the appropriate method for hard drives containing data…
- An organization is disposing of storage media that previously contained top secret government information. The media will leave…
- An organization is replacing self-encrypting drives (SEDs) that stored top-secret classified information. The security manager wants to use…
- Sanitization is not done until it is verified and recorded on a certificate
After sanitizing, verify the result (a full read-back of accessible locations or representative sampling) and complete a certificate of sanitization (certificate of media disposition) for each piece of media. The certificate records the manufacturer, model, serial number, media type, the sanitization category used (Clear, Purge, or Destroy), the specific method (degauss, overwrite, block erase, crypto erase), the verification method, and the person who performed it. That document is the auditable evidence that data leaving the organization was actually destroyed.
- A key's cryptoperiod ends its active use; a deactivated key still decrypts archived data
The cryptoperiod is the span a key is authorized for active (e.g. encrypting) use. When it expires the key moves to the deactivated state: no longer used to protect new data but retained to process (decrypt) data already protected with it. Keys needed for the full retention period must therefore be preserved in a key archive that remains recoverable across technology changes.
Trap Cryptoperiod expiry does not mean destroy the key. Deactivate and archive it so archived ciphertext stays decryptable
4 questions test this
- An organization's cryptographic key management system administrator notices that a symmetric encryption key has passed its cryptoperiod but…
- A company is implementing a data archiving solution and must ensure that cryptographic keys used to encrypt archived data remain available…
- During a security assessment, an auditor discovers that an organization's archived data can be rehydrated from cold storage tiers but the…
- A security architect is defining the organization's key management policy and must establish the maximum time period a cryptographic key…
Asset Retention
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Security Controls
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Architecture & Engineering
Secure Design Principles
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Secure design principles are chosen before any product is
Secure design principles are durable, vendor-neutral rules an engineer applies while designing a system, before a specific control is selected, so security becomes a built-in property rather than a later patch. On the exam they decide the "what should you do FIRST / what design is BEST" questions: the right answer reflects a principle, not the most impressive product. Treating security as a bolt-on added after a breach is the failure these principles exist to prevent.
Trap Picking the most feature-rich or expensive product as the BEST answer instead of the design principle it should follow - on principle questions the right choice reflects the principle, not the strongest tool.
- Least privilege grants only the minimum access a function needs
Least privilege gives each subject the minimum system resources and authorizations required to perform its function and nothing more, so a misused or compromised account can damage only a narrow slice of the system. It is a design-time decision about scope, not a runtime monitoring control. Per NIST it is a property the architecture is designed to enforce, not something added once over-broad access already exists.
Trap Treating least privilege as identical to need-to-know - least privilege limits all access an identity holds, while need-to-know specifically limits which information within a clearance level a person may see.
- Separation of duties forces collusion before fraud is possible
Separation of duties (SoD) splits a sensitive task so no single person can complete it alone, reducing the risk of malevolent activity without collusion - the person who authorizes a payment must not also be able to issue it. It can be static (conflicting roles are never assigned to the same user) or dynamic (the conflict is enforced at execution, as in a two-person rule). A specific SoD example NIST calls out: those who administer access-control functions must not also administer the audit functions that would catch them.
Trap Giving the same person a second account to "separate" the duties - if one individual still controls both halves of the task, no duties are actually separated.
4 questions test this
- An organization wants to prevent users from being assigned to both the 'Payment Initiator' and 'Payment Approver' roles at any time.…
- A security manager at a media company stores master backup tapes containing unreleased, high-value intellectual property in an on-site…
- A system architect is designing access controls for a critical infrastructure system. The requirement states that users who perform system…
- An organization wants to implement access controls that ensure database administrators cannot directly access production customer data…
- Job rotation and mandatory vacations expose single-seat fraud
Job rotation and mandatory vacations are companion controls to separation of duties: they surface fraud schemes that depend on one person continuously occupying one role, because a substitute taking over the seat would notice irregularities. Mandatory vacation forces a break long enough for a concealed scheme to come to light. They are detective and deterrent controls, distinct from SoD which is preventive.
Trap Classifying job rotation and mandatory vacation as preventive controls like separation of duties - they uncover a scheme already running, so they are detective and deterrent, not preventive.
- Defense in depth requires independent layers, not just many
Defense in depth places multiple layers of control across people, technology, and operations so defeating one layer still leaves the attacker facing the next. The load-bearing requirement is independence: two layers sharing a single chokepoint or one credential store fail together and count as one layer, not two. Stacking redundant copies of the same control is not defense in depth.
Trap Counting two controls that fail the same way (same credential store, same single gateway) as two layers - shared failure modes collapse them into one effective layer.
- Keep it simple and small to shrink the attack surface
Economy of mechanism (keep it simple and small) holds that the smaller and simpler a mechanism, the fewer flaws it can hide and the easier it is to verify, because complexity is where vulnerabilities live. A minimal, auditable control is preferable to a feature-rich one you cannot fully reason about. It is the principle behind preferring a small trusted computing base.
Trap Reading economy of mechanism as security through obscurity - it calls for a simple, openly verifiable design, not a hidden one whose safety depends on secrecy.
- Fail securely means deny the protected action on failure
Fail securely (fail-closed / fail-safe) means that when a component crashes or a check errors out, it denies the protected action rather than allowing it through. It is the default for access control and data protection because it preserves confidentiality and integrity when the system can no longer make a sound decision. NIST defines fail-safe as a termination mode that prevents damage to system resources when a failure occurs.
Trap Choosing fail-open to preserve availability on a normal access-control component - fail-open is correct only when loss of availability is itself the greater harm, such as a safety-of-life system.
4 questions test this
- A defense contractor is designing a high-security mantrap that requires dual authentication before granting access. The system should…
- A security architect is designing an authentication system for a web application. During the design review, they notice that if the…
- A security engineer is reviewing application code and discovers the following logic pattern: a variable determining administrative…
- During a power failure, a firewall reboots and temporarily allows all traffic through while initializing. Which security principle related…
- Fail-open is correct only when availability is the greater harm
Fail-open keeps a function available through failure and is the right choice only where loss of availability would cause more harm than loss of control - a fire-exit door must unlock when its controller dies. The decision between fail-open and fail-closed is therefore a CIA trade-off resolved by which property dominates: confidentiality/integrity favors fail-closed, safety/availability of life favors fail-open. For ordinary access control, fail-closed wins.
Trap Defaulting an ordinary access-control or data-protection component to fail-open to maximize uptime - fail-open is reserved for cases where lost availability is the greater harm, such as a physical safety system.
- Secure defaults ship denying access until it is explicitly granted
Secure defaults mean a system ships in its most-protected state, denying access until access is explicitly granted, so a forgotten configuration leaves you safe rather than exposed. It is the same instinct as fail securely applied at a different moment: secure defaults govern the initial out-of-the-box state, fail-closed governs the failure state. Both default toward denial.
Trap Equating secure defaults with fail-closed - both default to denial, but secure defaults govern the out-of-the-box initial state while fail-closed governs behavior during a failure.
- Zero trust assumes the network is already compromised
Zero trust (NIST SP 800-207) grants no implicit trust based on physical or network location, because it assumes an attacker is already present inside the environment - being on the corporate LAN earns nothing. It is the "never trust, always verify" posture, defined as minimizing uncertainty in per-request, least-privilege access decisions in the face of a network viewed as compromised. The focus shifts from defending a perimeter to protecting individual resources.
Trap Answering a perimeter-less or breached-network scenario with a bigger perimeter firewall - zero trust's premise is that the perimeter is already breached, so reinforcing it misses the point.
- Zero trust evaluates every request per-session on dynamic policy
In zero trust, access is authenticated, authorized, and granted per-session with least privilege, and the decision is driven by dynamic policy weighing identity, device security posture, and context such as time and behavior. Authenticating to one resource does not automatically grant access to a different resource. A policy decision point (PDP) judges each request and a policy enforcement point (PEP) allows or blocks it.
Trap Assuming a single successful authentication grants ongoing access to other resources - zero trust re-evaluates each request per-session, so one login never carries trust to a different resource.
- Trust but verify is the legacy stance zero trust replaces
Trust but verify extends trust up front - often from network location or a single login - and checks behavior afterward, leaving an implicit trust zone in which a subject is trusted until the next check. That window is exactly what an attacker who has breached the perimeter exploits for lateral movement, which is why zero trust shrinks it toward zero by re-evaluating each request. NIST notes most enterprises run a hybrid of zero-trust and perimeter modes during migration rather than switching all at once.
Trap Treating trust but verify as a synonym for zero trust because both mention verification - trust but verify grants trust up front and checks later, the implicit-trust window zero trust eliminates.
- SASE delivers zero-trust access from the cloud edge, but is not zero trust itself
Secure access service edge (SASE) is a cloud-delivered model that converges networking (SD-WAN) with security functions such as secure web gateway, cloud access security broker, and firewall-as-a-service, and enforces zero-trust network access at the edge close to the user. Zero trust is the principle (verify every session); SASE is one architecture that operationalizes it for a distributed, perimeter-less workforce. They are related but not synonyms.
Trap Treating SASE as a replacement for zero trust rather than a delivery vehicle for it - SASE enforces zero-trust access, it does not substitute for the principle.
- Privacy by design builds data protection into defaults, not into a late add-on
Privacy by design embeds data protection into a system's defaults and full lifecycle from the outset - data minimization, purpose limitation, and retention limits baked into the data model - rather than adding a consent banner or anonymization step at the end. The exam contrast is disclosure versus design: a privacy notice tells users what happens to their data, whereas privacy by design changes what the system collects and keeps in the first place.
Trap Answering a new-personal-data design question with "add a privacy notice before launch" - a notice is disclosure, not the up-front data-minimizing design the principle requires.
Under the cloud shared-responsibility model the provider secures OF the cloud (physical facilities, hardware, the hypervisor) while the customer secures IN the cloud (their data, identity, and configuration). The boundary shifts toward the provider as you move from IaaS to managed and abstracted services, but data classification and access control almost always stay the customer's job. Knowing which side owns a given control is the recurring exam decision.
Trap Assuming the provider secures your data because it secures the infrastructure - data protection, identity, and configuration remain the customer's responsibility in nearly every cloud service model.
Security Models
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A security model formalizes one policy goal so it can be proven, not just tested
A security model is a precise, often mathematical, statement of the rules a system must follow to uphold a policy goal, almost always one CIA pillar. It sits between the abstract policy and the implementation, so you can reason that the policy holds across every reachable state rather than checking access decisions case by case. On the exam the recurring task is to name which pillar a model protects and recite its rules in the correct direction.
Trap Equating the security model with the security policy itself. The policy states the goal in the abstract, while the model is the formal rule set that makes that goal provable.
- Bell-LaPadula protects confidentiality with no read up and no write down
Bell-LaPadula's Simple Security Property forbids reading above your clearance (no read up) and its Star (*) Property forbids writing below your level (no write down), so classified data cannot flow downward to a lower level. It is a lattice-based multilevel model used to specify Mandatory Access Control. The "no write down" rule protects the data, not the writer: it stops a high-clearance subject from copying secrets into a low container that uncleared users could read.
Trap Reading "no write down" as protecting the author's work from being overwritten: it actually prevents secrets leaking to a lower classification.
4 questions test this
- A defense contractor implements a Bell-LaPadula compliant system for processing classified documents. A software process running at the…
- During a security assessment, an auditor discovers that a Bell-LaPadula implementation allows a Top Secret process to signal information to…
- A government agency's multilevel security system implements Bell-LaPadula for confidentiality protection. Security analysts have identified…
- An architect is configuring the mandatory rules for a multilevel system where analysts hold Secret clearances. Accreditors require that a…
- Biba protects integrity and is the exact inverse of Bell-LaPadula
Biba's Simple Integrity Axiom forbids reading below your level (no read down) and its Star Integrity Axiom forbids writing above your level (no write up), so low-integrity data cannot corrupt high-integrity data. Because its write rule points opposite to Bell-LaPadula's, the mnemonic is "BLP keeps secrets from leaking down; Biba keeps garbage from flowing up." A system cannot enforce both on the same labels at once since their write rules conflict.
Trap Pairing "no read up" with "no write up": that mixes one BLP rule with one Biba rule and is internally inconsistent for either model.
6 questions test this
- A security architect at a defense agency enforces Bell-LaPadula on a multilevel system to protect the confidentiality of records classified…
- A control systems engineer is selecting the formal rule for a high-integrity industrial process that performs safety calculations. The…
- A reliability architect at a medical-device manufacturer is defining integrity rules for a trusted calibration process that computes…
- A security manager at a regulated bank is choosing a formal security model to govern the core ledger that holds customer account balances.…
- In an organization implementing the Biba integrity model, a software developer with a medium integrity clearance attempts to modify a…
- A security architect is comparing the Bell-LaPadula model to the Biba model for a new classified information system. Which statement…
- Clark-Wilson enforces integrity through well-formed transactions, not clearance levels
Clark-Wilson keeps commercial data consistent by forbidding direct access: subjects change constrained data items (CDIs) only through certified transformation procedures (TPs), and integrity verification procedures (IVPs) confirm the data is in a valid state. Its central construct is the access triple (subject to program to object) so a user never operates on data except through an authorized program. This suits fraud and error prevention in financial systems, where clearance levels (BLP/Biba) are the wrong tool.
Trap Assuming Clark-Wilson assigns integrity levels and read/write rules like Biba. It governs integrity through certified programs and the access triple, not a lattice of labels.
3 questions test this
- A financial services company is implementing the Clark-Wilson model to protect its transaction processing system. The security team needs…
- A healthcare organization is comparing the Clark-Wilson model with the Biba model for protecting patient billing records. Which statement…
- A financial services company is implementing the Clark-Wilson model to protect its banking transaction data. When configuring the model,…
- Clark-Wilson bakes in separation of duties so no one both creates and approves a change
Clark-Wilson requires separation of duties: the subject who initiates a transaction cannot be the one who approves it, so fraud needs collusion rather than a single actor. NIST defines separation of duty as the principle that no user is given enough privilege to misuse the system alone, enforced statically or dynamically (the two-person rule is the dynamic case). This is why exam stems about "a user may not both create and approve" point to Clark-Wilson.
Trap Attributing a separation-of-duties requirement to Biba or Bell-LaPadula. Those control read/write by level and say nothing about splitting a transaction across two people.
- Brewer-Nash (Chinese Wall) blocks conflict of interest using access history
Brewer-Nash, the Chinese Wall policy, walls off data sets that present a commercial conflict of interest: once a subject reads data for one company in a conflict class, they are barred from competitors in that same class. It is dynamic and history-based: past access decides future access, so the accessible set narrows with each read. Despite often being grouped with integrity models, its goal is confidentiality: preventing illicit information flow across the wall.
Trap Classifying Brewer-Nash as an integrity model because it is taught alongside Biba and Clark-Wilson. Its actual goal is confidentiality, stopping information flow between conflicting clients.
- Graham-Denning and HRU govern the protection state, and HRU proves safety is undecidable
Graham-Denning defines primitive rights and rules for securely creating and deleting subjects and objects and transferring rights: it administers the protection matrix itself rather than reads and writes of data. Harrison-Ruzzo-Ullman (HRU) extends this and famously proves the safety problem (can a given right ever leak to a subject) is undecidable in the general case. The takeaway is that these answer how rights are administered and whether leakage is provable, which the data-flow models do not.
Trap Crediting the undecidable safety-problem proof to Graham-Denning. The proof that the general safety problem is undecidable belongs to Harrison-Ruzzo-Ullman.
- The reference monitor must be tamperproof, always-invoked, and verifiable
A reference monitor is the abstract control that mediates every access attempt against the policy; NIST requires three properties simultaneously: always invoked (complete mediation, nothing bypasses it), tamperproof (protected from modification), and verifiable (small enough to be analyzed for correctness). It is the enforcement concept every model assumes: a model is inert without something that actually checks each access.
Trap Naming the security model itself as what enforces access: the model is the rulebook; the reference monitor is what mediates against it.
- The security kernel implements the reference monitor; the TCB is the full trusted boundary
The security kernel is the concrete hardware, firmware, and software that implements the reference monitor concept, and it must mediate all access, resist modification, and be verifiable. The Trusted Computing Base (TCB) is the totality of protection mechanisms (hardware, firmware, and software) responsible for enforcing the security policy, so it is the boundary you evaluate for assurance. Keep the three straight: reference monitor (concept), security kernel (implementation), TCB (whole trusted boundary).
Trap Treating the security kernel and the TCB as the same thing. The kernel is the component that implements the reference monitor, while the TCB is the entire trusted boundary that contains it.
- State-machine, information-flow, and noninterference describe HOW a model reasons
These three are reasoning frameworks, not pillar choices, so one named model can be several at once. A state-machine model proves the system is secure in every reachable state and transition; an information-flow model tracks data movement between levels and blocks disallowed flows; a noninterference model requires that a higher-level subject's actions have no observable effect on a lower-level subject. Bell-LaPadula is simultaneously a state-machine and an information-flow model.
Trap Treating state-machine, information-flow, and noninterference as mutually exclusive labels. They describe how a model reasons, so a single model like Bell-LaPadula can be more than one at once.
- Noninterference defeats covert channels and inference that level-based MAC leaves open
A noninterference model goes beyond blocking direct flows: it requires a high-level subject's behavior to be unobservable to a low-level subject, closing covert channels and inference. This matters because even strict MAC leaks: NIST warns information of a higher class can be deduced by assembling and combining lower-class information. A stem describing a low user indirectly deducing high data is testing this gap, and the answer is a noninterference model, not BLP or Biba.
Trap Assuming Bell-LaPadula's no-read-up / no-write-down already closes covert channels and inference. Those block direct flows but leave the indirect leakage that noninterference is meant to address.
3 questions test this
- During a security assessment, an auditor discovers that a Bell-LaPadula implementation allows a Top Secret process to signal information to…
- A security analyst discovers that users are able to determine the existence of sensitive employee termination records by noting that…
- A government agency's multilevel security system implements Bell-LaPadula for confidentiality protection. Security analysts have identified…
- Bell-LaPadula and Biba are lattice models specifying Mandatory Access Control
Both Bell-LaPadula and Biba are multilevel security models that label every subject and object with a level drawn from an ordered lattice, used to express Mandatory Access Control. Under MAC the system enforces protection decisions over the object owner's wishes (the owner cannot override the policy) which is what distinguishes it from owner-controlled discretionary access control. The lattice ordering is what gives "up" and "down" their meaning in the read/write rules.
Trap Thinking the object owner can grant or override access under these lattice models. That is discretionary access control; MAC enforces the policy regardless of the owner's wishes.
5 questions test this
- A defense contractor needs to implement an access control system where access decisions are made by a central authority based on security…
- A government agency requires that access decisions be based on the sensitivity level of information and users' formal clearance levels,…
- A government defense contractor is implementing access controls for a classified information system that requires users to possess formal…
- A security administrator at a defense contractor is implementing an access control system where data is classified as Confidential, Secret,…
- A government agency is implementing a new document management system that must prevent users from sharing classified information with…
- Match the model to the scenario's pillar, not to a keyword
Choose the model from the goal in the stem: confidentiality with clearance levels selects Bell-LaPadula; integrity with levels selects Biba; integrity via controlled transactions and separation of duties selects Clark-Wilson; conflict of interest among competing parties selects Brewer-Nash. The common distractor is the other CIA pillar's model: offering Biba when the scenario is about secrecy, or BLP when it is about preventing corruption.
- The classic models address confidentiality and integrity, never availability
None of Bell-LaPadula, Biba, Clark-Wilson, or Brewer-Nash addresses the availability pillar: they govern who may read or write what, not whether the system stays reachable. Availability is handled through resilience, redundancy, and continuity design instead. A stem that frames any of these models as protecting uptime or availability is using a framing trap.
Trap Selecting a confidentiality or integrity model as the answer to an availability requirement: these models say nothing about uptime.
- Bell-LaPadula's tranquility property governs whether labels can change during operation
Bell-LaPadula adds a tranquility property about label stability: strong tranquility means security labels never change while the system runs, whereas weak tranquility allows labels to change only in ways that do not violate the security policy. This matters because allowing a subject or object to be relabeled mid-operation could otherwise sidestep the no-read-up / no-write-down rules.
Trap Swapping the definitions so that weak tranquility forbids all label changes. It is strong tranquility that bars any change during operation, while weak tranquility permits policy-safe relabeling.
Controls Selection
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
System Security Capabilities
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Architecture Vulnerabilities
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cryptographic Solutions
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Pick the cryptographic class by the property the asset needs, not by strength
Cryptography splits into three classes that preserve different properties: symmetric and asymmetric ciphers give confidentiality, hash functions give integrity, and a digital signature gives integrity plus authenticity plus non-repudiation together. Reason from the required property first, then choose the class whose primary effect is that property. The recurring exam trap is offering a strong control for the wrong property, so fit beats strength.
Trap Choosing the strongest-sounding algorithm rather than the one whose property matches the requirement, e.g. answering with encryption when the question asks for integrity.
- AES is a symmetric block cipher specified in FIPS 197
The Advanced Encryption Standard (AES) is a symmetric block cipher (one shared secret key both encrypts and decrypts) specified in NIST FIPS 197 and used for bulk confidentiality such as full-disk, database, and transport encryption. Symmetric is fast, which is why it carries the data payload rather than asymmetric crypto. Its weakness is not the math but distributing the shared key safely.
Trap Classifying AES as an asymmetric algorithm because it is the headline standard, when the same secret key both encrypts and decrypts.
- Symmetric key distribution does not scale, which is the problem asymmetric solves
A symmetric cipher needs both endpoints to hold the same secret, and there is no safe way to hand that secret across an open channel; n parties talking pairwise need about n(n-1)/2 keys, which explodes. Asymmetric cryptography exists precisely to break this: a published public key lets anyone encrypt while only the private key decrypts, so no secret crosses the wire. That is the single reason real protocols pair the two.
Trap Picking weak algorithm strength as symmetric crypto's main weakness when the actual scaling problem is safely distributing the shared secret.
- Never use ECB mode; it leaks plaintext structure
A block cipher needs a mode of operation, and Electronic Codebook (ECB) is the wrong choice because it encrypts identical plaintext blocks to identical ciphertext, leaking patterns in the data. Prefer an authenticated mode such as GCM, which provides confidentiality and integrity at once. The fact that two ciphertext blocks match should never reveal that the underlying plaintext matched.
Trap Treating ECB as acceptable because the cipher (e.g. AES) is strong: the mode, not the cipher, leaks repeating-block structure.
- ECC gives RSA-equivalent security at a far smaller key size
Elliptic-curve cryptography (ECC) reaches the same security level as RSA with much shorter keys (roughly a 256-bit ECC key matches a 3072-bit RSA key) so it costs less compute and bandwidth and is preferred on mobile and constrained devices. Both are asymmetric and far slower than symmetric ciphers, so both are used on small data like keys and hashes, not bulk payloads.
Trap Reading ECC's shorter key as weaker than RSA, when a 256-bit ECC key matches a 3072-bit RSA key at the same security level.
- Diffie-Hellman exchanges a shared secret without sending it
Diffie-Hellman is an asymmetric primitive that neither encrypts nor signs; it lets two parties derive a shared symmetric secret over a public channel. Using ephemeral Diffie-Hellman keys per session provides perfect forward secrecy, meaning a later compromise of a long-term private key cannot decrypt previously recorded sessions. That property is why modern TLS favors ephemeral key exchange.
Trap Treating Diffie-Hellman as an encryption or signing algorithm, when it only establishes a shared secret and neither encrypts nor signs data.
4 questions test this
- A security engineer is hardening the encrypted sessions a bank uses to exchange transaction data with partners over the internet. The…
- A security engineer is configuring cipher suites for a TLS 1.2 implementation protecting financial transactions. The configuration must…
- A security architect is configuring TLS for a new web application that handles sensitive financial data. The organization wants to ensure…
- A security administrator is hardening TLS configurations and must disable cipher suites that do not provide adequate security. According to…
- Real systems are hybrid: asymmetric ships the key, symmetric carries the data
A hybrid cryptosystem like TLS generates a random one-time symmetric session key, encrypts the bulk data with that fast key, and encrypts only the small session key with the recipient's public key. The recipient uses its private key to recover the session key, then decrypts the data symmetrically. Asymmetric crypto touches just the tiny key, never the payload: that is how systems get both safe key distribution and speed.
Trap Believing asymmetric encryption protects the whole file: it encrypts only the session key; the symmetric cipher encrypts the data.
- A hash gives integrity, not confidentiality
A cryptographic hash (SHA-2 or SHA-3) is a one-way function producing a fixed-length digest, so any change to the input changes the digest: that is integrity. It uses no key, so on its own it proves nothing about who produced the data, and being one-way it does not hide data from someone who already has it. Use encryption when secrecy is the goal and a hash when tamper detection is.
Trap Selecting hashing to keep data secret, when a keyless one-way digest provides integrity and does nothing for confidentiality.
- A MAC proves authenticity but cannot provide non-repudiation
A Message Authentication Code (MAC), including its hash-based form HMAC, uses a secret key shared by both parties to prove integrity and authenticity between them. But because both hold the same key, either could have produced the tag, so a MAC cannot give non-repudiation: an outside party can't attribute the act to one signer. Reach for a MAC when two known parties just need to trust each other's messages.
Trap Crediting a MAC or HMAC with non-repudiation, when the shared key means either party could have produced the tag and a third party cannot attribute it.
- Only an asymmetric digital signature provides non-repudiation
A digital signature hashes the message and encrypts the hash with the signer's private key; a verifier checks it with the signer's public key. Per FIPS 186-5 it delivers data integrity, origin authenticity, and signatory non-repudiation at once, and non-repudiation holds only because the private key is held by exactly one party, letting a third party attribute the act. When a question wants the signer unable to deny it to an auditor or court, the answer is a digital signature.
Trap Answering MAC or HMAC for non-repudiation: the shared key means either party could have produced the tag, so it fails third-party attribution.
- FIPS 186-5 approves RSA, ECDSA, and EdDSA for signatures
The Digital Signature Standard, FIPS 186-5 (2023), specifies the approved signature algorithms RSA, ECDSA, and EdDSA, and supersedes FIPS 186-4. It exists to detect unauthorized modification, authenticate the signatory, and provide non-repudiation. Knowing the standard's name and that signatures are asymmetric is the testable core, not the algorithm internals.
- Encryption, hashing, and encoding are three different things
Encoding such as Base64 is reversible and keyless and is not a security control; encryption is reversible with a key and gives confidentiality; hashing is one-way and gives integrity. Conflating them is a classic distractor, especially treating Base64 or a hash as if it were encryption. Name the operation by whether it is reversible and whether it uses a key.
Trap Calling Base64 encoding or a hash digest 'encryption': neither hides data with a key.
- Most cryptographic failures are key-management failures, so govern the lifecycle
Algorithms rarely break in practice; keys do, through poor handling. Treat every key as moving through generation, distribution/exchange, storage, use, rotation, and destruction, and put a control on each phase. Generate from a vetted random source, distribute without exposing the secret, store private keys in hardware separated from the data, rotate on schedule, and destroy retired keys so they cannot be recovered.
Trap Hardening the algorithm or key length when the BEST control is governing the key's whole lifecycle, where real-world failures happen.
- A key is authorized only for its cryptoperiod, then it must be rotated
A cryptoperiod is the time span during which a specific key is authorized for use (NIST SP 800-57); at its end the key is retired and replaced. Bounding the cryptoperiod limits the damage of a compromise to a single window of data rather than everything the key ever protected. This is why key rotation is a policy requirement, not an optional hygiene step.
- Store private keys in an HSM, separated from the data they protect
A Hardware Security Module (HSM) generates and holds keys inside tamper-resistant hardware so the private key never leaves it in the clear, and keys are kept separate from the data they encrypt so one compromise does not yield both. When a question asks the BEST way to protect keys, the lifecycle answer (HSM storage, rotation, destruction) beats simply picking a longer key.
Trap Fixating on a larger key size while leaving the private key poorly stored. Key handling, not key length, is usually the weak point.
- Key escrow and split knowledge govern recovery and custody
Key escrow stores a copy of a key with a trusted third party so the organization, or law enforcement under proper authority, can recover encrypted data if the key is lost. Split knowledge with M-of-N control requires several custodians to act together to use a critical key, so no single person can wield or expose it alone. The two address different risks: escrow is about recoverability, split knowledge about insider control.
Trap Reaching for key escrow to stop a single insider from misusing a key, when recoverability is escrow's purpose and split knowledge is what enforces dual control.
- A public key becomes trustworthy only through a PKI-issued certificate
A public key is just a number; trust comes from an X.509 certificate that binds the key to an identity and is signed by a Certificate Authority the relying party already trusts. Public Key Infrastructure (PKI) is the framework that issues, maintains, and revokes those certificates, with a Registration Authority vetting identity before the CA signs. Without a trusted issuer in the chain, the binding means nothing.
Trap Trusting a public key on its own because it works mathematically, when trust requires a CA-signed certificate binding that key to a verified identity.
- Trust flows down a chain from a protected root through intermediate CAs
PKI layers its authorities: a tightly guarded, usually offline root CA signs intermediate (subordinate) CAs, which in turn sign end-entity certificates. A relying party trusts a certificate by validating the chain up to a root already in its trust store. The layering means a root compromise stays rare and an intermediate can be revoked without reissuing every certificate beneath it.
Trap Assuming the root CA directly signs end-entity certificates, when it signs intermediate CAs and stays offline so a compromise can be contained at the intermediate level.
- A valid certificate must chain to a trusted root, be unexpired, and not be revoked
A verifying signature alone is not enough; a certificate is trustworthy only if all three hold: it chains to a trusted root, has not expired, and has not been revoked. Because a private key can be lost or stolen before expiry, revocation checking is mandatory, not optional. A self-signed certificate fails the first condition and should not be accepted as proof of identity.
Trap Accepting a certificate because its signature verifies, while ignoring that it is expired, self-signed, or revoked.
- Use OCSP for real-time revocation; a CRL is the periodic-download fallback
A Certificate Revocation List (CRL) is a CA-signed list of revoked serial numbers that clients download, but it goes stale between publications and grows large at scale. The Online Certificate Status Protocol (OCSP) answers the status of a single certificate in real time, and OCSP stapling has the server attach a recent signed status so the client need not contact the CA. Choose OCSP when freshness matters.
Trap Picking a CRL when the requirement is real-time revocation status, since a downloaded list goes stale between publications and OCSP answers per certificate.
- Quantum breaks asymmetric crypto but only weakens symmetric and hashing
Shor's algorithm on a large quantum computer efficiently factors integers and solves discrete logs, defeating RSA, ECC, and Diffie-Hellman. Grover's algorithm only roughly halves the effective strength of symmetric ciphers and hashes, which is countered by doubling key or output size, so AES-256 and SHA-384 stay strong. The asymmetric algorithms are the ones that need replacing.
Trap Assuming a quantum computer breaks AES and SHA outright, when Grover only halves their strength (fixed by larger sizes) while Shor defeats RSA, ECC, and DH.
2 questions test this
- Migrate to NIST post-quantum standards now against harvest-now-decrypt-later
NIST finalized its first post-quantum standards in August 2024: ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures. Because adversaries can record encrypted traffic today and decrypt it once quantum computers arrive (the harvest-now-decrypt-later threat), data with a long confidentiality lifetime should adopt these algorithms now rather than waiting for a quantum computer to exist.
Trap Deferring post-quantum migration until quantum computers exist, when harvest-now-decrypt-later means long-lived secrets are already at risk from recorded traffic.
4 questions test this
- A security architect is planning the organization's migration to post-quantum cryptography. The organization uses RSA and ECDH extensively…
- A CISO is presenting the quantum computing threat to the executive board and needs to explain why the organization should begin migrating…
- A government agency's security architect protects classified records that carry a twenty-five-year retention requirement and are exchanged…
- A CISO is prioritizing the organization's post-quantum cryptography migration efforts and must determine which systems require immediate…
- QKD detects eavesdropping but does not replace authentication
Quantum key distribution (QKD) uses quantum physics rather than math to detect any eavesdropper on a key exchange, but it requires special hardware and provides no source authentication on its own. NIST and NSA guidance therefore favor post-quantum algorithms over QKD for general use. Treating QKD as a drop-in replacement for the whole cryptographic stack is the misconception to avoid.
Trap Assuming QKD by itself replaces authentication or post-quantum algorithms. It only secures key exchange and needs dedicated hardware.
- Store passwords with a slow, memory-hard, per-user-salted hash
Fast general-purpose hashes (MD5, SHA-1, SHA-256) are unfit for passwords because GPUs compute billions per second and unsalted ones fall to precomputed rainbow tables. Use a deliberately slow, memory-hard algorithm (Argon2id, bcrypt, scrypt, PBKDF2) with a unique random salt per password. A salt defeats rainbow tables and forces one-at-a-time cracking; a pepper (a secret added via a keyed derivation step and held separately, e.g. in an HSM) adds protection if only the database is stolen.
Trap Salt defeats precomputation (rainbow tables) but does NOT slow brute force. Only a slow/memory-hard function does; both are needed.
8 questions test this
- During a security assessment, a penetration tester discovers that an application stores password hashes using bcrypt with a work factor of…
- An organization's security team has discovered that attackers equipped with GPU clusters are attempting to crack their password database…
- A security analyst is investigating a breach where attackers obtained password hashes stored using SHA-1 without salting. The analyst needs…
- During a penetration test, an attacker obtains a copy of a password database containing unsalted MD5 hashes. The attacker wants to recover…
- A financial institution is selecting a password hashing algorithm to protect customer credentials against offline brute force attacks using…
- A financial institution stores customer passwords using SHA-256 with unique per-user salts. After a security assessment, the CISO wants to…
- An organization discovered that an attacker obtained their password database containing unsalted MD5 hashes. The security team wants to…
- A security architect is evaluating password storage mechanisms for a new enterprise application. The organization is concerned about…
Cryptanalytic Attacks
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Site & Facility Design
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Facility Security Controls
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
System Lifecycle
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Communication & Network Security
Secure Network Architecture
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Map any protocol, threat, or control to its OSI layer first
The OSI model's seven layers - Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7) - exist so you can place any protocol, attack, or control at the layer it operates on. CISSP questions pair a threat to its layer and ask for the countermeasure that belongs there, so naming the layer is the move that selects the answer. Lower-numbered layers are closer to the physical medium; higher-numbered are closer to the application.
- The four-layer TCP/IP model is what the wire actually uses
TCP/IP collapses OSI's seven layers into four: Link (OSI 1-2), Internet (OSI 3), Transport (OSI 4), and Application (OSI 5-7). The protocols you run follow TCP/IP, but the exam phrases threats and controls in OSI's seven-layer vocabulary, so you must hold both models and the mapping between them. The Internet layer is where IP and IPsec live; the Application layer absorbs OSI's session, presentation, and application functions.
Trap Mapping the TCP/IP Application layer to OSI Layer 7 alone - it actually absorbs OSI's Session, Presentation, and Application layers (5-7).
- A control at a lower layer protects everything carried above it
Encapsulation means each layer wraps the data of the layer above, so security added at a lower layer covers all the protocols riding on top of it without per-application changes. That is exactly why network-layer IPsec protects every application's packets while transport-layer TLS protects only one application's session. The corollary for attackers: a filter that inspects only an outer wrapper cannot see traffic hidden in an inner layer.
Trap Assuming a higher-layer control protects the layers beneath it - protection flows upward from a lower layer, so a higher-layer control covers only its own session, not the traffic carrying it.
- Defense-in-depth layers only count if they fail independently
Defense in depth places controls across multiple layers so defeating one does not defeat the rest, but the CISSP qualifier is that the layers must be independent. Two controls that share one chokepoint or one credential store fail together and count as a single layer, not two, so adding a second firewall that trusts the same management plane buys little real depth. Genuine depth puts controls that fail for different reasons in the attacker's path.
Trap Counting two controls behind one shared credential store or management plane as two layers - one compromise drops both, so they are really one layer.
- IPsec secures at Layer 3, so it covers all IP traffic between endpoints
IPsec operates at the Network layer, so it protects every IP packet between two endpoints or gateways regardless of the application that produced it - that breadth is why it underpins site-to-site VPNs. When a requirement is to protect all traffic between two locations transparently to applications, IPsec is the layer-correct answer. Per-application encryption cannot deliver that transparent, all-traffic coverage.
Trap Reaching for per-application TLS to cover all traffic between two sites - only network-layer IPsec protects every IP packet transparently regardless of the application.
- Use ESP when you need confidentiality; AH gives integrity only
IPsec has two protocols: AH (Authentication Header) provides integrity and data-origin authentication but no encryption, while ESP (Encapsulating Security Payload) provides confidentiality plus optional integrity. So a requirement for confidentiality forces ESP, never AH. RFC 4301 even downgraded AH to optional because ESP alone meets most needs.
Trap Choosing AH to encrypt traffic - AH never provides confidentiality, only integrity and authentication; ESP is the encrypting protocol.
- IPsec tunnel mode hides the original IP header; transport mode keeps it
Tunnel mode adds a new outer IP header and encapsulates the entire original packet, hiding the inner addresses - this is the gateway-to-gateway VPN case. Transport mode adds no new IP header and protects only the payload, leaving the original IP header exposed, which fits host-to-host protection where the endpoints route the packets themselves. The deciding question is whether the original addressing must be concealed across an intermediate link.
Trap Assuming transport mode hides the original IP header - it does not add an outer header, so the original source and destination remain visible; tunnel mode is what conceals them.
- TLS protects one application's session above the Transport layer
TLS sits just above the Transport layer and secures a single application session - HTTPS is TLS protecting HTTP - giving per-application confidentiality and integrity with no change to the underlying network. It is the right tool when one service needs protection and re-architecting the network is unwarranted. Because it is per-session, it does not transparently protect every protocol the way network-layer IPsec does.
Trap Picking TLS to secure all traffic between two sites - TLS only protects per-application sessions, so blanket site-to-site protection is IPsec's job at the network layer.
- Segmentation contains a breach by limiting lateral movement
Segmentation divides a network into zones and controls traffic at the boundaries, so an attacker who compromises one zone cannot freely reach the next. It is the architectural answer to limiting lateral movement after an initial foothold. The design heuristic is that the higher a zone's value or the lower its trust, the finer the segmentation it warrants.
Trap Expecting segmentation to prevent the initial breach - it contains and limits lateral movement after a foothold, it does not stop the first compromise.
- Logical segmentation shares hardware; physical segmentation shares nothing
Physical segmentation uses separate hardware or an air gap and shares no common component, giving the strongest isolation at the highest cost. Logical segmentation - a VLAN splitting one switch into separate broadcast domains - is cheaper and far more common but rides shared hardware, so a compromise or misconfiguration of that device (for example VLAN hopping) can defeat it. When a stem demands true isolation of a high-value system, physical separation is the stronger answer because there is no shared component to subvert.
Trap Treating a VLAN as equivalent to physical isolation for a high-value system - the VLAN shares switch hardware an attacker could subvert via VLAN hopping or a device compromise.
- Micro-segmentation pushes the boundary down to a single workload
Micro-segmentation enforces policy at the granularity of an individual host or workload rather than a whole subnet, so even server-to-server traffic inside one zone must pass a policy check. This is the mechanism that makes zero trust enforceable inside a data center, because there is no implicitly trusted inside if every workload-to-workload flow is mediated. The cost is the larger number of policies to define and maintain compared with subnet-level rules.
Trap Equating micro-segmentation with ordinary subnet or VLAN segmentation - micro-segmentation mediates every workload-to-workload flow, not just traffic crossing a zone boundary.
4 questions test this
- A security team is designing network access policies for their zero trust implementation using microsegmentation. Which traffic flow does…
- A company is implementing a zero trust network architecture and must decide between traditional network segmentation and microsegmentation.…
- A security architect is implementing microsegmentation to support zero trust principles. Which traffic flow pattern does microsegmentation…
- A security architect is evaluating microsegmentation as part of the organization's zero trust strategy. Which security objective is…
- Zero trust grants no access based on network location
Zero trust assumes the network is already compromised and grants nothing based on where a request originates, so being inside the perimeter earns no access. NIST SP 800-207 frames it as least-privilege, per-request access decisions made in the face of a network viewed as compromised; every session is authenticated, authorized, and granted least privilege against a dynamic policy weighing identity, device posture, and context. Authenticating to one resource never automatically grants access to another.
Trap Assuming a request from inside the firewall is trustworthy - zero trust explicitly removes location-based trust and verifies every session regardless of origin.
- Zero trust enforces with a Policy Decision Point and a Policy Enforcement Point
NIST SP 800-207 structures zero-trust enforcement as a Policy Decision Point (PDP) that evaluates each access request against policy and a Policy Enforcement Point (PEP) that actually allows or blocks the connection. Separating the decision from the enforcement lets one policy engine govern many enforcement points consistently. The standing design goal is to keep any implicit-trust zone as small as possible.
Trap Swapping the roles of the PDP and PEP - the Policy Decision Point evaluates the request against policy, while the Policy Enforcement Point is what actually permits or blocks the connection.
- SDP and ZTNA hide a resource until the requester is verified
A software-defined perimeter (SDP), the mechanism behind zero-trust network access (ZTNA), hides resources from the network and brokers a connection only after the requester is authenticated, so an attacker cannot even see a resource they have not authenticated to, let alone attack it. This shrinks the attack surface to nearly nothing for unauthenticated parties. It contrasts with a traditional VPN that places a verified user broadly onto a network segment.
Trap Treating a traditional VPN as equivalent to ZTNA - the VPN drops a verified user broadly onto a network segment, whereas SDP keeps each resource hidden and brokers access per request.
- SASE is a delivery architecture for zero trust, not the principle itself
SASE (Secure Access Service Edge) is a cloud-delivered model that converges SD-WAN networking with security functions such as secure web gateway, CASB, and firewall-as-a-service to enforce zero-trust access at the edge near the user. It is a way to deliver zero-trust controls, so adopting the zero-trust principle does not require buying a SASE product, and buying SASE is not the same as having implemented zero trust. Treat SASE as the convergence of networking and security at the edge, not as a synonym for zero trust.
Trap Equating buying a SASE product with having achieved zero trust - SASE is a delivery architecture; the zero-trust principle still has to be designed and enforced.
- SDN splits the control plane from the data plane, centralizing risk
Software-defined networking decouples the control plane (the logic deciding where traffic goes) from the data plane (the devices that forward it), centralizing policy in a controller so the network is programmable from one place. This enables consistent, automated segmentation but concentrates risk: compromising the SDN controller compromises the whole network's forwarding decisions, making the controller a crown-jewel asset to protect. SD-WAN applies the same control-plane abstraction across wide-area links and is the networking half of SASE.
- A VPC is a logically isolated software-defined network in the cloud
A virtual private cloud (VPC) is the cloud expression of a logically isolated network carved from a provider's shared infrastructure, which you then segment with subnets and security groups. It is software-defined and logical, so the same logical-vs-physical caution applies: isolation is enforced by the provider's software, not by separate hardware you own. You design VPC segmentation the way you would design VLAN and zone boundaries on premises.
Trap Treating VPC isolation as physical, dedicated-hardware separation - it is logical isolation enforced by the provider's software over shared infrastructure, carrying the same caveats as a VLAN.
- Multilayer protocols enable tunneling but also let traffic be smuggled
Multilayer protocols such as TCP/IP permit encapsulation, carrying one protocol inside another, which is what makes tunneling and VPNs possible. The same property lets an attacker smuggle disallowed traffic inside an allowed protocol or evade a filter that inspects only the outer layer. Each layer of encapsulation is therefore a layer your controls must be able to inspect through, not assume is benign.
Trap Trusting a filter that inspects only the outer protocol - encapsulation lets disallowed traffic ride inside an allowed protocol, so controls must inspect through each layer.
- Converged protocols inherit the data network's threats and must be segmented
Converged protocols carry traditionally separate traffic over the data network: VoIP puts voice on IP, while FCoE and iSCSI put storage traffic onto Ethernet/IP. Once voice or storage rides the data network it inherits every threat of that network, so it must be segmented from general data traffic rather than trusted as a separate medium. Convergence is a reason to add segmentation and inspection, not a reason to assume the carried traffic is safe.
Trap Treating VoIP or iSCSI storage traffic as a trusted, separate medium once it shares the IP network - it now carries the same exposure as any other data traffic and needs segmenting.
- Private VLAN isolated ports reach only the promiscuous port, never each other
A private VLAN gives Layer 2 isolation inside one IP subnet. Isolated ports can talk only to promiscuous ports (where the gateway, DHCP, or shared services sit) and never to other isolated or community ports, ideal for multi-tenant or web-server hosting where peers must not see each other but all need the gateway.
Trap VLAN-to-VLAN separation alone does not stop same-subnet peer traffic; that is what isolated private-VLAN ports add.
8 questions test this
- A data center architect needs to isolate web servers so that each server can only communicate with the default gateway and not with other…
- A cloud service provider hosts multiple tenants on shared infrastructure and needs to isolate web servers so they cannot communicate with…
- A managed service provider hosts servers for multiple customers on the same physical network infrastructure. The provider needs to ensure…
- An organization deploying a multi-tenant hosting environment wants to prevent hosts within the same IP subnet from communicating directly…
- An organization needs to isolate customer traffic on a shared network infrastructure where customers should not communicate directly with…
- A data center administrator needs to provide Layer 2 isolation between web servers belonging to different customers while still allowing…
- A data center administrator needs to ensure that web servers on the same subnet cannot communicate directly with each other but can all…
- A hosting provider needs to isolate multiple customer web servers that share the same IP subnet while allowing all servers to communicate…
- VLANs are Layer 2 only; restrict inter-VLAN traffic with a routed firewall, ACLs, or VACLs
VLANs segment broadcast domains at Layer 2 but do nothing to filter traffic routed between them. Unauthorized cross-VLAN reachability means a Layer 3 device is routing without controls; the fix is to route inter-VLAN traffic through a firewall or apply ACLs / VLAN ACLs (VACLs) that default-deny and log, so traffic between segments is explicitly authorized.
Trap Traffic crossing VLANs without passing a router points to a Layer 2 leak (e.g. trunk misconfiguration), but the standard control to enforce policy is still a VACL or routed ACL.
4 questions test this
- A healthcare organization uses VLANs to segment its network into administrative, clinical, and medical device zones. After a security…
- An organization operates a network with multiple security zones including an external-facing DMZ, internal corporate network, and a…
- A network administrator discovers that traffic from one VLAN can unexpectedly reach devices in another VLAN without passing through a…
- A network security team is implementing segmentation controls and wants to ensure that traffic cannot flow between VLANs without explicit…
- Pick uRPF mode by routing symmetry: strict for symmetric, loose/feasible for asymmetric
Unicast Reverse Path Forwarding drops spoofed packets by checking the source address against the FIB. Strict mode requires the source route to point back out the arrival interface (best anti-spoofing, symmetric routing only). Loose mode accepts the packet if any route to the source exists, and feasible-path mode accepts it via any valid alternate path, both tolerate the asymmetric routing of multihomed networks.
Trap Strict uRPF will drop legitimate traffic on asymmetric/multihomed links; that is when loose or feasible-path mode is required.
7 questions test this
- A security engineer is configuring ACLs on border routers and must decide on the appropriate uRPF mode for a network with asymmetric…
- A network engineer is implementing source address validation on border routers for a multihomed enterprise network. The engineer is…
- A network administrator wants to implement anti-spoofing controls on a border router to prevent attackers from using forged source…
- A network administrator wants to implement anti-spoofing controls on border routers to prevent DDoS attacks that use forged source IP…
- A network security architect is implementing anti-spoofing controls on edge routers connecting to the Internet. The organization has…
- A security administrator needs to implement anti-spoofing controls on routers but is concerned about asymmetric routing in the multihomed…
- An organization is configuring unicast Reverse Path Forwarding (uRPF) on its border router to prevent IP address spoofing. In strict mode,…
- SDP has three components: Controller, Initiating Hosts, and Accepting Hosts
Per the CSA Software-Defined Perimeter spec, the Controller makes the policy/authentication decisions, Initiating Hosts (clients) request access, and Accepting Hosts (protected resources/gateways) reject all connections until the Controller authorizes them. This delivers zero-trust 'authenticate first, connect second' access.
Trap Resources stay invisible to scanning via Single Packet Authorization (SPA). The Accepting Host stays dark until it receives a valid SPA packet.
4 questions test this
- A security architect is implementing a Software-Defined Perimeter (SDP) architecture to support zero trust principles. The architect needs…
- An organization is implementing Software-Defined Perimeter (SDP) to achieve zero trust network access. Which component is responsible for…
- An enterprise is deploying a Software-Defined Perimeter solution. The security team needs to understand the core architectural components.…
- An organization is implementing a Software-Defined Perimeter (SDP) solution to achieve zero trust network access. Which three components…
- A DMZ sits between two firewalls; DMZ hosts may reach out but never initiate into the internal network
Place public-facing servers (web, mail) in a DMZ between an external and an internal firewall. Permitted flows are external-to-DMZ and internal-to-DMZ; DMZ hosts may only initiate connections outward to the external network, never inward to the internal network, so a compromised DMZ host cannot pivot to internal systems.
5 questions test this
- An organization is designing a screened subnet architecture using two firewalls. The security team is determining the appropriate rules for…
- An organization is designing its network architecture and wants to deploy public-facing web servers that external users can access while…
- A company needs to provide access to its web application from the internet while protecting backend systems. The security team is designing…
- An organization operates a web application that requires public internet access. The security architect is designing the network…
- A security engineer is designing a DMZ architecture for an organization that hosts critical web applications. The design must provide…
Network Components
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Securing a network component means hardening the hardware layer, not the topology
Network Components owns the physical and near-physical pieces inside a network (power and support, transmission media, the NAC gate, and the endpoint) while segments, zones, and protocol layers belong to Secure Network Architecture. Treat each component as both a defense-in-depth layer and a potential single point of failure, so the goal for each is to make it resilient (keeps working through faults) and trustworthy (only authorized, healthy devices and signals pass). The exam tests these as engineering and operational decisions, not device configuration.
- Redundancy runs from N+1 to 2N, and the level is a cost-versus-downtime call
Component redundancy is expressed from N+1 (one spare beyond what the load actually needs) up to 2N, a fully duplicated and independent path with no shared single point of failure. The level you pick is a cost-versus-availability decision driven by the cost of downtime, not a fixed standard, with intermediate options like N+2 or 2N+1. At the device level the same idea appears as high-availability clustering with failover (a partner takes over when the active unit dies) and load balancing (traffic spread so no one device is a bottleneck or sole failure point).
Trap Picking N+1 redundancy believing it removes the single point of failure, when only 2N gives a fully independent path with no shared component to fail.
- A UPS bridges seconds to minutes; only a generator survives a prolonged outage
Redundant power is built in order: dual feeds and redundant supplies remove single-feed failure, power conditioning smooths noise and clamps spikes, a UPS (uninterruptible power supply) carries the load on battery through the seconds-to-minutes gap until the generator spins up, and the generator supplies sustained power for a prolonged outage from stored fuel. The UPS is bridge power, not long-run power, so its job is only to keep things alive until the generator takes over.
Trap Installing a larger UPS to ride out a prolonged blackout. More battery still cannot replace a generator, because a UPS only bridges the brief gap until sustained power arrives.
- An out-of-support device is an unpatchable vulnerability. Plan its replacement
Once a vendor reaches end-of-life / end-of-support for a device, it stops receiving security patches and firmware, so it becomes an unfixable vulnerability no matter how high its uptime. The security-driven action is to plan the replacement before that date rather than wait for it to fail, which makes support contracts and lifecycle planning security controls, not just procurement hygiene. A maintained warranty matters because it guarantees an SLA-bound response window and a supply of spare parts.
Trap Keeping a high-uptime appliance in service past end-of-support because it still works. Uptime says nothing about whether it can still be patched against new vulnerabilities.
- Copper carries electricity, so it radiates, suffers EMI and crosstalk, and attenuates
Twisted-pair copper carries an electrical signal, which has three security consequences: it radiates electromagnetic emanations a nearby attacker can read without touching the wire (the concern behind the U.S. TEMPEST emanation-security program), it is susceptible to electromagnetic interference (EMI) and to crosstalk where one pair's signal bleeds into an adjacent pair, and it attenuates so an unrepeated run is limited to roughly 100 meters. It can also be tapped by splicing the conductor.
- Fiber carries light, so it emits nothing, ignores EMI, and is hardest to tap
Fiber-optic cable transmits pulses of light, inverting copper's weaknesses: it emits no electromagnetic signal (nothing to read at a distance), is immune to EMI and crosstalk, carries far greater bandwidth over far greater distance (kilometers for single-mode versus copper's ~100 m), and is the hardest medium to tap because intercepting the light means bending or breaking the fiber, which degrades the signal and is detectable. That makes fiber the strongest confidentiality and availability choice for backbone runs and links crossing space you do not physically control.
Trap Choosing shielded copper (STP) for an eavesdropping-sensitive run because shielding cuts emanation. It still carries an electrical signal and can be spliced, whereas a fiber tap degrades the light and is detectable.
- STP and coax reduce EMI but stay electrical and tappable; only the shield differs from UTP
Unshielded twisted pair (UTP) has no electromagnetic shield, while shielded twisted pair (STP) and coaxial cable add a conductive shield that reduces EMI, crosstalk, and emanation at higher cost and stiffness. The shield is the only real difference: all of them still carry an electrical signal that can be tapped by splicing the conductor, so shielding hardens copper against interference and eavesdropping but never makes it tap-proof the way fiber is.
Trap Assuming shielded copper (STP or coax) is tap-proof because the shield blocks emanation, when the conductor still carries an electrical signal that can be spliced.
- Cabling is a confidentiality control, so its physical plant is locked and logged
Because the medium itself carries data, its physical security is a control: cabling terminates in the central MDF (main distribution facility) and floor-level IDF (intermediate distribution facility) closets, and an open patch panel is an unmonitored tap onto the network, so those closets are locked, access-logged restricted areas. Runs through uncontrolled space go in locked conduits; NIST calls a hardened wireline/fiber cabling run with electromagnetic, acoustical, and physical safeguards a protected distribution system (PDS). Signal propagation quality (keeping runs within distance limits, away from EMI sources, and properly terminated) is both an availability and an integrity control.
- NAC admits a device only after it answers two questions: who are you and are you healthy
Network Access Control (NAC) is the gate that decides whether a device may join the network at all, and it enforces two independent checks at connection time: authentication (who/what is this device?) and posture assessment (is it healthy?). A device must satisfy both to reach production resources; passing one is not enough. NAC admits devices, which is distinct from Identity & Access Management proving a human user's identity.
Trap Admitting a device the moment it authenticates, when NAC also requires a passing posture check and authentication alone is not enough to reach production.
- 802.1X holds the port closed until the supplicant authenticates through the RADIUS server
IEEE 802.1X port-based network access control authenticates a device before its switch port or wireless association opens. Three roles cooperate: the supplicant (software on the connecting device), the authenticator (the switch or access point controlling the port), and the authentication server (typically RADIUS, holding policy and credentials). Until the supplicant authenticates (carried over EAP (Extensible Authentication Protocol)) the authenticator keeps the port closed to everything except the authentication exchange, moving the trust decision to the network edge.
4 questions test this
- A security architect at a manufacturing firm is closing a gap exposed by an audit: an attacker plugged a rogue device into an unused…
- A network security lead at a university is replacing flat, statically assigned VLANs with a NAC deployment. The objective is that the same…
- An organization is deploying 802.1X network access control to enforce endpoint compliance before granting network access. Which component…
- An organization wants to implement 802.1X authentication with dynamic VLAN assignment. Which component architecture correctly describes…
- A device that authenticates but fails its health check goes to a quarantine VLAN, not denied
Authentication proves identity but says nothing about hygiene, so posture assessment separately evaluates patch level, antivirus/EDR state, firewall status, and configuration against policy. A device that authenticates yet fails the health check is steered into a quarantine / remediation VLAN with access limited to what it needs to fix itself (patch and AV servers), then re-checked and admitted once compliant, neither locked out entirely nor let onto production dirty.
Trap Outright blocking a known corporate device that fails its health check. It is owned and authenticated, so the correct move is remediation in a quarantine VLAN, not denial.
4 questions test this
- A network security manager at a hospital is hardening access for the clinical network after discovering that contractor laptops, often…
- A security engineer at an insurance company operates NAC that assesses endpoint posture at the moment of connection. Many employee laptops…
- An organization is deploying a NAC solution that should quarantine devices failing compliance checks until remediated. The NAC system…
- An organization implements NAC with 802.1X to dynamically assign devices to VLANs based on their compliance status. A laptop fails the…
- Use agent-based NAC for managed fleets and agentless NAC for devices that can't run an agent
NAC reads posture two ways. Agent-based NAC installs a client (persistent or dissolvable) on the endpoint, giving deep, continuous posture data, the right call for managed corporate devices. Agentless NAC reads the device from the network (scanning, fingerprinting, DHCP/RADIUS attributes) with no software on it, which is the only option for unmanaged, BYOD, or IoT devices that cannot run an agent, at the cost of shallower, point-in-time inspection. Match the method to what you control, not to which inspects more.
Trap Mandating an agent for IoT or BYOD devices to get deeper posture. Those devices often cannot run one, so agentless inspection is the only way to admit them under policy.
- Posture is checked at the door, so strong NAC re-assesses continuously
Posture is assessed at connection time, which means a device healthy when admitted can drift out of compliance afterward, a time-of-check versus time-of-use gap. Strong NAC deployments therefore re-assess continuously rather than only at admission, which is where NAC overlaps with the continuous-verification spirit of zero trust, though the zero-trust model itself belongs to Secure Network Architecture.
Trap Treating the admission-time posture check as sufficient, when a device can drift out of compliance after it is admitted and only continuous reassessment closes the time-of-check to time-of-use gap.
- Hardening reduces attack surface up front via the least-functionality principle
Hardening is the provisioning-time work of removing what an attacker could use: uninstall unnecessary software, disable unused ports and services, close default accounts, and apply a secure configuration baseline such as a CIS Benchmark or DISA STIG. This is the least-functionality principle (configure a system to provide only mission-essential capabilities) and it pays off before any monitoring is installed because fewer enabled features means fewer flaws to exploit.
Trap Reaching for monitoring or detective controls to lower risk when the scenario calls for reducing attack surface up front, since hardening removes the vulnerable feature rather than just watching it.
- A host-based firewall enforces rules at the device, even when network segmentation is bypassed
Where network firewalls and segmentation police traffic between zones, a host-based (personal) firewall enforces traffic rules at the individual device. That keeps a host protected when it is moved to an untrusted network or when internal segmentation is bypassed by a threat already inside. It is a per-device layer that complements the network firewall rather than replacing it.
Trap Treating a host-based firewall as redundant once network segmentation is in place, when it still protects the device on an untrusted network or after internal segmentation is bypassed.
- EDR records and analyzes endpoint activity to catch what signature antivirus misses
Traditional antivirus matches files against signatures of known malware and misses novel or fileless attacks. Endpoint Detection and Response (EDR) instead continuously records endpoint activity (process, file, network, and registry events) and applies behavioural analytics to detect, investigate, and respond, giving responders the telemetry to isolate a compromised host and reconstruct what happened. The escalation questions reward: signature antivirus → EDR (behavioural, single endpoint) → XDR / managed detection (correlated across endpoints, network, and cloud).
Trap Reaching for signature antivirus when the scenario describes a novel, fileless, or behaviour-only threat. Signatures only catch known malware, so EDR is the tool that detects and contains the unknown.
- The endpoint is the last independent layer, so it must defend itself after the network is crossed
Defense in depth only counts layers that fail independently. NAC controls whether a device joins, segmentation controls where its traffic goes, and endpoint controls protect the device after both have been crossed, which is exactly why endpoint security is not redundant with them. The endpoint terminates the connection and is where most compromise lands, so hardening, a host firewall, and EDR together make it a self-defending last hop rather than a soft target behind the perimeter.
Trap Treating endpoint controls as redundant with NAC and segmentation, when they fail independently and defend the device after both of those layers have already been crossed.
- A stateful firewall lets return traffic in via its state table, not an inbound rule
Stateful inspection records each permitted outbound connection (source/destination IP, ports, connection state) in a state table. Reply packets are allowed because they match an existing session entry, and packets that falsely claim to belong to an established connection are dropped because no entry exists. State entries also let the firewall enforce HA failover via session-state replication and expire on idle timeout.
Trap If permitted return traffic is suddenly blocked, the state-table entry likely timed out (idle timeout). For UDP there is no handshake, so the firewall tracks only addresses/ports as a pseudo-session.
10 questions test this
- A security engineer is evaluating stateful firewall technologies for an organization that requires high availability. The engineer is…
- A security administrator notices that an internal host received a DNS response from an external server. When investigating the stateful…
- An organization's firewall administrator notices that when an internal host initiates an outbound TCP connection to an external server,…
- Marcus is troubleshooting why a client's response packet from an external web server is being blocked by the corporate stateful firewall.…
- An organization notices that its stateful firewall is experiencing performance degradation during peak traffic hours. Investigation reveals…
- A network administrator is reviewing a firewall's state table and notices entries containing source IP, destination IP, source port,…
- A stateful firewall maintains a state table to track network connections. Which information is MOST essential for the firewall to include…
- A security administrator notices that response traffic from external servers is automatically allowed through the organization's stateful…
- A network engineer is troubleshooting connectivity issues and discovers that long-running TCP sessions through a stateful firewall are…
- What is the key advantage that stateful inspection firewalls provide over stateless packet filtering firewalls when protecting against…
- A correct firewall ends in implicit deny. Anything not explicitly permitted is blocked
Best practice is deny-by-default: the firewall blocks all inbound and outbound traffic not expressly permitted by an allow rule, implementing least privilege. This implicit deny sits at the end of the ruleset, so only traffic matching a specific permit statement passes.
Trap Default-deny is the policy; rule ordering is separate. A too-broad permit placed before a specific deny can still let unwanted traffic through despite the final implicit deny.
8 questions test this
- A network administrator is reviewing the firewall policy for a new enterprise firewall deployment. When a packet arrives that does not…
- A network security team is implementing segmentation controls and wants to ensure that traffic cannot flow between VLANs without explicit…
- An organization is implementing a defense-in-depth strategy for its router infrastructure. CISA recommends implementing a specific ACL…
- An organization is implementing firewall rules and the security team debates the proper default policy. According to security best…
- A security administrator is configuring firewall rules and wants to ensure that any traffic not explicitly permitted is blocked. Which…
- An organization is configuring its stateful firewall ruleset. The security team wants to ensure traffic not explicitly permitted will be…
- An organization is configuring a new stateful firewall to protect its network perimeter. Which firewall configuration approach aligns with…
- A security architect is designing firewall rules for a new network segment. According to NIST guidelines, which approach should be…
- Firewall and ACL rules are terminating and evaluated top-down. Order specific before general
Rules are processed sequentially (or by priority, lowest number first) and the first match wins, stopping further evaluation. Place specific rules (e.g. deny a malicious IP) before broader permits, and put high-hit rules early for performance. Layered firewalls also process by rule type (NAT first, then network, then application) so an early network-rule match can prevent Layer 7 application rules from ever running.
Trap A general permit placed above a specific deny silently overrides it; and a network-rule match terminates processing before application-layer filtering applies.
7 questions test this
- When configuring router ACLs, rules are processed sequentially and the first matching rule determines the action taken on the packet. A…
- An organization's firewall processes rules in the following order: DNAT rules first, then network rules, and finally application rules. A…
- During a firewall rule review, a security analyst discovers that a rule with priority 250 is matching traffic before a more specific rule…
- A security administrator is configuring ACLs on an enterprise router and needs to control which deny rule should be processed first when a…
- An organization is configuring firewall rule collections in a hierarchical policy structure. The firewall has multiple rule types including…
- When reviewing stateful firewall rule processing logic, a security architect discovers that network rules are applied before application…
- A firewall administrator is optimizing rule performance on a stateful firewall that processes rules sequentially. Which rule placement…
- Signature detection catches known attacks; anomaly detection catches the unknown
Signature-based IDS/IPS matches traffic against a database of known attack patterns, so it has low false positives but cannot see zero-day or novel attacks with no signature. Anomaly-based detection flags deviations from a learned baseline, catching unknown attacks at the cost of more false positives. Combine both for the best coverage; counter known signature evasions with protocol normalization (decode encodings) and packet reassembly (defragment) before matching.
11 questions test this
- An organization has deployed a signature-based intrusion detection system (IDS) to monitor their network perimeter. The security team…
- A security analyst is investigating why the organization's network-based IDS failed to detect a recent attack. Upon review, the analyst…
- An organization's NIDS has detected a sophisticated attack that was not identified by signature-based detection but was caught by…
- A security architect is designing a defense-in-depth strategy for network threat monitoring. The organization faces threats from both…
- A financial institution is evaluating detection methodologies for their new intrusion detection system deployment. The security team wants…
- An attacker is attempting to evade network IDS detection by fragmenting malicious packets into smaller pieces that individually do not…
- An organization's security team discovers that attackers are using never-before-seen malware to infiltrate their network. Their current IDS…
- A security analyst is evaluating detection methodologies for the organization's new intrusion detection system. The analyst is concerned…
- A security analyst notices that the organization's IDS generates many alerts for legitimate deviations from normal behavior, requiring…
- An organization needs to detect sophisticated zero-day attacks from nation-state actors against their network infrastructure. Which IDS…
- An organization wants to improve detection accuracy while reducing false positives in their intrusion detection capabilities. Which…
- Anomaly detection only works after a representative training baseline
Anomaly-based detection compares activity to a profile of normal behavior built during a training period. Excessive false positives usually mean the baseline was too short or unrepresentative. Extending the training period to capture more legitimate variation is the fix before disabling alerts.
Trap A dynamic/auto-adjusting profile is exploitable: an attacker can ramp malicious activity slowly so the baseline drifts and accepts it as normal (baseline poisoning).
4 questions test this
- A security analyst notices that the organization's newly deployed anomaly-based IDS is generating an excessive number of alerts for…
- After deploying a new anomaly-based IDS, a security team is experiencing an overwhelming number of alerts. Investigation reveals that most…
- A security analyst is implementing an anomaly-based IDS for network monitoring. What is the MOST critical step required before the system…
- Before deploying an anomaly-based IDS in a production environment, what critical step must be completed to ensure accurate detection…
- Stateful protocol analysis detects protocol misuse using vendor profiles
Stateful protocol analysis tracks the state of network, transport, and application protocols against vendor-developed profiles of how each protocol should behave, flagging deviations such as malformed requests or over-long arguments that span multiple events. It is the most resource-intensive detection method because of the per-session state tracking and deep inspection.
Trap It is not the same as a stateful firewall's connection table. Protocol analysis understands Layer 7 protocol semantics, not just connection state.
4 questions test this
- A network administrator is configuring a network-based IDPS that uses multiple detection methodologies. The administrator wants to enable a…
- A network security engineer is configuring an IDPS to detect HTTP protocol violations where attackers attempt to send malformed requests to…
- The security team notices their network-based IDPS is experiencing high resource consumption and processing delays during peak traffic…
- A network security engineer is evaluating IDPS detection methodologies for monitoring HTTP traffic. Which characteristic makes stateful…
- WPA3-Personal uses SAE (dragonfly) to stop offline dictionary attacks and give forward secrecy
Simultaneous Authentication of Equals (SAE), the dragonfly handshake, replaces WPA2's PSK four-way handshake. Because authentication is interactive rather than derived from a captured handshake, attackers cannot run offline password guessing, and SAE provides forward secrecy so a later password compromise cannot decrypt previously captured traffic.
Trap SAE protects the password exchange and gives forward secrecy; protecting management frames against deauth is a separate WPA3 feature (PMF).
5 questions test this
- A security administrator is configuring wireless access points and wants to protect against offline dictionary attacks where attackers…
- A company has captured encrypted wireless traffic from their WPA3 network for legitimate monitoring purposes. An attacker later compromises…
- A security architect is upgrading corporate wireless access points to WPA3-Personal. Which authentication mechanism does WPA3-Personal use…
- A security architect is evaluating WPA3-Personal for a corporate wireless deployment. What authentication mechanism in WPA3-Personal…
- A security consultant is explaining the benefits of WPA3-Personal to stakeholders. Which security feature does SAE provide that WPA2-PSK's…
- WPA3 makes Protected Management Frames mandatory, blocking deauth/disassociation attacks
Protected Management Frames (PMF, IEEE 802.11w) are mandatory in WPA3 (optional in WPA2). PMF adds integrity protection to management frames so attackers cannot forge deauthentication or disassociation frames to knock clients off the network or force a WPA2 downgrade.
Trap PMF defends management frames; offline-dictionary and forward-secrecy protection come from SAE, not PMF.
4 questions test this
- A security analyst discovers that wireless access points in transition mode are vulnerable to downgrade attacks where clients can be forced…
- A wireless network administrator notices that users are being forcibly disconnected from the network through deauthentication attacks.…
- A network administrator notices that WPA3-Enterprise has specific requirements beyond WPA2-Enterprise. What mandatory security feature does…
- A security architect is evaluating WPA3 security features for a new corporate wireless deployment. Which mandatory WPA3 requirement…
- Harden SSH: disable v1, set PermitRootLogin no, use 3072-bit+ RSA keys
SSH v1 has known cryptographic weaknesses, so disable it and use only SSH v2 (modern OpenSSH supports protocol 2 only). Set PermitRootLogin no to force admins to log in as named users and escalate with sudo (accountability + least privilege), and use minimally 3072-bit RSA host keys (CISA/NSA guidance; FIPS requires at least 2048-bit) with SHA-2 signatures.
11 questions test this
- A security administrator is hardening SSH access on Linux servers across the enterprise. Which sshd_config directive should be configured…
- A security architect is configuring SSH for remote server management and wants to ensure the protocol meets current security requirements.…
- A security administrator is hardening SSH servers across the organization. According to security best practices, which configuration…
- A security administrator is hardening SSH configurations across the organization's Linux servers. According to security best practices,…
- During a security assessment, an auditor finds that the PermitRootLogin directive is set to 'yes' in the sshd_config file on production…
- A security architect is selecting SSH key algorithms for enterprise deployment. The organization requires FIPS compliance while maximizing…
- A security engineer is hardening SSH servers across the enterprise. According to CISA and NSA guidance, which configuration change is MOST…
- According to current CISA guidance on SSH hardening, which minimum RSA key size should be configured when implementing SSH for secure…
- A security team discovers that attackers have been exploiting SSH version 1 vulnerabilities to intercept administrative sessions. Which…
- An enterprise security team is implementing SSH hardening based on CISA recommendations. Which combination of settings represents the MOST…
- When hardening SSH servers for FIPS 140-2 compliance, which statement about cryptographic algorithm selection is CORRECT?
- Prefer SSH key authentication: PubkeyAuthentication yes, PasswordAuthentication no
Replace passwords with key-based auth by setting PubkeyAuthentication yes and PasswordAuthentication no, which eliminates brute-force password attacks since the private key never crosses the network. Store public keys in the user's ~/.ssh/authorized_keys (recommended 0600), and protect private keys with a passphrase so a stolen key is still useless without it.
Trap If the authorized_keys file, the ~/.ssh directory, or the home directory is group- or world-writable, sshd's StrictModes refuses key auth as a precaution against key injection.
7 questions test this
- An organization requires administrators to protect their SSH private keys stored on workstations. Which control provides the MOST effective…
- An organization is implementing SSH key-based authentication across its infrastructure. According to security best practices, what…
- An organization is implementing SSH key-based authentication to replace password authentication for administrator access. Where should the…
- An organization is implementing SSH key-based authentication to eliminate password-related vulnerabilities. Which configuration directive…
- A security administrator is hardening SSH configurations on Linux servers. Which configuration change provides the MOST effective…
- An organization wants to implement SSH key-based authentication and eliminate password authentication entirely. Which combination of…
- An enterprise security team is implementing SSH hardening based on CISA recommendations. Which combination of settings represents the MOST…
- 802.1X dynamic authorization places the same port into a VLAN by identity and posture
After 802.1X authentication, the RADIUS server returns Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID (the VLAN ID) so the switch dynamically assigns the port to a VLAN based on user identity and device compliance. The same physical port can land staff, students/guests, or non-compliant devices in different access levels; a failed or non-compliant device is steered to a guest/auth-fail/remediation VLAN rather than simply denied.
Trap Per-device certificates (not a shared network password) are what bind admission to enrolled, approved devices and stop credential sharing.
6 questions test this
- A network security lead at a university is replacing flat, statically assigned VLANs with a NAC deployment. The objective is that the same…
- An organization is deploying a NAC solution that should quarantine devices failing compliance checks until remediated. The NAC system…
- An organization implements 802.1X port-based network access control with a RADIUS server. When devices successfully authenticate, they need…
- An organization implements Network Access Control with 802.1X authentication on all switch ports. When the RADIUS server returns an…
- An organization implements NAC with 802.1X to dynamically assign devices to VLANs based on their compliance status. A laptop fails the…
- A company implements 802.1X port-based network access control. When a device fails authentication, it should still receive limited network…
Secure Communication Channels
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Identity & Access Management
Access Control
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Access control is one process governing both information and physical facilities
Access control is the process of granting or denying specific requests to obtain and use information and processing services, and to enter specific physical facilities. The reason it spans both is that a request to read a file and a request to badge into a data center are the same kind of event: each is evaluated against an authorization decision before the resource is reached. So a security leader runs one access program with one control vocabulary, not separate logical and physical regimes that can leave one surface open.
Trap Treating logical access control and physical access control as two unrelated programs governed by separate teams and policies, when CISSP frames them as one access-control process applied to different surfaces.
- A subject is the requester; an object is the thing being protected
The subject is the active entity requesting an operation (usually a user, but possibly a process or device acting for one); the object is the passive entity being protected from unauthorized use: a file, record, device, process, facility, or service. The distinction is load-bearing because the authorization models are defined by who controls the subject-to-object permission, so mislabeling the data as the subject inverts the whole picture.
Trap Treating the data or resource as the subject. The data is the object; the subject is whoever or whatever is requesting access to it.
- Every access reduces to subject, object, and an access-control system between them
Between the subject and object sits the access-control system: a policy stating allowable operations, a decision point that evaluates each request against that policy, and an enforcement point that admits or blocks it. This model is universal: identification, authentication, authorization, and accountability are stages within that decision, and DAC/MAC/RBAC/ABAC are simply different policies the decision point applies. Anchoring every mechanism to a place in this picture is what keeps the IAM domain coherent.
Trap Confusing the policy decision point that evaluates a request with the policy enforcement point that admits or blocks it. The PDP decides, the PEP enforces, and conflating them obscures where a control actually lives.
- AAA runs in fixed order: identify, authenticate, authorize, then account
An access decision proceeds as identification (the subject claims an identity), authentication (it proves the claim with one or more factors), authorization (the now-proven subject is granted specific operations on the object), and accountability (the action is logged and attributed). The first three are the classic AAA triad; accountability is the fourth pillar that makes them auditable. The order is not arbitrary: it is strictly forward-dependent.
Trap Reading the AAA triad as authentication, authorization, accounting and dropping identification, or reordering the stages. Identification must precede authentication, which must precede authorization, which must precede accountability.
- You cannot authorize an identity you have not authenticated
Authorization decides what a subject may do, but only after authentication has proven the subject is who it claims to be. Granting permissions to an unproven claim is precisely the gap that impersonation exploits, which is why authentication always precedes authorization in the sequence. Identification merely asserts an identity; it carries no trust until authentication validates it.
Trap Treating a presented identifier (a username or claimed identity) as sufficient to grant access. Identification asserts who you are but proves nothing, so authorization must wait until authentication validates the claim.
- Accountability requires unique identification, so shared accounts defeat it
Accountability is the ability to tie an action back to one individual through logging, and it depends on each subject having a unique, authenticated identity. When several people share one credential, the logs attribute every action to the account rather than to a person, so attribution (and therefore accountability) is lost. A scenario demanding traceability to an individual must use unique identities, not a strong password on a shared account.
Trap Hardening a shared account with a stronger password or MFA to satisfy an accountability requirement. Strength does not restore attribution; only unique per-person identities do.
- Default-deny means a policy gap is safe, not permissive
A sound access posture starts closed: absent an explicit grant, the request is denied (default-deny, also called fail-closed). The benefit is that a missing or incomplete policy results in no access rather than open access, so gaps fail safe instead of exposing the asset. New systems and new rules should therefore inherit a deny baseline before any allow is added.
Trap Assuming an unconfigured or undefined access rule defaults to allow. A secure access-control system denies by default, so the absence of a grant is a denial.
- Privilege creep is a least-privilege failure fixed by access reviews, not stronger auth
When subjects change roles and keep their old access, permissions accumulate beyond what any current task needs: privilege creep, a direct violation of least privilege. The remedy is periodic access reviews and recertification that strip access no longer justified, plus removing access at role change. Stronger authentication does not help, because the problem is excess authorization, not a weak login.
Trap Reaching for stronger authentication or more frequent password changes to fix privilege creep. The defect is accumulated authorization, remedied by access reviews and recertification, not by a tougher login.
- Controls are classified on two independent axes: function and type
Any access control carries one label for what it does (function) and one for how it is implemented (type), and the two are independent. Function is preventive, detective, or corrective; type is administrative, technical (logical), or physical. A question asking to categorize a control is testing whether you can place it on the correct axis, so read whether the stem wants function or type before answering.
Trap Answering with a function label (e.g. preventive) when the stem asks for the implementation type (e.g. physical), or vice versa. The answer set deliberately mixes the two axes.
- Preventive stops before, detective reveals after, corrective restores after
On the function axis, a preventive control stops an unwanted action before it happens (a lock, a deny rule, separation of duties); a detective control reveals an action after it happens (an access log, IDS alert, CCTV recording); and a corrective control restores the expected state after an incident (revoking a credential, restoring from backup). The defining question is timing relative to the event: before, after-to-reveal, or after-to-restore.
Trap Picking a stronger preventive control (a better lock) when the stem asks what would best detect access after the fact. Detection calls for a log, review, or alert, not prevention.
- Administrative, technical, and physical name how a control is implemented
On the implementation-type axis, administrative (managerial) controls are policies, procedures, standards, training, and screening; technical (logical) controls are software and hardware mechanisms such as authentication, access-control lists, and encryption; physical controls are tangible barriers such as locks, fences, mantraps, guards, and badge readers. NIST SP 800-53 organizes safeguards into families and tags each as managerial, operational, or technical: the same dimension.
Trap Classifying a security-awareness training program or background screening as a technical control because it concerns computer use. Staffing, training, and policy are administrative controls regardless of what they govern.
- One mechanism carries one label per axis, so the same control is named twice
Because the two axes are independent, a single mechanism is described by both at once. A badge reader at a door is a preventive, physical control; the recording it feeds is a detective, physical control; the policy requiring badges is a preventive, administrative control. So the correct answer often depends entirely on which axis the question is probing, not on the mechanism alone.
Trap Assuming a mechanism has only one fixed category, so that a CCTV camera is always just detective. The same device can be deterrent, preventive, or detective depending on which axis and role the stem is asking about.
- Defense in depth layers controls across functions and types
Defense in depth deliberately spreads controls across different functions and implementation types so no single failure exposes the asset: for example a preventive technical control (authentication) backed by a detective technical control (logging) and a preventive physical control (a locked room). The two-axis classification is useful precisely because it shows which cells of the grid are not yet covered. Layering, not any one perfect control, is the goal.
Trap Treating several instances of the same control (more firewalls, more passwords) as defense in depth. Layering means diverse controls across different functions and types, not redundant copies of one mechanism.
- Logical and physical objects need the same access process on different surfaces
A logical object (record, application, service, API) is reached through software, so its enforcement is a technical control; a physical object (building, cage, equipment) is reached through space, so its enforcement is a physical control. An asset with both attack paths (a server holding regulated data in a colocation cage) must be protected on both surfaces at once. Securing only one surface leaves the other fully open.
Trap Assuming strong logical controls (encryption, authentication) on a server make its physical placement irrelevant. An attacker with physical access to the cage bypasses or undermines the logical surface, so both must be enforced.
- RFID asset tracking: metal causes interference, passive tags can't protect data, segment the readers
In metal-dense data centers, detuning and multipath interference cause RFID false positives and negatives, addressed with anti-metal tags plus power-mapping to find dead zones. Passive tags have too little compute/storage to support authentication or encryption, leaving them open to eavesdropping and cloning (replica tags that fool the reader); active tags can carry mutual authentication. NIST advises firewalling RFID databases off from other IT systems so IP-enabled readers can't become a network entry point.
Trap assuming passive RFID tags can be secured with encryption/authentication, or ignoring metal-environment interference
8 questions test this
- A data center manager is evaluating RFID solutions for tracking IT equipment in a metal-dense environment. The security team reports that…
- A security manager is selecting RFID technology for tracking high-value IT equipment in a data center environment. The primary concern is…
- A logistics company needs to track assets across a large warehouse with real-time location capabilities. The security team must balance…
- An organization discovers that an attacker has created replica tags that behave exactly like genuine tags in their RFID asset tracking…
- A security architect is designing an RFID-based asset tracking system for a data center. Which characteristic of passive RFID tags presents…
- An organization is integrating its RFID asset tracking system with its enterprise IT asset management platform. According to NIST…
- According to NIST guidance on securing RFID systems, which control is MOST effective for preventing unauthorized access to an…
- When deploying RFID readers for asset tracking in a data center environment, which challenge is MOST likely to impact tracking accuracy…
Identification & Authentication
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Identification is a claim; authentication is the proof. They are separate, ordered steps
Identification is presenting an identifier the system already knows (a username, account number, employee ID), and it carries no trust on its own because an identifier is usually public and guessable. Authentication is then proving that the claimed identity belongs to you by presenting evidence the system can verify. The exam tests these as distinct, ordered steps: you identify first, then authenticate, and only a proven identity feeds authorization.
Trap Treating a presented username, email, or account number as having authenticated the subject. An identifier is a public claim, never proof.
- Keep the chain straight: identify, authenticate, authorize, account
The full access sequence is identification (claim who you are) then authentication (prove it) then authorization (decide what the proven subject may do) then accounting/auditing (the logged record tying actions back to the identity). Accounting is what makes accountability and ultimately non-repudiation possible. The chain only holds if the first links are sound, because a weak authentication step makes every downstream authorization decision and audit record attribute actions to the wrong person.
Trap Placing authorization before authentication, or treating accounting as an optional add-on rather than the link that delivers accountability and non-repudiation.
- Authentication evidence comes in three classic factor types: know, have, are
The three classic factors are something you know (a password, PIN, or passphrase; NIST's neutral term is a memorized secret), something you have (a token, smart card, registered phone, or FIDO2 key; a possession factor), and something you are (a biometric such as fingerprint, iris, face, or voice; an inherence factor). Two weaker modern categories are sometimes added: somewhere you are (geolocation/network context, useful as a risk signal in adaptive authentication) and something you do (behavioral biometrics like keystroke dynamics).
Trap Classifying 'somewhere you are' (location) as one of the three classic factors, when the canonical three are only know, have, and are.
- Multi-factor authentication is defined by combining different factor CATEGORIES, not by counting secrets
MFA requires evidence from two or more different factor categories, so a password plus a one-time code from a possession device (know + have) is genuine two-factor. Stacking two secrets of the same category is still single-factor no matter how many you add. This is the single most-tested distinction in the subtopic because candidates instinctively count secrets instead of categories.
Trap Calling a password plus a security question (or password plus PIN) multi-factor. Both are 'something you know,' so it is still single-factor.
4 questions test this
- A security architect is designing an MFA solution for a financial services organization. The business requires that the authentication…
- Maria's organization requires her to authenticate using a 6-digit PIN on her smartphone, then provide a fingerprint scan on the same device…
- A security manager at an insurance company must quickly reduce the risk that stolen or reused passwords give attackers remote access to a…
- An organization currently authenticates users with a password followed by an email-based one-time passcode sent to the user's cloud email…
- A leaked biometric cannot be revoked the way a password or token can
Each factor type fails differently, which is why a leader combines categories so one breach does not defeat the whole login. Knowledge factors are phished, guessed, reused, and shared; possession factors are lost, stolen, or cloned; inherence factors carry a unique liability: a compromised biometric template cannot be revoked or reissued because you cannot change your fingerprint. That irrevocability is why biometrics are usually paired with a possession factor (a fingerprint unlocking a key on a device) rather than used as the sole credential.
Trap Assuming a compromised biometric can simply be reset or reissued like a leaked password or replaced token, when the trait itself cannot be changed.
- A false ACCEPT is the security-critical biometric error, not a false reject
A biometric matcher can fail two opposite ways. A false accept admits an impostor and is the Type II error, measured as the False Acceptance Rate (FAR); a false reject wrongly denies a legitimate user and is the Type I error, measured as the False Rejection Rate (FRR). The false accept is the security breach because an impostor has been authenticated as someone else, while a false reject is merely an inconvenience the user retries, so a security-conscious deployment accepts a higher FRR to keep FAR low.
Trap Swapping the Type numbers. False accept is Type II / FAR, false reject is Type I / FRR; the exam reverses them to catch you.
4 questions test this
- A security administrator is configuring a fingerprint biometric system to protect a high-security data center. The administrator wants to…
- A security manager needs to select a biometric system for a nuclear research facility where preventing unauthorized access is the HIGHEST…
- An organization is deploying biometric authentication for physical access control at a high-security research facility. The security team…
- A security architect is configuring a biometric fingerprint system for a high-security data center. The system must minimize the risk of…
- Compare biometric systems by the lower Crossover Error Rate (CER / EER)
Because FAR and FRR both depend on the matching threshold and trade off against each other, you cannot compare two systems by quoting one rate. The single comparison metric is the Crossover Error Rate (CER), also called the Equal Error Rate (EER): the threshold setting where FAR equals FRR. A lower CER means a more accurate system overall, independent of how any one deployment is tuned, so the more-accurate system is the one with the lower CER.
Trap Claiming a low FRR alone proves a system is more accurate. Only the CER compares systems independent of how the threshold is tuned.
4 questions test this
- A security architect is selecting a biometric system for a high-security government facility. The vendor provides performance metrics…
- A security architect is evaluating biometric authentication systems for a high-security facility. The vendor provides documentation showing…
- An organization is evaluating biometric authentication systems and wants to find the point at which the system provides the optimal balance…
- An organization is evaluating biometric authentication systems and wants to select one with optimal balance between security and usability.…
- Tightening the matcher lowers FAR but raises FRR. You cannot minimize both at once
FAR and FRR are linked by one tunable threshold and move in opposite directions: tighten the matcher and false accepts fall while false rejects rise; loosen it and the reverse happens. On a fixed system you choose where on the curve to sit, not how to zero out both. A separate enrollment metric, the failure-to-enroll rate (FER), counts users whose trait cannot be captured well enough to enroll at all: a usability and inclusivity concern distinct from the two matching errors.
Trap Loosening the threshold to drive false rejects to zero so users stop being annoyed. That raises FAR, the security-critical error, and is the wrong call for a high-security gate.
7 questions test this
- A security administrator is configuring a fingerprint biometric system to protect a high-security data center. The administrator wants to…
- A security architect is evaluating biometric authentication systems for a high-security facility. The vendor provides documentation showing…
- An organization is evaluating biometric authentication systems and wants to find the point at which the system provides the optimal balance…
- A security manager needs to select a biometric system for a nuclear research facility where preventing unauthorized access is the HIGHEST…
- A biometric access control system administrator notices that legitimate employees are frequently being denied access while the system…
- An organization is deploying biometric authentication for physical access control at a high-security research facility. The security team…
- A security architect is configuring a biometric fingerprint system for a high-security data center. The system must minimize the risk of…
- Identity proofing runs resolution, validation, then verification, before any credential is issued
Identity proofing (also called registration or enrollment), governed by NIST SP 800-63A, establishes the real-world identity before an authenticator is bound to it. It has three ordered steps: resolution uniquely distinguishes the person within a population, validation confirms the presented evidence is genuine and current against its issuing source, and verification binds the live person to that validated evidence (e.g. by biometric or physical comparison). Strong authentication on a weakly-proofed account is worthless because you are confidently authenticating the wrong person.
Trap Reordering the steps so verification (binding the live person) comes before validation (confirming the evidence is genuine), when validation must establish the evidence is real first.
- Identity Assurance Level (IAL) grades how rigorously the identity was proofed
IAL measures proofing rigor under NIST SP 800-63A: IAL1 attributes are self-asserted with no evidence, IAL2 requires validated evidence collected remotely or in person, and IAL3 requires in-person or supervised-remote proofing by an authorized representative. The higher the IAL, the more confident you are that the account maps to a real, distinct person. IAL governs enrollment, not the strength of any individual login.
Trap Treating IAL as a measure of how strongly the user logs in, when IAL grades proofing rigor at enrollment and AAL grades login strength.
- Authenticator Assurance Level (AAL) grades login strength and is set independently of IAL
AAL, defined in NIST SP 800-63B, grades how strongly the login proves possession of the authenticator: AAL1 permits single-factor, AAL2 requires two distinct factors and approved cryptography, and AAL3 requires a hardware-based authenticator plus verifier-impersonation (phishing) resistance proven by possession of a cryptographic key. The exam-critical point is that IAL and AAL are independent: a self-asserted IAL1 account can still demand AAL2 login, and an IAL3-proofed identity can carry an AAL1 credential.
Trap Assuming a strong login (AAL3) implies a well-proofed identity (IAL3) or vice versa. They are set separately from the transaction's risk.
- AAL3 requires a hardware authenticator AND verifier-impersonation resistance
AAL3 is the phishing-resistant tier: it demands a hardware-based authenticator and proof against verifier impersonation, demonstrated by proving possession of a cryptographic key through a protocol bound to the verifier. A software-only or push-approval second factor does not reach AAL3 because it can be relayed by an attacker-in-the-middle. When a stem requires resistance to credential phishing or verifier impersonation, the answer points to a hardware FIDO2/WebAuthn authenticator.
Trap Picking a push-approval or app-generated TOTP second factor as AAL3-compliant, when those can be relayed by an attacker-in-the-middle and only a hardware key bound to the verifier qualifies.
4 questions test this
- A CISO is hardening workforce authentication for a privileged group whose accounts are repeatedly targeted by credential-phishing and…
- An enterprise security team is evaluating authentication methods that provide strong resistance to remote phishing attacks. The team wants…
- According to NIST SP 800-63B, which type of multi-factor authentication provides the strongest protection against phishing attacks?
- A financial services organization wants to implement phishing-resistant MFA for privileged administrators accessing critical systems. Which…
- Passwordless FIDO2/WebAuthn binds the credential to the origin, so a phished credential cannot be replayed
Passwordless authentication replaces the memorized secret with a possession factor: a cryptographic key held in a hardware authenticator or device secure element, typically unlocked locally by a biometric or PIN so the biometric authorizes local use and never travels. FIDO2/WebAuthn is the canonical model: the private key never leaves the authenticator and each credential is bound to a specific relying-party origin, so a signature captured on a look-alike phishing site will not validate against the real origin. This origin-binding is exactly the verifier-impersonation resistance NIST requires at AAL3.
Trap Assuming the local biometric or PIN that unlocks a FIDO2 authenticator is transmitted to the server, when it only authorizes local key use and never travels off the device.
8 questions test this
- A security manager at a regional bank is hardening access to a customer-facing online banking portal after a wave of credential-stuffing…
- A security manager at a professional services firm with a largely remote workforce faces two persistent problems: credential phishing…
- A CISO is hardening workforce authentication for a privileged group whose accounts are repeatedly targeted by credential-phishing and…
- An enterprise security team is evaluating authentication methods that provide strong resistance to remote phishing attacks. The team wants…
- An organization is implementing FIDO2 hardware security keys for phishing-resistant authentication across its enterprise. During the…
- A CISO is evaluating MFA solutions and learns that some methods are vulnerable to real-time phishing attacks where attackers intercept…
- According to NIST SP 800-63B, which type of multi-factor authentication provides the strongest protection against phishing attacks?
- A financial services organization wants to implement phishing-resistant MFA for privileged administrators accessing critical systems. Which…
- NIST now discourages forced periodic password expiry and composition rules
Modern NIST SP 800-63B guidance overturns two legacy password habits: verifiers should not force memorized secrets to be changed arbitrarily (e.g. periodically) but must force a change on evidence of compromise, and they should not impose composition rules requiring mixed character classes. Instead, screen candidate passwords against lists of known-compromised secrets and allow long passphrases. When a stem asks the BEST modern password practice, the breach-list-screening answer beats the old rotation/composition habits.
Trap Choosing '90-day rotation' or 'mandate mixed character classes' as best practice. NIST now advises against both absent evidence of compromise.
3 questions test this
- An organization's security architect is updating the enterprise password policy to align with current NIST SP 800-63B guidelines. The…
- An organization is reviewing its password policy in preparation for aligning with current NIST SP 800-63B recommendations. The security…
- A security architect is reviewing the organization's password policy that mandates password changes every 60 days regardless of…
- NIST classifies SMS/PSTN one-time codes as a RESTRICTED authenticator
One-time codes delivered over SMS or the public telephone network are usable but RESTRICTED under NIST SP 800-63B because of SIM-swap and number-porting risk; a verifier using them must warn subscribers and offer a non-restricted alternative. SMS codes also provide no phishing resistance, so they are the wrong answer when a question asks for verifier-impersonation-resistant or AAL3 authentication. Treat SMS OTP as a weak possession factor, not a phishing-resistant one.
Trap Offering an SMS one-time code as a phishing-resistant or AAL3 answer, when it is a RESTRICTED authenticator exposed to SIM-swap and provides no verifier-impersonation resistance.
- Session management bounds how long a single authentication stays valid
A successful authentication produces a session that must not live forever, because a long-lived session is an authentication that can be hijacked long after the user left. NIST SP 800-63B sets concrete bounds tied to AAL: at AAL2, reauthenticate at least every 12 hours regardless of activity and after 30 minutes of inactivity (a single factor may resume); at AAL3 the inactivity limit tightens to 15 minutes and resuming the session requires both factors. Sound session management also means binding the session to the subject, regenerating the session identifier on privilege change, and invalidating it server-side on logout.
Trap Allowing a single factor to resume an AAL3 session after inactivity, when AAL3 tightens the inactivity limit to 15 minutes and requires both factors to resume.
- Single sign-on trades reduced password fatigue for concentrated blast radius
SSO lets a user authenticate once to a central identity provider and reach many connected applications without re-entering credentials, which reduces password fatigue, centralizes MFA enforcement, and gives one switch to disable an account everywhere on termination. Its risk is concentration: a stolen SSO session is access to every connected system at once, which is why SSO is always paired with strong authentication at the identity provider and disciplined session controls. The wire protocols that carry SSO assertions belong to authentication-systems; this subtopic owns the strategy and the risk trade-off.
Trap Selecting SSO as a control that reduces the blast radius of a credential compromise, when it concentrates risk so one stolen session reaches every connected system.
3 questions test this
- A security manager at a retailer is addressing employee frustration and inconsistent security caused by twelve internally owned web…
- A security lead at a hospital network is responding to clinician complaints that logging in separately to a dozen distinct clinical…
- A security architect is implementing Single Sign-On (SSO) for an enterprise with multiple cloud and on-premises applications. Which of the…
- Just-in-time provisioning issues short-lived credentials so there is no standing target
A credential management system governs the full authenticator lifecycle: issuance, binding to a proofed identity, renewal, rotation, suspension, and revocation. The lifecycle principle a leader applies is to minimize standing credentials: just-in-time (JIT) provisioning grants access only at the moment of need and for a bounded time, so no long-lived privileged credential sits idle to be stolen. JIT is most valuable for privileged or rarely-used access, where a standing administrator credential is a high-value, always-available target.
Trap Issuing a permanent standing administrator credential and relying on rotation alone, when JIT provisioning removes the always-available target entirely.
- Regenerate the session ID at login to defeat session fixation
Session fixation occurs when an application keeps the same session identifier before and after authentication, letting an attacker who planted or knows the pre-login session ID ride the authenticated session. The mandatory remediation is to generate a fresh session ID immediately upon successful authentication, invalidating any pre-set value.
Trap confusing session fixation (reuse of a pre-set ID) with session hijacking of a token already in use
4 questions test this
- During a security review, an analyst discovers that the web application maintains the same session identifier before and after user…
- A security analyst discovers that when users authenticate to a web application, the server continues using the same session identifier that…
- A web application security team discovers that attackers are successfully accessing user accounts by setting session identifiers in…
- A web application developer needs to prevent session fixation attacks. Which control is mandatory to implement according to OWASP session…
- Use a slow memory-hard KDF, and store any pepper in an HSM/vault separate from the database
Salting (a unique per-password random value stored with the hash) defeats precomputed rainbow tables but not targeted cracking. For offline-cracking resistance use a deliberately slow function: Argon2id (memory-hard, resists GPU/ASIC) when there is no FIPS constraint, or PBKDF2 with HMAC-SHA-256 at a high iteration count when FIPS-140 validation is required. A pepper is a single secret shared across all hashes, so it must live in an HSM or secrets vault, never alongside the password database.
Trap storing the pepper with the hashes like a salt, or picking a fast general-purpose hash (MD5/SHA-256) instead of a tuned KDF
6 questions test this
- A development team is implementing password storage security controls and wants to add an additional layer of protection beyond salting.…
- A security engineer is selecting a password hashing algorithm for a new web application that does not require FIPS-140 compliance. The…
- An organization must implement password storage that meets federal security requirements including FIPS-140 certification. The security…
- An organization is enhancing their password storage security by implementing a peppering strategy alongside salted password hashing. Where…
- During a security assessment, an analyst discovers that a legacy application stores passwords using unsalted MD5 hashes. What is the…
- An organization is implementing a new password storage system and must comply with FIPS-140 requirements. Which hashing algorithm should…
- Sessions end at whichever timeout hits first; zero trust adds continuous evaluation
Configure both an inactivity timeout and an overall (absolute) reauthentication timeout; the session terminates when either limit is reached first. NIST SP 800-63B sets AAL2 limits of reauthentication at least once every 12 hours regardless of activity, and reauthentication after any inactivity period of 30 minutes or longer. Beyond static timers, zero trust uses continuous access evaluation, reassessing session validity at each access point on live risk signals.
Trap treating the two timeouts as alternatives (only one applies) or relying on static timeouts alone under a zero-trust mandate
3 questions test this
- An organization is implementing session management for a healthcare application containing protected health information. The security team…
- An organization is implementing a zero trust architecture and wants to ensure that access decisions are continuously evaluated throughout…
- A security architect is designing an access control system that evaluates session security in real-time rather than relying on static…
Federated Identity
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Authorization Mechanisms
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Authorization decides what an already-authenticated subject may do
Authorization is the access decision a system makes after authentication has proven the subject's identity, determining whether that subject may take a requested action on an object. Authentication answers who you are; authorization answers what you may do. A scenario where a logged-in user still cannot open a resource is an authorization problem, not an authentication one.
Trap Treating a denied-access-after-login symptom as a failed login. The identity was already proven, so the fix is the authorization policy, not the credential.
- The reference monitor enforces the policy; the model only defines the rules
A security model such as RBAC, MAC, or ABAC is a set of access rules and does not enforce anything by itself: enforcement is the job of the reference monitor, the conceptual mediator that must be always invoked (non-bypassable, giving complete mediation), tamperproof, and verifiable. Every authorization model assumes some reference-monitor implementation underneath it. Distinguishing the rule set from its enforcer is a recurring exam framing.
Trap Picking the access model itself as what enforces the decision when a question asks for the always-invoked, tamperproof mediator; the model is only the rule set, and the reference monitor is the enforcer.
- The authorization models differ on who holds the discretion to set the permission
The single discriminator that separates the models is who decides the permission and on what basis: the owner (DAC), the system via labels (MAC), an administrator via roles (RBAC), an administrator via global rules (rule-based), a policy over attributes (ABAC), a live risk score (RAdAC), or a time-boxed grant at moment of need (JIT). Identifying who owns the decision in a scenario resolves most model-selection questions. Reading each model as an answer to who-decides-and-how keeps similar choices distinct.
- DAC lets the resource owner grant access at their discretion via ACLs
Discretionary access control puts the access decision in the hands of the object's owner, who grants or revokes permissions, typically through an access control list attached to the object enumerating which subjects get read, write, or execute. Standard commercial operating-system file permissions are DAC. Its weakness is structural: any owner can pass access to anyone, so a compromised owner or a Trojan running with the owner's rights can leak data, which is why DAC is unsuitable for data that must be protected regardless of an owner's choices.
Trap Choosing DAC when the requirement says data must be protected regardless of the owner's wishes. Owner discretion is exactly what that requirement forbids.
5 questions test this
- A financial services company has a document management system where department managers control access to their respective folders. During…
- An organization implements a file sharing system where resource owners can grant access permissions to other users at their discretion. A…
- An organization relies exclusively on discretionary access control using ACLs for protecting sensitive data. The security team has…
- An organization is reviewing its access control strategy. The security team needs to implement a solution where they can easily answer the…
- A data owner in an organization creates a new confidential project folder and wants to ensure that only specific team members can access…
- MAC enforces access from system-set labels and clearances that no owner can override
Mandatory access control removes owner discretion: the system decides access by comparing a subject's clearance against an object's classification under a central policy that not even the data's creator can override. This is the model for classified, military, and multilevel-secure systems holding data at several sensitivities at once. The exam tell is system-enforced labels plus the explicit absence of owner control.
Trap Confusing MAC with DAC because both deal with file access. The discriminator is discretion: MAC is system-enforced and non-overridable, DAC is owner-controlled.
3 questions test this
- A defense contractor is implementing a system where access decisions must be made based on the security clearance of personnel and the…
- A government agency uses mandatory access control with security labels for all classified documents. A project manager with Secret…
- A defense contractor is implementing a MAC policy where information labeled as Confidential can only be accessed by users with Confidential…
- A security label is machine-enforced; a security marking is human-applied metadata
MAC runs on labels, not markings: a security label is the machine-readable association between a sensitivity level and a subject or object that the system parses and enforces, whereas a security marking is human-applied metadata that informs people but is not self-enforcing. Marking is human-enforced; labeling is system-enforced. MAC's mechanism depends on labels because the reference monitor must read sensitivity programmatically to mediate every access.
Trap Assuming a human-applied marking is what the reference monitor mediates on; only a machine-readable label is system-enforced, whereas a marking merely informs people.
- Bell-LaPadula is MAC's confidentiality model: no read up, no write down
The formal confidentiality model behind MAC is Bell-LaPadula, whose Simple Security Property forbids reading above one's clearance (no read up) and whose Star property forbids writing below one's level (no write down), so classified data cannot flow down to a lower classification. For the authorization decision, the practical takeaway is that MAC enforces these label comparisons; the lattice mathematics itself is studied under security models. The pairing of 'no read up' with 'no write down' is the most testable detail.
Trap Swapping the two rules: 'no write down' is the Star property (protects against leaking down), and 'no read up' is the Simple Security Property; reversing them is a classic distractor.
3 questions test this
- A defense contractor is implementing a system where access decisions must be made based on the security clearance of personnel and the…
- In a MAC environment, a user with a 'Secret' clearance attempts to write data to a file classified as 'Confidential', which is a lower…
- A defense organization uses a MAC system implementing the Bell-LaPadula model. An analyst with Top Secret clearance has created a new…
- Even MAC can leak through covert channels by inference
Mandatory access control constrains explicit information flows between labels but does not stop covert channels, where higher-classified information is deduced by combining lower-classified observations. Labels govern direct access, not every inference a subject can draw. This is why a multilevel system needs covert-channel analysis beyond its label policy, and why 'MAC fully prevents data leakage' is an overstatement.
Trap Assuming label enforcement alone makes a multilevel system leak-proof; MAC controls explicit flows but not covert channels or inference, which need separate analysis.
- RBAC assigns permissions to roles that mirror job functions, and users inherit them
Role-based access control grants permissions to roles modeled on job functions, and a subject acquires exactly the permissions of the roles they are assigned, nothing more. The administrative payoff is scale: a hire, transfer, or departure is handled by changing role assignments rather than editing thousands of individual permissions, making RBAC the default for large enterprises with stable job functions. Managed by role, it is also the natural control against privilege creep when assignments are reviewed.
Trap Assigning permissions directly to individual users and calling it RBAC; in RBAC permissions attach to roles and users inherit them through role membership, never via one-off grants.
- RBAC role hierarchies and separation-of-duty constraints are part of the standard model
The authoritative RBAC standard (ANSI/INCITS 359) defines role hierarchies, where senior roles inherit the permissions of junior roles, and separation-of-duty constraints, which forbid one user from holding a conflicting pair of roles such as create-vendor and approve-payment. Separation of duty can be enforced statically at assignment time or dynamically at role-activation time. These constraints are how RBAC encodes least privilege and anti-fraud controls beyond simple role assignment.
Trap Treating separation of duty as only an assignment-time check; RBAC also supports dynamic SoD enforced at role-activation time, so a user may hold conflicting roles but not activate both at once.
10 questions test this
- An organization is implementing Role-Based Access Control (RBAC) to manage access for its financial systems. The security team wants to…
- An organization is implementing the NIST RBAC model and wants to establish a role structure where senior accountants inherit all…
- A financial services organization wants to ensure that the same employee cannot both create purchase orders and approve them. The security…
- An organization is implementing RBAC and needs to ensure that no single user can both initiate and approve purchase orders. The security…
- A healthcare organization is designing its RBAC implementation and needs to ensure that a Cardiology Specialist automatically receives all…
- During an access control audit, a reviewer discovers that an internal auditor has been assigned to both the Internal Auditor role and the…
- A financial institution's access control policy requires that the same employee cannot both initiate a payment transaction AND authorize…
- An organization is implementing RBAC and needs to prevent employees from being assigned to both the 'Accounts Payable Clerk' and 'Internal…
- An organization has implemented RBAC and wants to ensure that a teller at a bank can be assigned to both the Teller role and the Teller…
- A security architect is designing an access control system for a financial services company. A user who is authorized for both the 'Loan…
- Rule-based access control applies the same global conditions to everyone, ignoring identity
Rule-based access control decides by whether a request matches a global rule, applied uniformly to all subjects regardless of who they are: a firewall ACL like 'deny inbound port 23 from any source' or a 'no logins outside business hours' policy gates everyone identically. Its defining trait is that the decision does not depend on the subject's identity, only on the request matching a rule. That identity-independence is the discriminator separating it from role-based control.
Trap Mistaking rule-based for role-based because the acronyms rhyme. Role-based decides by who you are (your role), rule-based decides by what the request is, ignoring identity entirely.
- ABAC evaluates a policy over subject, object, action, and environment attributes
Attribute-based access control makes the decision by evaluating a policy over attributes of four categories: the subject (clearance, department), the object (classification, type), the action (read vs. delete), and the environment (time, location, device posture). Combining many attributes in one rule makes ABAC the most granular and dynamic model, able to express decisions like 'a nurse may read records of patients on her ward, on a managed device, during her shift' without RBAC's role explosion. NIST frames RBAC and ABAC as complementary, with a role usable as one attribute among many.
Trap Treating ABAC and RBAC as mutually exclusive; NIST frames them as complementary, with a role usable as just one subject attribute inside an ABAC policy.
5 questions test this
- An organization is designing an ABAC system that uses federated identity attributes for access decisions. The security team wants to ensure…
- A financial services organization is implementing ABAC for their loan processing system. When a loan officer submits a request to access a…
- An enterprise is implementing access control for a new cloud-based application. The security team has identified that access decisions need…
- A healthcare organization has experienced significant administrative overhead as they continue to create new roles for every possible…
- An organization is implementing dynamic authorization using ABAC. A contractor needs access to project files, but the policy requires…
- ABAC and zero trust enforce via a Policy Decision Point and Policy Enforcement Point
ABAC and zero-trust authorization are architected around two components: a Policy Decision Point (PDP) that evaluates the policy against the request's attributes and returns a verdict, and a Policy Enforcement Point (PEP) that actually allows or blocks the access. Separating the decision from the enforcement lets one policy engine govern many enforcement points. The PDP/PEP split is the same pattern NIST SP 800-207 uses for zero-trust access.
Trap Swapping the PDP and PEP roles; the PDP evaluates the policy and returns the verdict, while the PEP is the component that actually allows or blocks the access.
7 questions test this
- During ABAC implementation, a security engineer configures the XACML policy engine to return additional directives along with permit or…
- A financial services company is implementing an ABAC solution using the XACML architecture. When an employee requests access to a customer…
- A financial services organization is implementing ABAC for their loan processing system. When a loan officer submits a request to access a…
- During an ABAC implementation with federated identity, an organization discovers that access policies are not being enforced correctly when…
- An organization is implementing attribute-based access control (ABAC) and needs to understand where authorization decisions are computed.…
- A financial services company is implementing an ABAC solution using XACML. The security architect needs to identify which component is…
- In an ABAC implementation following the XACML architecture, a user requests access to a sensitive document. The request is intercepted and…
- Risk-based (RAdAC) access adapts the decision to a live risk score within a session
Risk-adaptive access control computes a real-time risk score from contextual signals (device health, anomalous location, behavior deviation, sensitivity of the request) and adapts the decision moment to moment: permit, deny, or step up to additional authentication. Its distinguishing property is adaptivity within a single session: the same user with the same role can be allowed one moment and challenged the next because the computed risk changed. RAdAC is typically realized as ABAC with risk treated as a first-class environmental attribute, underpinning adaptive authentication and zero-trust designs.
Trap Reading RAdAC as a one-time decision fixed at login; its defining trait is re-evaluating risk within a live session, so access can change moment to moment for the same user.
- Just-in-time access grants privilege only for the task and revokes it automatically
Just-in-time access control grants elevated or privileged rights only for the duration of a specific task and removes them automatically afterward, so accounts hold no standing privilege for an attacker to hijack. It is least privilege applied to time and the foundation of zero standing privilege, where a privileged role carries no rights at rest until a scoped, time-boxed, usually approved activation. JIT layers over whatever base model is in use, shrinking the exposure window rather than changing who may decide access.
Trap Believing permanent least-privilege admin roles solve the standing-privilege risk. A never-revoked role is still standing privilege; JIT's point is to remove the standing part, not just shrink the role.
3 questions test this
- A cloud security manager at a fintech is hardening an automated deployment pipeline that pushes code to a sensitive production environment.…
- A security manager at an energy company must grant an external audit firm temporary elevated read access to specific production systems for…
- An organization is implementing Just-in-Time (JIT) privileged access to reduce its attack surface. A security analyst requests temporary…
- Least privilege caps the maximum; need-to-know decides which specific data within it
Least privilege restricts each entity to the minimum access required to accomplish its assigned tasks, and need-to-know is least privilege applied to information: a clearance sets the ceiling of what a subject could see, and need-to-know decides which specific data within that ceiling they actually require. The two work together: a Top Secret clearance does not grant access to every Top Secret document, only those the subject needs. Every authorization model is a mechanism for implementing least privilege.
Trap Assuming a clearance level alone grants access to all data at that level; clearance sets the ceiling, but need-to-know still gates which specific items the subject may see.
- ABAC, RAdAC, and JIT extend an underlying model rather than replace RBAC
The modern models are additive, not rival: ABAC adds attribute-level granularity, RAdAC adds session-level adaptivity, and JIT adds a time limit, each layered on top of an underlying grant rather than substituting for RBAC or MAC. Treating them as mutually exclusive alternatives misreads how real systems combine them, e.g., roles expressed as ABAC attributes, with JIT controlling when privileged roles activate. The exam contrasts them on their distinct contribution, not as either/or.
Trap Reading ABAC, RAdAC, and JIT as either/or replacements for RBAC; they are additive layers that combine, such as roles expressed as ABAC attributes with JIT gating activation.
- ABAC roles: PIP supplies attributes, the Context Handler orchestrates, obligations are mandatory
In an ABAC/XACML pipeline the Policy Information Point (PIP) acts as the source of attribute values the PDP lacks, drawn from directories and other sources, and the Context Handler coordinates the workflow, building the request context and requesting attributes from the PIP. The PDP returns Permit/Deny plus directives: an obligation MUST be carried out by the PEP (which denies access if it cannot discharge it), while advice MAY be safely ignored; if required attributes cannot be obtained the decision is Indeterminate.
Trap confusing the PIP (fetches attributes) with the PDP (decides) or treating advice as mandatory like an obligation
11 questions test this
- An enterprise is implementing attribute-based access control (ABAC) with a federated identity system. When configuring their IdP to send…
- A healthcare organization implements ABAC to control access to patient records. The authorization decision for a physician accessing…
- A security architect is designing an ABAC system for a microservices environment. When the Policy Decision Point (PDP) returns an…
- During ABAC implementation, a security engineer configures the XACML policy engine to return additional directives along with permit or…
- An organization implements ABAC for cloud resources and federates with multiple identity providers. During access decisions, the Policy…
- An architect is designing an ABAC system using XACML for a healthcare application. The PDP returns a Permit decision along with a directive…
- An enterprise is deploying an ABAC solution and needs to understand how the Policy Decision Point obtains attribute values during access…
- An organization is implementing ABAC with federated identity to enable partner access to internal resources. During initial testing, the…
- An organization implements ABAC using a centralized Policy Decision Point. During access requests, the PDP requires additional user…
- During an ABAC implementation with SAML-based federation, the Policy Decision Point requires additional subject attributes that were not…
- When a Policy Decision Point (PDP) evaluates an access request but finds that required attributes are missing from the request and cannot…
- ABAC cures RBAC role explosion by deciding on attributes at request time
Role explosion happens when an organization mints thousands of narrow roles to cover every combination of department, location, time, and project. ABAC eliminates this by evaluating subject, object, and environment attributes dynamically at access time, so no capability has to be pre-assigned to a subject or role before the request, collapsing many static roles into a few attribute policies.
Trap trying to fix role explosion by adding still more fine-grained RBAC roles instead of switching to attribute-based decisions
5 questions test this
- An enterprise is transitioning from RBAC to ABAC to support dynamic authorization across multiple business units. The security team needs…
- An enterprise is implementing access control for a new cloud-based application. The security team has identified that access decisions need…
- A healthcare organization has experienced significant administrative overhead as they continue to create new roles for every possible…
- An organization using RBAC is experiencing management challenges because they have over 3,500 roles to accommodate various combinations of…
- An organization is experiencing administrative challenges because they have created over 2,000 distinct roles to accommodate various…
- Capability tables are matrix rows (subject-centric); ACLs are matrix columns (object-centric)
An access control matrix can be stored two ways: a capability table is a row attached to a subject listing every object it may access, so it answers 'what can this user reach?' efficiently. An ACL is a column attached to an object listing every subject that may access it, so it answers 'who can reach this file?' and makes object-centric revocation/decommissioning simple.
Trap swapping the two: ACLs are object-centric (columns), capability tables are subject-centric (rows)
9 questions test this
- A security architect is documenting an organization's access control model using a matrix structure. In this matrix, subjects are…
- During an access control review, a security analyst discovers that the organization's capability table implementation makes it difficult to…
- A security architect is designing an RBAC system and needs to choose between implementing access control lists (ACLs) or capability tables.…
- A security architect is designing an access control system and needs to determine the best approach for reviewing all resources that a…
- An organization is reviewing its access control strategy. The security team needs to implement a solution where they can easily answer the…
- When implementing RBAC using an access control matrix framework, a security engineer needs to understand the relationship between different…
- A security architect is implementing RBAC and must decide how to store access control information. What is the PRIMARY difference between…
- An organization is designing an access control system and needs to efficiently determine all resources a specific user can access. Which…
- An organization is evaluating whether to implement capability tables or access control lists (ACLs) for their new RBAC system. The primary…
- In DAC/ACL systems, explicit deny beats group allow, and the creator owns the object
ACL evaluation is order-sensitive: an explicit deny ACE for an individual overrides an allow granted via group membership (canonical order: explicit deny, explicit allow, inherited deny, inherited allow). Under DAC the creator of a new object becomes its owner regardless of the parent's owner. On Windows the DACL holds the access permissions while the SACL configures audit logging of access attempts.
Trap assuming a group allow grants access despite an individual explicit deny, or confusing the DACL (permissions) with the SACL (auditing)
4 questions test this
- In a file system using ACL-based discretionary access control, a user named Janet has been explicitly denied access to a specific file.…
- A project manager creates a shared folder on a network drive and grants her team members read and write permissions. When a team member…
- A security administrator needs to audit who has access to a critical file on a Windows server and also track access attempts to that file.…
- A security administrator is configuring access control lists (ACLs) on a Windows file server. When multiple ACEs exist for the same user…
Identity Provisioning Lifecycle
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Authentication Systems
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Assessment & Testing
Assessment Strategies
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Assessment, test, and audit are three altitudes, not synonyms
A security assessment is the broad determination of how effectively an object meets its security objectives, drawing on testing, examination, and interviewing. A test is the narrow act of exercising an object under specified conditions to compare actual versus expected behavior. An audit is a formal, evidence-driven verification of conformance to a standard whose defining trait is independence and a reportable opinion, not technical depth. Designing a strategy means picking the right altitude per objective rather than treating the words as interchangeable.
Trap Calling a thorough internal self-review an audit. Without an independent party rendering a conformance opinion against a standard, it is an assessment, not an audit.
- An assessment combines testing, examination, and interviewing because no one method is complete
NIST SP 800-115 names three assessment methods: testing (exercise an object and compare actual vs expected), examination (check, inspect, review, observe, or analyze objects for evidence), and interviewing (discussions with people to clarify or locate evidence). No single method gives a comprehensive picture, so a designed assessment deliberately combines them: examination catches policy and configuration gaps a test misses, and a test proves the exploitability examination only suspects. Knowing which exact word a stem uses is itself testable.
Trap Treating a vulnerability scan or penetration test as a complete assessment by itself, when examination and interviewing must also run to catch the policy and configuration gaps a test alone never surfaces.
- Design the strategy before any tool runs: objectives, scope, methodology, frequency
A defensible assessment strategy is a plan authored before execution that fixes four things: the objectives each assessment must satisfy, the scope of objects in and out of bounds, a repeatable documented methodology, and a risk-based frequency. The plan, not the assessor's on-the-day improvisation, decides what gets measured and how often, which is exactly what makes it a strategy rather than a reflex. Objectives trace back to the organization's risks and obligations and drive technique selection downstream.
Trap Reaching for an execution-level fix (buy a scanner, hire a pen tester) when the stem's defect is that nobody decided up front what to measure and how often: that root cause is a missing strategy, not a missing tool.
- Assessment is a management responsibility; the assessor executes within the plan
CISSP frames assessment design as a leadership decision: management authors the program (an assessment policy plus a repeatable methodology fixing objectives, scope, roles, frequency, and reporting) and the assessor works inside it. This is why an inconsistent, unrepeatable, or after-the-fact-disputed program signals an absent strategy rather than an unskilled tester. Deriving the methodology from an established source such as SP 800-115 or SP 800-53A keeps the approach recognized and the findings defensible.
Trap Blaming the assessor's skill for an inconsistent or disputable program, when the missing piece is management's repeatable methodology and policy that the assessor is supposed to execute within.
- Set assessment frequency by risk and material change, with a regulatory floor
Frequency is risk-based first: higher-risk systems are assessed more often, and any material change triggers reassessment rather than waiting for the next calendar date. Many regimes impose a floor: under FISMA, U.S. federal systems require periodic testing and evaluation of controls no less than annually. The calendar is the backstop, not the driver; a system that changed materially last week needs reassessment now, not at its scheduled annual review.
Trap Treating a fixed annual cadence as sufficient on its own: frequency follows risk and material change first, the calendar only as a minimum.
- Who assesses trades depth and context for independence
Internal assessors know the environment and cost the least but assess work they or their peers performed, so their objectivity is structurally limited: no one credibly grades their own homework. External (hired-in) assessors still act on behalf of the sponsor, while an independent third party is a separate firm whose value is precisely having no stake in the result. The single trade-off across all three is depth-and-context versus independence, and the strategy assigns each objective to the assessor whose independence matches the assurance the audience demands.
Trap Assuming the internal team's deeper knowledge of the environment also makes them the most objective choice, when their stake in the work they assess is exactly what limits that objectivity.
4 questions test this
- A retail bank's regulator requires that the institution undergo an independent penetration test of its internet-facing banking systems each…
- A manufacturing company faces a mandatory regulatory compliance examination in nine months. The security manager wants to repeatedly…
- A security operations manager at a manufacturing firm wants to verify, every month, that server build configurations still match the…
- A security manager at a mid-sized firm needs to confirm, on a monthly cadence, that engineering teams are actually closing the…
- Independent third parties are required when an outside audience must rely on the result
When a regulator, a customer's vendor-risk team, or a board needs credible assurance, the work goes to an independent third party because internal or hired assessors cannot produce a result an outsider can trust. Formal attestations like a SOC 2 report and certifications like ISO/IEC 27001 require an accredited outside party: a self-assessment structurally cannot produce them. Reserve internal self-assessment for continuous internal improvement, where the audience is the organization itself.
Trap Choosing the cheaper, deeper internal team when the stem demands a result credible to an external audience: they have the most context but the least independence, so the finding fails the credibility test.
4 questions test this
- A holding company's board has approved a tentative acquisition of a smaller competitor and wants an objective evaluation of the target's…
- A SaaS startup competing for enterprise contracts is repeatedly asked by prospective customers to prove that its information security…
- A SaaS provider that hosts regulated customer data is facing repeated requests from enterprise prospects for documented, independent…
- A retail bank's regulator requires that the institution undergo an independent penetration test of its internet-facing banking systems each…
- Location caps what you are even allowed to assess
Where a system runs legally and contractually limits what the customer may test. On premises the organization owns the whole stack and can assess any layer; in the cloud the shared-responsibility model splits ownership, with the provider securing the infrastructure of the cloud and the customer securing their data, identity, and configuration in the cloud. The boundary slides toward the provider from IaaS to PaaS to SaaS, but data classification and access control almost always remain the customer's responsibility, so the strategy must scope direct testing to the customer-controlled layers.
Trap Assuming a move to the cloud hands data classification and access control to the provider, when those remain the customer's responsibility to assess across IaaS, PaaS, and SaaS alike.
- You cannot test the provider's layers: inherit assurance from their attestation
You cannot penetration-test or scan a cloud provider's hypervisor, hardware, or physical facility; that work is out of scope and usually contractually prohibited. For those provider-controlled layers you do not run your own test: you inherit assurance from the provider's own independent third-party attestation, such as their SOC 2 report or ISO 27001 certificate. Moving to the cloud does not remove the assessment obligation; it splits it, leaving the customer accountable for assessing everything on the customer side of the line.
Trap Scheduling your own penetration test or audit of the provider's data center or hypervisor. Review the provider's third-party attestation instead, because that layer is theirs and testing it is prohibited.
- A hybrid strategy blends direct assessment with inherited attestation
A hybrid estate spans on-premises and customer-controlled cloud layers you assess directly and provider-controlled layers you cannot touch. The strategy is therefore a blend: direct testing, scanning, and examination for the on-prem and customer-side cloud layers, and inherited third-party attestation for the provider-controlled layers. The recurring point is that the customer-owned data and access configuration must be assessed in every service model, since misconfiguration of that customer layer is the dominant cloud-breach cause.
Trap Applying one uniform approach across a mixed estate, either trying to directly test everything or inheriting attestations for everything, when a hybrid demands direct assessment of customer-controlled layers and inherited assurance for provider-controlled ones.
- Validate the strategy itself before trusting its results
Design is not finished until the strategy is stress-tested against reality: does the declared scope actually cover the systems that matter, do the objectives map to real risks and obligations, is the frequency defensible against risk and any regulatory floor, and does the combination of planned methods close the blind spots each single method leaves? A strategy no one has validated can pass every step and still fail to tell leadership whether security works: it is a checklist, not a control.
Trap Trusting a strategy because it passed every documented step, without validating that its declared scope, objectives, and method mix actually cover the systems and risks that matter.
- The auditor's value is independence and an opinion, not technical depth
What distinguishes an audit from a deep technical assessment is not how intrusive or expert the work is but that an independent party renders a reportable conformance opinion against an external standard or framework. The same hands-on testing performed by the system owner is an assessment; performed and opined on by an accredited independent party against a defined benchmark, it becomes an audit. Stems that stress an outside party and a formal opinion are pointing at an audit even when the underlying activity looks technical.
Trap Calling the deepest, most intrusive technical test the audit, when what makes work an audit is an independent party's conformance opinion against a standard, not its technical depth.
- Objectives and acceptable risk drive technique selection
SP 800-115 is explicit that the assessment objectives and the organization's acceptable level of risk determine which techniques to use, and that because no single technique gives a comprehensive picture, the strategy combines them. This is why the design starts from objectives rather than from a favorite tool: the goal a leader needs answered dictates whether examination, testing, or interviewing (or some mix) is commissioned. A strategy built tool-first instead of objective-first measures what is easy rather than what matters.
Trap Selecting techniques from the team's favorite or most capable tool, when the objectives and the organization's acceptable level of risk are what should dictate which methods are commissioned.
- An attestation is the deliverable that proves independent assurance
When the strategy's audience is external, the output that satisfies them is a formal attestation or certificate produced by an accredited outside party: a SOC 2 report attesting to controls, or an ISO/IEC 27001 certificate of a conforming information security management system. These deliverables exist precisely because a self-assessment cannot carry weight with an outside relier. Choosing the assessor therefore also chooses what evidence the engagement can produce, so map the required deliverable back to the assessor's independence when designing the strategy.
Trap Offering an internal self-assessment report to satisfy an external relier, when only a formal attestation or certificate from an accredited outside party carries weight with that audience.
Security Control Testing
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A vulnerability assessment identifies weaknesses; a penetration test exploits them
A vulnerability assessment enumerates and ranks weaknesses but stops at reporting that a flaw may exist; a penetration test goes further and exploits the flaw to confirm it is real and show how far an attacker reaches. NIST puts it directly: a vulnerability scanner checks only for the possible existence of a vulnerability, while the attack phase of a pen test exploits it to confirm its existence. Pick the assessment by the question asked: "what is exposed?" wants an assessment, "can it be breached?" wants a pen test.
Trap Choosing a penetration test for broad, repeatable enumeration across many hosts: that low-risk coverage is a vulnerability assessment, not an exploit-and-confirm pen test.
6 questions test this
- A security manager at an insurer has received a scanner finding rating a flaw on an internet-facing claims portal as critical, but the…
- A CISO has just completed acquisition of a smaller competitor whose network must be integrated within ninety days. Little reliable…
- A security manager at a water-treatment utility must obtain a prioritized view of known weaknesses across its industrial control network,…
- A CISO at a retailer has a large backlog of scanner-reported weaknesses, but executive leadership is skeptical that any of them pose real…
- A healthcare CISO is reviewing the output of a recent automated scan that flagged hundreds of weaknesses on clinical systems. Remediation…
- A bank's board has approved a new internet-facing wealth-management portal and wants evidence, before launch, of whether a determined…
- A penetration test runs four phases: Planning, Discovery, Attack, Reporting
NIST SP 800-115 divides a pen test into Planning (set rules of engagement, scope, written authorization, no testing happens here), Discovery (information gathering and scanning to find targets), Attack (exploit the weaknesses), and Reporting (deliver findings and risk ratings). Reporting runs concurrently with the other phases rather than only at the end, and Attack loops back to Discovery whenever a new foothold reveals more targets.
Trap Assuming Reporting happens only at the very end after Attack finishes, when NIST has reporting run concurrently throughout the engagement.
- Get written authorization before any penetration test begins
The first action in a penetration test is the Planning phase: obtain documented management authorization and rules of engagement defining scope, timing, and a point of contact before any tool runs. Without that written authorization the same activity is indistinguishable from a real attack and is potentially illegal. No actual testing occurs during Planning.
Trap Starting scanning or exploitation before authorization is signed: in CISSP framing an unauthorized test is an attack, regardless of intent.
4 questions test this
- An organization contracts with a third-party security firm to conduct a penetration test. The contract specifies that the testers may…
- An organization is planning its first penetration test and wants to ensure proper authorization and boundaries are established. According…
- A penetration testing firm has been contracted to perform physical security testing that includes attempting to gain unauthorized access to…
- Before beginning a penetration test, the testing team must ensure proper authorization and define specific boundaries with the client.…
- The attack phase loops back to discovery as new footholds appear
When an exploit succeeds, the tester often gains a foothold that exposes new internal targets, so the Attack phase feeds back into Discovery: escalating privileges, pivoting to other systems, and re-scanning from the new vantage point. This loopback is why a pen test measures how far an attacker could chain access, not just whether one isolated flaw is exploitable.
- Black-, white-, and gray-box define how much the tester knows up front
Black-box testing gives the tester zero prior knowledge, simulating an external attacker; white-box gives full knowledge such as architecture, source code, and credentials, for the most thorough coverage; gray-box gives partial knowledge, like a standard user account. More knowledge trades realism of an outsider's view for depth and efficiency of coverage.
Trap Confusing the knowledge levels by picking white-box to simulate an outside attacker, when zero-knowledge black-box is the one that models an external threat.
- A red team emulates the adversary; the blue team defends; purple is collaboration
A red team is authorized to emulate a real adversary's attack capabilities against the organization's defenses, while the blue team is the defenders who monitor, detect, and respond. A purple team is not a separate group but a mode where red and blue work together so each attack technique immediately drives a detection or response improvement. The defining feature of a red-team engagement is that, unlike a scheduled scan, it also tests whether defenders can detect and respond.
Trap Calling every penetration test a "red team": the red-team label specifically means adversary emulation that also exercises the blue team's detection and response.
7 questions test this
- The CISO of a bank wants a realistic measurement of how long it takes the security organization to detect and respond to a determined…
- A SOC at a streaming-media company recently deployed a new endpoint detection platform and authored detection rules mapped to known…
- An organization conducts a Purple Team exercise where the Red Team uses an exploitation framework to execute specific tactics, techniques,…
- The CISO of a pharmaceutical company wants to learn whether a motivated outsider could chain technical exploitation, phishing of employees,…
- A financial services company wants to evaluate whether their Security Operations Center can effectively detect and respond to adversarial…
- An organization wants to improve collaboration between its security operations team and offensive security testers to enhance detection…
- A bank's board wants assurance that, beyond technical flaws, the organization's people, processes, and detection capabilities would…
- SAST analyzes code without running it; DAST tests the running app from outside
Static application security testing (SAST) examines source, bytecode, or binaries without executing them, so it runs early and points to the exact vulnerable line, but it misses runtime and configuration flaws and produces false positives. Dynamic application security testing (DAST) tests the running application from the outside with no source access, so it catches runtime and deployment issues but cannot pinpoint the offending code. Interactive testing (IAST) instruments the running app to combine both views.
Trap Picking SAST to catch a runtime or misconfiguration flaw it structurally cannot see, or DAST when the stem wants the exact offending line that only source analysis reveals.
4 questions test this
- A security architect is selecting a tool to assess web application security during the testing phase of the SDLC. The tool must scan the…
- An organization wants to reduce false positives in their application security testing program while gaining deeper insight into how…
- A security architect is designing an application security testing strategy for a web application with REST APIs. The team needs to identify…
- A development team wants to implement security testing early in the SDLC to identify vulnerabilities in source code before the application…
- Fuzzing feeds malformed input to a running target to expose input-handling defects
Fuzz testing submits invalid, unexpected, or random input to a running program to reveal how it responds, surfacing input-handling defects such as buffer overflows and crashes. It is a dynamic technique run by tools called fuzzers, and it is most valuable for code paths that parse external input where validation may be incomplete.
Trap Classifying fuzzing as a static, source-analysis technique, when it is a dynamic technique that requires actually executing the target against malformed input.
- Misuse-case testing verifies behavior under abuse, not just intended use
Where a use case describes how a system should behave for a legitimate user, a misuse case models what an attacker would deliberately do to abuse it, and misuse-case testing verifies the system resists that abuse. It complements normal functional testing by asking how the system fails under hostile input rather than only confirming it works under expected input.
Trap Confusing a misuse case with a use case, treating it as just another positive functional scenario instead of the adversary's deliberate abuse of the system.
4 questions test this
- A product security analyst at a bank is validating a new self-service account-recovery feature that lets customers regain access using…
- A security analyst supporting an e-commerce platform is defining test cases for a new promotional-coupon redemption workflow. A threat…
- During development of a new self-service feature that lets customers update their payout bank details, a product security lead concludes…
- A product security analyst at a property-insurance company is validating a new self-service claims portal that lets policyholders submit…
- Synthetic transactions script known interactions; RUM captures real user activity
Synthetic transactions run scripted, pre-defined interactions (a login, a search, a checkout) against a live system on a schedule to confirm it responds correctly and on time, independent of real traffic. Real user monitoring (RUM) instead passively captures actual user interactions as they happen. Use synthetic transactions to proactively verify availability and behavior even when no real users are active.
Trap Reaching for real user monitoring to proactively verify availability when no real users are active, a job only scheduled synthetic transactions can do.
- Interface testing exercises the connection points between components
Interface testing targets the boundaries where components connect (APIs, web service endpoints, and inter-system handoffs) to confirm they accept, reject, and fail securely. These integration points are a common source of defects because each side may assume the other validated the data, so testing them directly catches gaps neither component's internal tests would find.
Trap Reading interface testing as exercising the graphical user interface, when it targets the API and inter-system connection points between components.
- Test coverage analysis measures how much of the target the tests exercised
Test coverage analysis quantifies how much of a target the tests actually exercised (statement, branch, or condition coverage for code, or requirements coverage for controls) so the gaps in what was not tested become visible. It answers "what did we miss?" rather than "did the tested parts pass?"
Trap Treating high test coverage as proof the system is secure: coverage measures only what was examined, not that the exercised code is free of flaws.
- Breach-and-attack simulation continuously replays adversary techniques against live defenses
Breach-and-attack simulation (BAS) tools automatically and continuously replay known adversary techniques against production defenses to verify on an ongoing basis that controls detect and block them. BAS closes the gap left by point-in-time penetration tests, which capture only a single moment, by turning detection-and-response validation into a continuous, repeatable check.
Trap Equating breach-and-attack simulation with a point-in-time penetration test, when its defining value is continuous, repeatable validation rather than a single snapshot.
- Log review verifies controls record the right events, not that they block attacks
Log review is an examination technique that determines whether security controls are logging the proper information and whether the organization adheres to its logging policy, for example, confirming that all authentication attempts to critical servers are recorded at the required detail. It can also surface misconfigurations, unauthorized access, and intrusion attempts after the fact, but it evaluates evidence rather than actively exploiting a weakness.
Trap Classifying log review as a testing technique that actively exploits or blocks attacks, when it is an examination method that evaluates recorded evidence after the fact.
3 questions test this
- A security manager at a consultancy implemented a control requiring that all third-party contractor VPN logins use multifactor…
- A compliance officer at a bank must produce evidence for an external auditor that a specific control is operating effectively: privileged…
- A security manager at a retailer recently implemented a control requiring that all outbound file transfers route through an inspection…
- Compliance checks verify the implemented state matches a required baseline
A compliance check compares a system's actual configuration against a mandated baseline or benchmark and reports where they diverge, confirming the implemented state matches the required one. It is a verification of conformance to a defined standard, distinct from a vulnerability assessment that hunts for unknown weaknesses regardless of any baseline.
Trap Treating a compliance check as a vulnerability assessment, when it measures conformance to a defined baseline rather than hunting for unknown weaknesses.
- Testing, examination, and interviewing are the three assessment methods
NIST SP 800-115 defines three assessment methods: testing exercises an object under specified conditions to compare actual against expected behavior; examination checks, inspects, reviews, or analyzes objects to obtain evidence; interviewing holds discussions with people to clarify or locate evidence. Because no single technique gives a complete picture, a sound assessment deliberately combines methods rather than relying on one.
Trap Confusing examination with testing, when only testing actively exercises an object under specified conditions while examination merely inspects and reviews it for evidence.
- Credentialed scanning sees patch and configuration state; unauthenticated scanning only probes
A credentialed (authenticated) vulnerability scan logs into the target and reads installed patch levels and configuration, yielding far fewer false positives than an unauthenticated scan that only probes from the network. Either way scanner output flags possible flaws and always needs human triage to separate true findings from false positives before remediation.
Trap Assuming an unauthenticated network scan is more accurate than a credentialed one, when reading patch and configuration state from inside the host is what cuts false positives.
8 questions test this
- During the configuration of an enterprise vulnerability scanning solution, the security administrator must determine the appropriate scan…
- During a vulnerability assessment, a security analyst performs two separate scans of the same server - one using administrative credentials…
- An organization's vulnerability management team discovers that their automated scans are reporting significantly fewer vulnerabilities than…
- A security analyst is configuring vulnerability scans for an enterprise network containing both managed workstations and legacy systems…
- A CISO has just completed acquisition of a smaller competitor whose network must be integrated within ninety days. Little reliable…
- A security analyst is configuring vulnerability scans for a large enterprise network. During the planning phase, they need to choose…
- An organization wants to improve the accuracy of their vulnerability scanner in identifying missing patches and software versions on…
- A security team is collecting vulnerability scan data and notices that 30% of findings are false positives. Which practice would BEST…
- Combine techniques because no single one gives a complete security picture
NIST is explicit that no individual testing technique provides a comprehensive view of a system's security, so assessments should layer them: review to understand a control, scanning to find candidate weaknesses, and validation to confirm the ones that matter. Relying on a single method (only a scan, or only a pen test) leaves predictable blind spots.
Trap Assuming a single thorough method such as a penetration test gives a comprehensive security picture, when NIST says no individual technique covers all blind spots.
- SCAP standardizes machine-readable config and vulnerability checking
The Security Content Automation Protocol (SCAP) is a NIST suite of interoperable specifications that lets tools from different vendors express and check security configuration and vulnerability data in machine-readable form. XCCDF describes the checklist and benchmark of requirements, while OVAL defines the low-level technical checks that determine whether a system meets them.
Trap XCCDF is the human-level checklist language; OVAL is the low-level check logic the scanner executes.
8 questions test this
- An organization's security team is selecting a configuration assessment tool to validate compliance against established security baselines.…
- An organization wants to standardize its vulnerability management program to use a common format for expressing security configuration…
- A security analyst is configuring the organization's vulnerability management system to use standardized data formats for correlating scan…
- A security team is implementing an automated vulnerability assessment program that must support interoperability between multiple security…
- A security analyst is implementing automated vulnerability scanning to ensure machine-readable content can be exchanged and processed…
- A security team is implementing automated vulnerability management and needs to ensure interoperability between multiple security tools for…
- A security architect is designing an enterprise vulnerability management program that requires standardized, machine-readable formats for…
- When conducting a security assessment, an organization compares the current state of system configurations against established baselines…
- CIS Benchmark Level 1 is a usable baseline; Level 2 is defense-in-depth
CIS Benchmarks ship two profiles. Level 1 is the base recommendation that lowers attack surface with minimal performance or usability impact, suitable for general systems. Level 2 is intended for environments where security is paramount, adding more stringent settings that may require application changes and can affect functionality.
Trap Level 2 is not 'better and always preferred'; its stricter settings can break functionality, so general workstations use Level 1.
4 questions test this
- A security team is configuring automated baseline assessments using CIS Benchmarks for their Windows server environment. They need to…
- An organization is implementing CIS Benchmarks to validate security configurations across their Windows server infrastructure. The security…
- An organization is implementing automated configuration compliance checking using CIS Benchmarks. The security team needs to balance…
- An organization wants to ensure that its systems comply with industry-recognized secure configuration standards. The security team selects…
- SIEM correlation requires normalizing logs to a common schema first
Different log sources name and format the same data differently (for example a user as 'jsmith' versus 'john.smith@company.com', or varying timestamp and IP field names). A SIEM must normalize these into a standardized schema or common information model so events can be compared and correlated across sources; without normalization, cross-source correlation rules fail.
Trap Normalization fixes inconsistent field names/formats; out-of-order or skewed timestamps are a separate problem solved by time synchronization (NTP).
6 questions test this
- An organization's SIEM receives logs from multiple vendors' firewalls, intrusion detection systems, and endpoint protection platforms.…
- An organization is implementing a SIEM solution and needs to ensure logs from different systems can be effectively correlated. The security…
- An organization is integrating IDS/IPS alerts with a SIEM platform and discovers that different products use varying log formats. According…
- An organization is implementing a new SIEM solution and wants to ensure effective correlation of security events across their diverse…
- An organization is implementing a SIEM solution and discovers that logs from different sources use inconsistent formats, including varying…
- A security team is implementing a SIEM solution and must correlate events from multiple sources including Active Directory logs, cloud…
- SIEM event correlation turns isolated events into a single incident
Event correlation links related events from multiple sources by common attributes (user, host, IP, time window) so that activity that looks benign in isolation becomes a recognizable incident when combined. It is what enables detection of multi-stage attacks and timeline reconstruction across diverse logs.
Trap An alert that looks weak alone is not necessarily a false positive; the cure is correlation for context, not suppression.
7 questions test this
- A security analyst notices that the organization's SIEM is generating numerous alerts that require extensive manual investigation to…
- During an incident investigation, a security analyst needs to reconstruct the timeline of a multi-stage attack that traversed several…
- A security analyst reviewing SIEM output notices that correlation rules are generating alerts when evidence of a compromised account…
- During penetration testing, a security team detects suspicious activity through their SIEM where an account was created with elevated…
- A security team is testing their SIEM implementation by reviewing detection capabilities. The team observes that rule-based event…
- A security operations center is implementing indirect IDPS integration using SIEM software to collect and analyze alert data from multiple…
- During a security assessment, a SOC analyst notices the SIEM has correlated a failed authentication event on a web server with unusual…
- Tune correlation rules and add exceptions to cut SIEM false positives
When a rule floods analysts with alerts that investigation confirms are benign (for example a service account doing legitimate automated work), the right fix is to tune the rule and add a scoped exception or allow-list for the validated source, adjusting thresholds to the organization's use cases. This preserves detection while reducing alert fatigue.
Trap Tune or scope an exception for the validated source; do not disable the whole rule, which would blind the control.
3 questions test this
- A SIEM administrator notices that an analytics rule is generating numerous alerts for a specific service account that performs legitimate…
- An organization's security operations center (SOC) is experiencing significant alert fatigue, with analysts unable to investigate the…
- A security analyst notices that the organization's SIEM generates numerous alerts from a single correlation rule, but investigation reveals…
- Pivoting routes through a compromised host to reach internal segments
After gaining a foothold, a tester uses pivoting to route traffic through the compromised system and reach internal networks that are not directly accessible from the attack platform (for example via a Meterpreter session). In PTES this enumeration of additional subnets and onward access happens in the post-exploitation phase.
Trap Pivoting reaches otherwise unreachable internal segments; it is a post-exploitation activity, not the initial exploitation step.
5 questions test this
- During a penetration testing engagement, after successfully exploiting a vulnerable web server in the DMZ, the security analyst needs to…
- During a penetration test, the tester has successfully compromised a system on the DMZ network and needs to access systems on an internal…
- A security team is using Metasploit Framework during an authorized penetration test. After successfully exploiting a vulnerability, they…
- According to the Penetration Testing Execution Standard (PTES), which phase involves using a compromised system's network configuration to…
- After completing a penetration test using an exploitation framework, a tester successfully gained access to a system through an SMB…
- Scope defines WHAT is tested; rules of engagement define HOW
In pre-engagement, two distinct documents govern a penetration test. The scope document explicitly identifies which systems, networks, and IP ranges are authorized targets, while the rules of engagement (RoE) set the constraints on how testing is conducted, including the degree of exploitation permitted and procedures after a system is compromised. NIST treats the RoE as the authority that lets the team act without seeking further permission mid-test.
Trap Scope = what; rules of engagement = how. The degree of exploitation allowed belongs in the RoE, not the scope.
7 questions test this
- An organization contracts with a third-party security firm to conduct a penetration test. The contract specifies that the testers may…
- A penetration tester has successfully compromised an internal workstation and discovers it is a multi-homed system connected to both the…
- An organization is preparing to engage a third-party firm for a penetration test of their web applications. During the pre-engagement…
- During a penetration testing engagement, the tester discovers a critical vulnerability and wants to exploit it further to demonstrate…
- A security manager is preparing documentation for an upcoming penetration test engagement. According to the Penetration Testing Execution…
- During the pre-engagement phase of a penetration test, the client asks the testing team to document what actions are permitted if a system…
- During pre-engagement planning, a penetration testing firm must establish rules of engagement with the client organization. According to…
- An out-of-scope discovery means stop, document, and notify, not exploit
If a tester encounters a system or vulnerability outside the authorized scope (for example a third-party-owned host), professional standards require ceasing activity against it, documenting only what was already observed without further probing, and notifying the engagement authority so additional authorization or a new statement of work can be obtained before any further testing.
Trap Exploiting an out-of-scope finding to prove impact; testing outside the agreed scope creates legal exposure regardless of intent.
4 questions test this
- A penetration tester discovers during an engagement that certain systems on the network are owned by a third-party business partner rather…
- During a penetration testing engagement, a security consultant discovers a critical vulnerability in a third-party payment processing…
- During an authorized internal penetration test of its own customer portal, a tester following defined rules of engagement notices that an…
- During a penetration testing engagement, a tester discovers a critical vulnerability in a production database that was explicitly excluded…
Security Process Data
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Test Output & Reporting
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Audits
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Operations
Investigations
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Logging & Monitoring
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Logging records events; monitoring is the review that turns them into detection
Logging writes an event down when it happens, while monitoring is the continuous review of those records and live telemetry to spot what matters: the two form a pipeline, not a synonym pair. Logs that accumulate without anyone analyzing them are the most common detective-control failure, because the control that was supposed to catch the attack (review) never actually runs. The whole subtopic exists to extract signal from logs, so every tool here is a way to analyze records rather than to generate more of them.
Trap Treating exhaustive logging as detection on its own. Collection without review detects nothing.
- Centralize logs off the host so a compromise cannot erase the evidence
Logs left on the host that generated them are deleted or altered the moment that host is compromised, so forward them to a central, access-controlled store as close to real time as possible. Centralization also enables correlation: an event that looks innocuous in one server's log is obvious when many sources are read together. NIST SP 800-92 frames this as the core of security log management, and a write-once or append-only store further protects the record so even an intruder with admin rights cannot rewrite history.
Trap Leaving logs only on the originating host because they are also forwarded later in batch, giving an attacker a window to wipe them before they ship.
- Synchronize all clocks with NTP, or correlation and forensic ordering break
Every correlation depends on a shared, trustworthy clock, so synchronize all devices to a common time source using the Network Time Protocol (NTP). If two systems' timestamps disagree, no SIEM can correctly order their events and the true sequence of an attack is lost. Skewed clocks also weaken logs as forensic evidence because the ordering of records cannot be trusted.
Trap Blaming a SIEM's correlation rules for an incoherent timeline when the real cause is unsynchronized clocks.
- Signature detection catches known threats but is blind to anything novel
Signature-based detection matches activity against a database of known-bad patterns (hashes, exploit packet shapes, malicious URLs), making it precise and low-noise for known threats. Its structural weakness is that a zero-day or never-seen variant has no signature, so it passes straight through. Reach for anomaly/behavior-based detection instead when the threat may be previously unseen.
Trap Choosing signature-based detection to catch a zero-day. No signature exists yet for an attack nobody has seen.
- Anomaly detection catches the unknown by modeling normal, at the cost of false positives
Anomaly- (behavior-) based detection first learns a baseline of normal, then flags statistically significant deviations from it, which lets it catch novel attacks that no signature covers. The trade-off is false positives: legitimate activity that drifts outside the baseline triggers alerts that must be tuned out. This is the right side of the signature-vs-anomaly choice whenever a stem says 'detect a previously unseen attack.'
Trap Picking anomaly-based detection for its low false-positive rate, when its strength is catching the unknown and it actually generates more false positives than signature matching, not fewer.
- An IDS detects and alerts; an IPS sits inline and can block
An Intrusion Detection System (IDS) observes activity and raises an alert (a detective control that does not stop the attack) while an Intrusion Prevention System (IPS) sits inline in the traffic path and can drop or reset malicious connections, making it a preventive control. The placement is the whole difference: an IDS can tap a passive span/mirror port out of band, but an IPS must be inline, so a false positive or outage in an IPS can break legitimate traffic. NIST SP 800-94 treats them together as IDPS because most products now do both.
Trap Expecting an out-of-band IDS to stop an attack. It only alerts; only an inline IPS can block.
- NIDS sees the wire, HIDS sees the host, so critical environments run both
A network IDS/IPS (NIDS/NIPS) inspects traffic on a segment and catches attacks crossing the wire, but is blind inside encrypted tunnels and to activity that never leaves the host. A host IDS/IPS (HIDS/HIPS) runs on the endpoint and sees local file changes, process behavior, and post-decryption activity, but only for that one machine. Because each covers the other's blind spot, defense in depth places network sensors at chokepoints and host sensors on critical systems rather than choosing one.
Trap Relying on a NIDS alone to detect an attack inside an encrypted session or one confined to the host, where only a HIDS can see it.
- A SIEM aggregates and correlates logs so scattered events become one alert
A Security Information and Event Management (SIEM) platform aggregates logs from many sources, normalizes them to a common format, and correlates them with rules so individually innocuous events combine into one high-fidelity alert. Its value is the centralized cross-source view that reconstructs an attack timeline no single host log reveals, which is exactly why it depends on NTP-synchronized clocks. SIEM correlation rules are usually signature-style, with anomaly analytics (UEBA) layered on for behavioral detection.
Trap Treating a SIEM as a detection engine that finds threats on its own, when its value is correlating the logs other tools generate and its rules are only as good as the sources and clocks feeding it.
9 questions test this
- A security operations manager at a retailer must satisfy auditors who require that authentication events, firewall denials, and endpoint…
- An organization's SIEM ingests logs from multiple sources including vulnerability scanners, patch management systems, and endpoint…
- A security operations team is implementing a SIEM solution to correlate vulnerability scanner data with security events. They want to…
- A security analyst at a manufacturing firm is investigating signs of a stealthy intrusion in which the attacker's individual actions each…
- An organization is implementing a SIEM solution to centralize security monitoring. The security team discovers that firewall logs use…
- An organization has deployed multiple honeypots across different network segments and wants to leverage the collected data for proactive…
- During the implementation of a SIEM solution, the security team discovers that logs from different network devices use inconsistent field…
- A security administrator is configuring a new SIEM solution and notices that firewall logs use a different timestamp format than Windows…
- A SIEM analyst observes that a single user account generated failed login attempts from three different geographic locations within a…
- UEBA detects the compromised insider by baselining behavior, not matching signatures
User and Entity Behavior Analytics (UEBA) builds a behavioral baseline per user and per entity (servers, devices, service accounts) and flags significant deviations: a mass download, an off-hours login from a new location, lateral movement never seen before. It is the answer for a compromised credential or malicious insider whose individual actions are authorized but whose pattern is abnormal. Signature tools miss this because no malware is involved; the account is legitimate, only its behavior is wrong.
Trap Reaching for antivirus or signature tools against a compromised valid account. No malware is present, so they see nothing wrong.
- Egress monitoring and DLP watch what leaves, because exfiltration is the loss event
Most monitoring focuses inbound, but the damage in a breach happens when data flows out, so egress monitoring and Data Loss Prevention (DLP) inspect outbound traffic for sensitive content. DLP enforces across data in motion (network), data in use (endpoints), and data at rest (storage). Egress filtering, allowing only expected destinations and protocols outbound, complements DLP by limiting command-and-control channels and blocking traffic to unexpected destinations.
Trap Concentrating monitoring and firewall rules on inbound traffic, leaving outbound exfiltration and command-and-control channels unwatched.
- DLP only acts on content it can read, so network DLP must decrypt TLS first
DLP can inspect only content it can actually read, so strong end-to-end encryption or an unrecognized format defeats inspection entirely. That is why network DLP typically performs TLS termination/decryption at the egress point before examining the payload. Without it, an encrypted exfiltration channel passes uninspected. This makes decryption infrastructure, not the DLP engine itself, the usual missing piece when sensitive data still leaks.
Trap Assuming DLP transparently inspects encrypted traffic. It cannot read the payload until TLS is terminated and decrypted.
- Continuous monitoring (ISCM) replaces the annual snapshot with ongoing awareness
Information Security Continuous Monitoring (ISCM), defined in NIST SP 800-137, is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk-management decisions. It replaces the once-a-year audit snapshot so authorization decisions rest on current data and control drift is caught in days rather than at the next assessment. Logging and monitoring are the data sources; ISCM is the governance program that consumes them.
Trap Reading 'continuous' as fully automated and tool-only, when ISCM is a governance program that consumes monitoring data to drive risk decisions, not just a real-time scanner.
- IOCs are easy to load but go stale; TTPs are durable, so hunt on behavior
Threat feeds deliver Indicators of Compromise (IOCs), malicious IPs, file hashes, domains, that are easy to load into a SIEM or IDS but trivially changed by the attacker, so they go stale fast. Tactics, Techniques, and Procedures (TTPs), catalogued in frameworks like MITRE ATT&CK, describe how an adversary operates and are far more durable because behavior cannot be rotated as cheaply as an IP. Detection built on TTP behavior is therefore more resilient than detection chasing individual IOCs.
Trap Relying solely on IOC feeds for detection. Attackers change indicators trivially, so IOC-only detection ages out quickly.
- Threat hunting is the proactive, hypothesis-driven search for an attacker already inside
Threat hunting is the human-led search for adversaries who already slipped past automated detection, starting from a hypothesis ('if an attacker used this technique, here is the trace it would leave') and querying centralized logs to confirm or refute it. It assumes compromise has already happened rather than waiting for an alert to fire, which makes it the human counterpart to the automated pipeline. Hunting leans on TTP-level intelligence because behavior is what survives an attacker's evasion of indicator-based controls.
Trap Treating threat hunting as waiting for and triaging the alerts the SIEM fires, when it is a proactive hypothesis-driven search that assumes the alert never came.
- Threat intelligence is contextual adversary knowledge that tells detectors what to look for
Threat intelligence is curated, contextual knowledge about adversaries, delivered through threat feeds, that sharpens every detector by supplying what to watch for. It is the input layer to the SIEM and IDS, not a detection method itself: feeds carry both IOCs and TTPs. Good intelligence is timely and relevant to the organization's actual threat landscape, not just a raw firehose of indicators.
Trap Treating threat intelligence as a detection control in its own right, when it is the input that sharpens the SIEM and IDS rather than a tool that fires alerts itself.
- Set log retention by the longest applicable requirement, since breaches surface late
Log retention is driven by the longest of the applicable requirements (regulation, contract, and the organization's own investigation needs) because many intrusions are discovered months after the initial breach. A log already rotated away cannot be investigated, so under-retaining destroys evidence you may not know you need yet. Retention is a policy decision that lands in monitoring as the parameter deciding whether the evidence still exists when an incident is found.
Trap Setting retention to the shortest period that satisfies any single regulation, when the controlling figure is the longest of all applicable legal, contractual, and investigative needs.
- Protect log integrity with write-once storage so the record itself is trustworthy
Logs are only useful as evidence if they have not been tampered with, so a central log store is commonly write-once or append-only to prevent alteration even by an administrator or an intruder with admin rights. Integrity protection is what lets a SIEM alert and a forensic timeline be trusted, since an attacker's first move is often to edit or clear logs. This complements centralization: moving logs off-box keeps them, and write-once storage keeps them honest.
Trap Assuming restrictive file permissions or admin-only access protect log integrity, when a privileged admin or an intruder with those rights can still alter them and only write-once/append-only storage prevents it.
- Match DLP inspection to the data: exact data match for known DB values, corroborating context to cut false positives
Exact data match (EDM) compares content against actual values in a sensitive-source table, so it reliably catches specific records (a known SSN, medical-record number, or patient name) that pattern matching would miss. To suppress false positives on generic patterns like an SSN regex, require supporting evidence in proximity (keywords, corroborating identifiers, or a higher confidence threshold) so a match only fires with real context.
Trap Plain regex/pattern matching (or 'keyword only') flags every nine-digit number; it neither pins to known records like EDM nor carries the context that kills false positives.
4 questions test this
- A security administrator is implementing a DLP solution to protect patient health records. The organization maintains a database containing…
- A security analyst is configuring a DLP solution to protect sensitive patient records at a healthcare organization. The organization needs…
- An organization is experiencing a high false positive rate with their DLP policies that detect Social Security Numbers. Many legitimate…
- An organization is configuring DLP content inspection policies to detect protected health information. The security team wants to minimize…
- Cut alert fatigue by continuously tuning detections to the environment's baseline, not by disabling them
A flood of benign alerts buries real intrusions, so the durable fix is continuous tuning of detection rules and thresholds against the organization's normal baseline. Specific levers: granular per-protocol allowlists/whitelists for known-benign activity, entity exclusions for a specific service account that generates legitimate noise (while still detecting the same behavior from other accounts), and risk-based prioritization so the highest-criticality alerts surface first. The goal is a better signal-to-noise ratio with detection capability intact.
Trap Turning off a noisy rule entirely. That restores quiet by creating a blind spot; tune or scope the exclusion instead.
4 questions test this
- A security analyst notices that the organization's IPS is blocking legitimate business transactions, causing customer complaints. The…
- A security analyst notices that a SIEM analytics rule is generating numerous false positive alerts for a specific service account that…
- A security operations team is experiencing alert fatigue from their SIEM deployment. Many alerts for patch compliance violations are being…
- A SOC manager at an insurance company finds that analysts are overwhelmed by a high volume of detection alerts, the vast majority of which…
Configuration Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Operations Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Least privilege grants the minimum access a task needs, then revokes it
Least privilege restricts every subject (user, process, or service) to the minimum access required to accomplish an assigned task, and removes that access when the task ends (NIST SP 800-53 AC-6). It is a preventive administrative control: by keeping grants small and temporary, it limits the blast radius of a compromised account or a malicious insider. Think of it as the default posture for every access decision, not a one-time configuration.
Trap Picking 'need-to-know' when the stem only describes holding access down to what a task requires; that broad minimum-access posture is least privilege, while need-to-know is its narrower information-level application.
- Need-to-know is least privilege applied to specific information, not to roles
Need-to-know narrows least privilege to information: a clearance or role sets the ceiling of what a subject could access, and need-to-know decides which specific records within that ceiling they actually require for the job at hand. So a person with the correct clearance can still be denied a particular file because they have no job-related need for it. The exam phrasing 'has the clearance but not the need' is asking for need-to-know, not least privilege in general.
Trap Answering 'least privilege' when a stem says someone with the right clearance is denied a specific file. The precise control being tested is need-to-know, the information-level gate under the clearance ceiling.
2 questions test this
- Separation of duties means no one person can complete and conceal a sensitive task
Separation of duties (SoD) splits a critical process across different people so that abusing it requires collusion. Its defining objective (NIST SP 800-53 AC-5) is reducing malevolent activity without collusion. The textbook case is that whoever requests or prepares a payment must not also approve it. SoD is preventive and administrative; it structurally removes any single person's ability to subvert the process alone, rather than detecting abuse afterward.
Trap Calling separation of duties a detective control. It is preventive: it stops a solo actor up front rather than discovering misuse after the fact.
- The access-control administrators must not also administer the audit logs
A specific SoD requirement is that the staff who administer access-control functions must not also administer the audit functions that would catch their misuse (NIST SP 800-53 AC-5). If the same person controls both, they can grant themselves access and then erase the evidence. CISSP stems that put log administration and access administration in one role are testing this exact conflict-of-duties split.
Trap Accepting one person holding both access administration and audit administration as long as their actions are logged; those very logs are what such a person can alter, so the duties themselves must be separated.
- SoD can be static (roles never co-held) or dynamic (enforced at execution)
Static separation of duties bars conflicting roles from ever being assigned to the same person, while dynamic separation of duties allows the assignments but blocks the conflicting actions at execution time. For example a two-person rule that prevents one user from performing both halves of a transaction in the same session (NIST SP 800-192). Static is simpler to audit; dynamic is more flexible where one person may hold both roles but must never exercise them together.
Trap Labeling the variant that lets one person hold both conflicting roles but blocks using them together as 'static'; that runtime enforcement is dynamic SoD, whereas static forbids the conflicting assignments outright.
- Dual control requires two authorized people to approve one sensitive action
Dual control (also called two-person control or two-person integrity, and named dual authorization in NIST SP 800-53 AC-3(2)) requires the approval of two authorized individuals before a sensitive action executes, which reduces insider-threat risk. It governs an action: two people must agree for the event to happen. It is the most common concrete mechanism used to enforce a separation-of-duties requirement on an approval step.
Trap Reaching for 'split knowledge' when the stem requires two people to authorize an action; split knowledge fragments a secret, whereas dual control gates an action behind two approvals.
- M-of-N control needs any M of N holders so the process survives an absent holder
M-of-N control generalizes dual control: instead of requiring all holders, it requires any M of N trusted parties to agree, for example 3 of 5. This trades a little exclusivity for resilience, because the action still proceeds if one or two holders are unavailable. Reach for M-of-N over plain two-person control when you need the protected action to keep working despite a missing custodian.
Trap Picking plain two-person dual control when the requirement is that the action still proceed despite an unavailable custodian; strict dual control stalls if either holder is absent, which is exactly what M-of-N is built to survive.
- Split knowledge divides a secret so no one person holds the whole thing
Split knowledge divides a single secret (an encryption key, a master password, a safe combination) into parts so that no individual holds the complete value and reconstructing it requires the parties to combine their fragments. It protects a secret, which is what distinguishes it from dual control's protection of an action. The two are often combined: split a key into N parts and require M of them to reconstruct it.
Trap Confusing split knowledge with dual control. Split knowledge fragments a secret so no one holds it whole, while dual control requires two people to approve an action; the stem's noun (a key/combination vs. an approval) tells you which.
- Job rotation is a detective personnel control that surfaces a predecessor's hidden abuse
Job rotation moves staff between roles so a successor eventually performs the predecessor's duties and would notice an irregularity, and it reduces any one person's long-term lock on a sensitive position. NIST SP 800-53 AC-3(2) explicitly suggests rotating dual-authorization duties to reduce collusion, which is the authoritative basis for rotation as an anti-collusion control. It is administrative and detective: it assumes access was legitimate and creates conditions that expose ongoing misuse.
Trap Classifying job rotation as a preventive control; it does not block the abuse up front, since a successor inheriting the role is what later surfaces it, making it detective.
- Mandatory vacation forces coverage that uncovers a scheme needing daily presence
Mandatory vacation requires an employee to be out of their function for a continuous period (commonly one to two weeks) so a substitute must perform the work. A fraud that depends on the perpetrator's daily presence to stay concealed tends to unravel while they are away and someone else handles the duties. Like job rotation it is an administrative detective control, aimed at exposing abuse of access rather than restricting the access itself.
Trap Treating mandatory vacation as merely an employee-wellbeing or HR perk. On the exam it is a fraud-detection control whose security value is forcing a substitute to cover the role.
- Privileged accounts get extra controls because they can override the others
Privileged accounts (administrator, root, domain admin, service, and emergency break-glass accounts) can bypass or disable normal security controls, so they require management beyond ordinary users. The two operational goals are constraining when that privilege is active and watching every use of it. This is why privileged access management and privileged-session monitoring exist as a distinct discipline rather than being folded into routine account administration.
- PAM removes standing admin rights with just-in-time, time-bound, approved activation
Privileged access management (PAM) replaces always-on standing admin rights with access that is requested, time-bound (a defined start and end), approved, and often MFA-gated, so privilege exists only while a task is being performed. The control objective is to eliminate standing privilege: the window an attacker or insider can exploit. A reference implementation grants role activation just-in-time with approval, notifications, and downloadable audit history.
Trap Believing strong passwords and MFA on an always-on admin account remove standing privilege; they harden authentication but the rights stay permanently active, and only just-in-time, time-bound activation eliminates the standing window.
4 questions test this
- A security operations manager at a hosting company finds that a dozen systems administrators all share a single built-in root credential to…
- A security architect is designing access controls for a system that must enforce the principle that users should only access the minimum…
- A security administrator is implementing a privileged access management solution for a financial services organization. The administrator…
- An organization has identified that several database administrators retain elevated privileges continuously, even when performing routine…
- Naming an admin account fixes attribution, not standing privilege
Assigning a named human owner to an administrator or service account improves accountability because you know who acted, but on its own it does nothing about the account being permanently privileged. A named-but-always-on admin still carries standing privilege and remains a prime attacker target. Removing standing privilege requires PAM's just-in-time activation, not just a better name on the account.
Trap Choosing 'give each admin account a named owner' as the fix for standing privilege. Naming solves attribution only; the account is still always-on until just-in-time PAM activation is applied.
- Monitoring privileged use is the inseparable second half of managing it
Constraining privilege is only half the job; every privileged session and every break-glass activation must generate logs and alerts that are actually reviewed, because the whole reason to misuse such an account is to act unseen. Break-glass emergency accounts in particular should alert on every sign-in and get a post-use review to confirm the access was authorized. An unmonitored privileged or break-glass account is standing admin under another name.
Trap Assuming just-in-time PAM activation alone secures privileged accounts; constraining when privilege is active still leaves its use invisible unless every session and break-glass event is logged, alerted, and reviewed.
- An SLA is a measurable, enforceable commitment about how a service will perform
A service level agreement (SLA) documents measurable service commitments (uptime, response and resolution times, breach-notification windows, patch timelines) with remedies when targets are missed. Because you cannot directly configure a third party's systems, the SLA is how security and recovery obligations are enforced on services you do not control. For continuity, external dependencies must carry SLAs aligned to the dependent process's recovery time objective (RTO), so the vendor's promised response fits inside your recovery window.
Trap Accepting a vendor SLA whose response time merely exists, without checking it fits inside the dependent process's RTO; a promised response longer than your recovery window leaves the SLA unable to meet continuity needs.
- SLA faces the customer, OLA faces internal teams, UC faces the supplier
Keep three agreements straight by who each one faces: an SLA is the externally-visible promise to the customer about service performance, an operational level agreement (OLA) commits internal supporting teams to the targets that let the SLA be met, and an underpinning contract (UC) holds an external supplier to commitments backing the SLA. The distinguishing axis the exam tests is internal versus external: an OLA is internal team-to-team, a UC is your organization to a third party.
Trap Swapping OLA and UC. An OLA is an internal commitment between teams in your own organization, while an underpinning contract (UC) is the external agreement with a third-party supplier.
Resource Protection
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Incident Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Recite the (ISC)² incident lifecycle in order: Detect, Respond, Mitigate, Report, Recover, Remediate, Lessons Learned
The (ISC)² seven-step incident management lifecycle runs in a fixed order (Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned) and that order is the single most testable fact in this subtopic. Detection classifies an event as an incident; Mitigation is containment; Remediation is eradicating the root cause; Lessons Learned closes the loop back into preparation. Anchor the sequence cold, because the most common question simply scrambles it and asks you to restore order.
Trap Placing Recovery or Remediation before Mitigation. You contain (Mitigate) before you eradicate or restore.
3 questions test this
- An e-commerce company's incident response team has fully eradicated a credential-stealing malware infection from a cluster of web servers.…
- A retailer's incident team has already been activated and is investigating after confirming an attacker planted a web shell on an…
- A managed detection analyst at a media company receives a SIEM alert correlating several failed-then-successful logins to a finance…
- Map the (ISC)² seven steps onto NIST's four phases: they are the same lifecycle at two resolutions
NIST SP 800-61's four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity) are the same work the (ISC)² seven steps describe, just grouped coarser. Detection and Response sit inside NIST Detection and Analysis; Mitigation, Recovery, and Remediation all collapse into the single NIST Containment-Eradication-Recovery phase; Lessons Learned is Post-Incident Activity. Preparation wraps the whole cycle and is the implicit foundation rather than a numbered (ISC)² step.
Trap Treating NIST containment, eradication, and recovery as three separate phases. NIST bundles all three into one phase.
- An event is any observable occurrence; an incident is the subset that breaches CIA or policy
NIST defines an event as any observable occurrence in a system or network (a login, a web request, a firewall block) and most events are harmless. An incident is the narrower set: a violation or imminent threat of violation of security policy, or an occurrence that actually or potentially jeopardizes confidentiality, integrity, or availability. Detection is the act that draws this line, which is why it is step one: you cannot respond to something not yet classified as an incident.
Trap Treating every alert, or every adverse event, as automatically an incident. An adverse event is only an incident once it crosses the CIA / policy-violation line.
- On an active compromise, contain first: never eradicate or rebuild while the attacker is still live
When a host is actively compromised, the correct first action is containment: isolate or disconnect the host and disable the abused function to stop the spread before building a considered fix. NIST states containment matters before an incident overwhelms resources or increases damage, and that it buys time to develop a tailored remediation strategy. Eradication and recovery come after the threat can no longer expand.
Trap Jumping straight to rebuilding the server or patching the vulnerability while the attacker still has live access and can spread to other systems.
- Base the containment strategy on predetermined, per-incident-type criteria, not improvisation
NIST says containment decisions are far easier when strategies are predetermined per incident type, because an email-malware containment differs sharply from a DDoS containment. The documented criteria for choosing a strategy are potential damage and theft of resources, need for evidence preservation, service availability, time and resources to implement, effectiveness, and duration of the solution. Defining these in advance turns a crisis decision into a checklist lookup.
Trap Selecting a containment strategy using the prioritization factors (functional impact, information impact, recoverability) instead of the containment criteria such as evidence-preservation need and solution duration.
- Delayed containment (letting a known compromise run to watch the attacker) is dangerous and needs legal sign-off
Some teams redirect an attacker into a sandbox to gather evidence, but NIST warns that any delayed containment is dangerous because the attacker could escalate access or compromise other systems, and that knowingly allowing a compromise to continue can make the organization liable if the attacker pivots to attack third parties. Such monitoring must be cleared with the legal department first; other ways of watching an attacker without containing should not be used.
Trap Leaving a compromised host online to observe the attacker without legal approval. It can create downstream liability if the attacker uses it to hit others.
- Prioritize incidents by impact and recoverability, never first-come, first-served
NIST calls prioritization the most critical decision point in incident handling and explicitly rejects first-come, first-served when resources are limited. Rank by three factors: functional impact (effect on business operations), information impact (effect on the confidentiality, integrity, and availability of data), and recoverability (the time and effort recovery will take). A high-impact incident jumps ahead of a low-impact one reported earlier.
Trap Handling the incident reported first, or the technically most interesting one, instead of the one with the highest business impact.
- A precursor warns an incident may come; an indicator signals one may be occurring or has occurred
NIST splits the signs Detection feeds on into two: a precursor is a sign an incident may occur in the future (e.g., a vulnerability scan probing your range), while an indicator is a sign an incident may be happening now or already has (e.g., antivirus alerting on malware). Most detection work is reacting to indicators, since precursors are rare. Both are noisy and not guaranteed accurate, which is why analysis and triage live in the Detection step.
Trap Labeling a live antivirus malware alert a precursor, or a vulnerability scan against your range an indicator, when a precursor warns of a future incident and an indicator signals one now.
- Reporting runs throughout the lifecycle to a stakeholder list set in advance
Once an incident is analyzed and prioritized, the team notifies the predefined individuals so each plays their role; the IR policy fixes what is reported, to whom, and when. Typical recipients run from the CIO and head of information security internally out to senior management, legal, the privacy/DPO office, public relations, and any external regulators or partners that breach-notification law or contract requires. Although shown as one (ISC)² step, reporting is continuous from detection onward, not a single moment.
Trap Treating reporting as a single notification fired once at the end, when it runs continuously from detection onward to a predefined stakeholder list.
- Recovery restores systems to normal and verifies they work, then hardens against the repeat attack
In recovery, administrators restore affected systems to normal operation, confirm they are functioning normally, and remediate any exploited weaknesses by restoring from known-clean backups, rebuilding from scratch, replacing compromised files, patching, rotating credentials, and tightening the perimeter. NIST notes recovery often raises logging and monitoring on the restored systems, because once a resource is successfully attacked it is frequently attacked again.
Trap Calling the act of identifying and closing the exploited vulnerability part of Recovery, when eliminating the root-cause weakness is Remediation/eradication and Recovery restores and verifies normal operation.
2 questions test this
- Remediation (eradication) eliminates incident components and closes the exploited vulnerability
Remediation maps to NIST eradication: deleting malware, disabling breached accounts, and identifying and mitigating every vulnerability the attacker exploited, after first finding all affected hosts. NIST advises a phased approach with prioritized steps; for large-scale incidents recovery can take months, with quick high-value changes first and longer-term infrastructure changes later. For some incidents eradication is unnecessary or folded into recovery.
Trap Assuming eradication is always a mandatory standalone step, when NIST notes it is sometimes unnecessary or folded into recovery.
- Hold the lessons-learned meeting within several days of the incident's end and feed fixes back into preparation
Lessons Learned is the structured post-incident review NIST calls one of the most important and most often omitted steps; the meeting should be held within several days of the incident's end while memory is fresh. It reviews what happened, how well staff and procedures performed, what was needed sooner, and what corrective actions prevent recurrence, then those changes update the plan and controls. Multiple lesser incidents can be covered in a single meeting.
Trap Choosing 'add more monitoring' or 'apply another patch' as the recurrence fix when the question is really testing the review step that decides which control to change.
- Skipping lessons learned is the classic process failure that lets the same incident recur
The most common incident-management failure on the exam is omitting the post-incident review, because without it no control, procedure, or detection rule gets updated and the identical incident returns. NIST flags lessons learned as the step teams most often drop. When a question describes a recurring incident with no process change, the gap being tested is almost always the missing lessons-learned loop.
- Build the CSIRT, plan, and contact tree during Preparation, before any incident
The Computer Security Incident Response Team (CSIRT), also called CIRT or CERT, is the standing capability that runs the lifecycle, and the CISSP point is that it, the response plan, the escalation matrix, and the tooling are all established in NIST's Preparation phase. During a live incident the team executes a plan rather than improvising one. NIST notes containment is far easier with predetermined strategies, and the same holds for escalation and notification.
Trap Assembling the team or writing the notification list during the incident. The middle of a crisis is the worst time to decide who responds and who is told.
- Pick the CSIRT structure to fit the organization: central, distributed, or coordinating
NIST lists three team structures. A central incident response team handles all incidents and suits small or geographically concentrated organizations. Distributed incident response teams assign each team a logical or physical segment and suit large or spread-out organizations, but must roll up to one coordinated entity for consistency. A coordinating team advises other teams without authority over them, a CSIRT for CSIRTs. Staffing is separate: in-house, partially outsourced (often 24/7 monitoring to an MSSP), or fully outsourced.
Trap Assuming a coordinating team holds authority over the teams it advises, or that distributed teams need not roll up to one coordinated entity.
- Escalation follows a predefined path that moves an incident up the severity and authority ladder
Escalation is the documented path that raises an incident to higher severity tiers and decision-makers when it exceeds the current handler's scope or crosses defined thresholds. Like the team itself, the escalation matrix is set in the IR plan in advance so that no one is deciding who has authority mid-crisis. Reporting then walks the predefined notification list rather than figuring out recipients on the fly.
Trap Conflating escalation with reporting, when escalation raises an incident up the severity and authority ladder while reporting walks the predefined notification list.
- NIST SP 800-61 Rev. 3 re-casts incident response onto the CSF 2.0 Functions, but the four-phase model still teaches the exam
The current revision, NIST SP 800-61 Rev. 3 (2025), drops the four named phases and aligns incident response to the Cybersecurity Framework 2.0 Functions (Govern, Identify, Protect, Detect, Respond, Recover) as a CSF Community Profile. For the exam, the four-phase Rev. 2 lifecycle remains the canonical teaching model and tracks the (ISC)² seven steps; the two revisions describe the same activities and do not conflict.
Trap Assuming Rev. 3's move to the CSF 2.0 Functions invalidates the four-phase lifecycle, when both revisions describe the same activities and do not conflict.
Detective & Preventive Controls
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Patch & Vulnerability Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Change Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Recovery Strategies
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Pick the cheapest recovery option that still meets the RTO, not the fastest one available
A recovery strategy is funded against requirements set upstream by the BIA, so the correct choice is the least expensive solution that still satisfies the RTO. NIST SP 800-34 frames this as a cost-balance point: the cost of disruption rises the longer an outage runs, while the cost to recover rises as the RTO shortens, and the optimum sits where the two curves cross. A hot site for a process whose RTO is a week is wasteful over-provisioning, just as tape-only is negligent under-provisioning for a process needing minutes.
Trap Choosing the fastest-recovering site regardless of cost when the stem only asks for a strategy that meets the stated RTO.
3 questions test this
- A regional nonprofit runs its donor management system on aging in-house servers and operates under a severely constrained IT budget. A…
- An organization is evaluating the cost implications of different disaster recovery site strategies. The disaster recovery committee wants…
- A medium-sized company is evaluating disaster recovery options for their non-critical development systems. Budget constraints are…
- RTO drives site choice; RPO drives backup cadence: two dimensions, two controls
Time-to-recover is served by the recovery site (cold/warm/hot/mobile/cloud) and is the RTO dimension; data-loss tolerance is served by the backup or replication regime and is the RPO dimension. A durable design names both targets, then picks a site to meet the RTO and a backup frequency to meet the RPO. Over-investing in one while ignoring the other is a common design gap: a hot site with weekly backups still loses a week of data.
Trap Upgrading the recovery site to shrink the RPO when only the backup or replication cadence moves the RPO; a faster site cuts the RTO but recovers no fresher data.
4 questions test this
- A bank's continuity team is defining the backup approach for a loan-processing database where the business has set a recovery point…
- A security professional is analyzing the results of a parallel simulation test where systems were recovered to an alternate site while…
- A financial services company has completed its Business Impact Analysis and determined that its core trading platform requires a Recovery…
- An organization's business impact analysis indicates that critical financial systems can tolerate a maximum of 4 hours of data loss and…
- Cold, warm, and hot sites are one spectrum: cost and recovery speed rise together
The three classic alternate sites differ only in how much you pre-stage. A cold site has space, power, cooling, and connectivity but no installed hardware or current data, so it is cheapest to keep but takes weeks to activate. A hot site is fully equipped and continuously data-synchronized, so it activates in minutes to hours but costs the most. A warm site stages hardware and connectivity while data restores from backups, activating in hours to days at moderate cost. Faster recovery always costs more, moving cold to warm to hot.
Trap Conflating standing cost with activation speed: cold is cheapest to hold but slowest to activate, while hot is the opposite; they move in opposite directions.
8 questions test this
- A regional nonprofit runs its donor management system on aging in-house servers and operates under a severely constrained IT budget. A…
- The CISO of a high-frequency trading firm is selecting a disaster recovery strategy for its order-matching platform, where the board has…
- A mid-sized insurer is choosing a recovery site for its claims-processing application. The business impact analysis sets a recovery time…
- An organization is selecting an alternate processing site and has determined through their BIA that mission-critical applications require…
- A financial services company has completed its Business Impact Analysis and determined that its core trading platform requires a Recovery…
- An organization is evaluating the cost implications of different disaster recovery site strategies. The disaster recovery committee wants…
- A medium-sized company is evaluating disaster recovery options for their non-critical development systems. Budget constraints are…
- An organization's business impact analysis indicates that critical financial systems can tolerate a maximum of 4 hours of data loss and…
- Use a mobile site when the building or location itself is the problem
A mobile site is a self-contained, transportable shell (often a trailer) fitted with the telecommunications and IT equipment a system needs, delivered to a chosen location. It is the right answer when the primary facility is destroyed or inaccessible, the operation must relocate, or the site is remote: situations a fixed cold/warm/hot site does not address. NIST notes a mobile site can often be delivered within about 24 hours, though installation and setup add to that response time.
Trap Reaching for a fixed hot site when the stem's problem is that the location itself is lost or inaccessible; a transportable mobile site is what addresses relocation, not a faster fixed facility.
- A mirrored or multi-active-site setup gives near-100% availability at the highest cost
A mirrored site is a fully redundant facility with automated real-time data mirroring, identical to the primary in all technical respects, and is the most expensive option but ensures virtually 100% availability. Running across multiple active processing sites the organization already operates achieves the same near-instant failover and earns its keep daily rather than sitting idle. Reach for this only when the RTO is near zero and the process criticality justifies the standing cost.
Trap Selecting a mirrored site for a process whose RTO is hours or days; its near-100% availability is real but the standing cost is unjustified over-provisioning unless the RTO is near zero.
- Cloud and DRaaS are the same site spectrum delivered as pay-per-use capacity
Cloud recovery, including Disaster-Recovery-as-a-Service (DRaaS), is not a separate philosophy but the cold-warm-hot spectrum sold on demand: replicate continuously for a hot-site-like near-zero RTO, or hold images and spin up on failover for a longer RTO, paying mostly for storage until the disaster. Cloud also delivers geographic separation by default through provider regions and zones. The catch is the same as any backup: restore time bounded by network egress must be tested against the RTO.
Trap Assuming cloud or DRaaS guarantees a near-zero RTO by default when a storage-only, spin-up-on-failover tier recovers no faster than the egress and rebuild time it actually takes.
- A reciprocal agreement is cheap but unreliable, so it is rarely the BEST answer
A reciprocal agreement (mutual-aid pact) has two organizations agree to host each other's processing in an emergency; it costs little and needs no dedicated facility. But it is fragile at disaster scale: the partner may lack spare capacity, hardware and software may be incompatible, a regional event can hit both parties at once, and hosting a peer's data raises confidentiality concerns. It is widely treated as a last resort, not a primary strategy.
Trap Selecting a reciprocal agreement as the primary recovery strategy when a dedicated alternate site is among the options: its capacity and availability cannot be relied on in a real disaster.
- Store at least one backup copy offsite, because an onsite-only backup dies with the data it protects
It is standard practice, and NIST guidance, to store backed-up data offsite, because an onsite-only copy is destroyed by the same fire, flood, or site-wide ransomware that destroys production. When selecting an offsite facility the first criterion is geographic distance and the probability of the storage site being hit by the same disaster as the primary. Onsite copies still earn their place for fast everyday restores (a deleted file), but they cannot be the only copy.
Trap Adding more onsite backup copies or a bigger disk array as the fix for a site-wide disaster: neither survives an event that destroys the whole facility.
- Follow the 3-2-1 rule: three copies, two media types, one offsite
The widely taught backup rule is 3-2-1: keep at least three copies of the data, on two different media types, with at least one copy stored offsite. The offsite copy is the load-bearing element that survives a local disaster; the two-media requirement guards against a single media-type failure mode. Cloud storage is the modern way to satisfy the offsite leg while adding geographic separation by default.
Trap Counting three copies on a single disk array or media type as satisfying 3-2-1; the rule also requires two different media and one offsite copy, which a single array meets neither of.
- A backup is only a recovery capability if its restore is tested against the RTO
NIST is explicit that backup tapes should be tested regularly to confirm data is stored correctly and files can be retrieved without errors or loss. A copy that cannot be restored within the RTO, because the media is unreadable, the job was incomplete, or egress is too slow, is not a recovery capability, only a false sense of one. Restore testing belongs to every backup tier, including cloud.
Trap Treating a successful backup job or a green backup log as proof of recoverability when only a tested restore confirms the data is readable and recoverable within the RTO.
- Incremental minimizes backup time but has the slowest restore; differential is the reverse
An incremental backup copies only data changed since the last backup of any kind, so it is the fastest to take but a restore needs the last full plus every incremental replayed in order. A differential copies all data changed since the last full backup, so each one grows over time but a restore needs only the last full plus a single differential. The trade is direct: shortest backup window (incremental) costs the longest restore, and vice versa.
Trap Choosing incremental backups to get a fast recovery: incremental has the slowest restore because you must apply the full plus every increment in sequence.
- Full and incremental backups clear the archive bit; differential does not
The archive bit is the mechanism behind 'since last backup' versus 'since last full.' Full and incremental backups clear the archive bit when they run, so the next incremental only captures what changed afterward. A differential leaves the archive bit set, which is why every differential keeps capturing everything changed since the last full until a new full resets the baseline. A full backup copies everything and gives the fastest, single-set restore.
Trap Assuming a differential backup clears the archive bit like an incremental does; a differential leaves it set, which is exactly why each differential keeps re-capturing everything since the last full.
- RAID protects against disk failure, but it is not a backup
RAID (Redundant Array of Independent Disks) keeps data available across a physical disk failure, but it faithfully replicates deletion, corruption, and ransomware to every mirror in real time, so it cannot stand in for backups. It defends only the disk-hardware layer; logical data loss still requires a restorable, ideally offsite, backup. Treat RAID as availability for disks and backup as the recovery-from-data-loss control: they are not interchangeable.
Trap Treating a RAID array as a substitute for offsite backups: RAID copies a malicious deletion or ransomware encryption to every disk instantly.
- Know the common RAID levels, and that RAID 0 has no redundancy
RAID 0 stripes data for performance and provides no redundancy, so losing one disk destroys the array: a deliberate exam trap because the name implies protection. RAID 1 mirrors; RAID 5 stripes with single parity and survives one disk failure; RAID 6 uses double parity and survives two; RAID 10 mirrors then stripes for both speed and redundancy. Match the level to whether the requirement is performance, fault tolerance, or both.
Trap Assuming RAID 0 adds fault tolerance because it is a RAID level: RAID 0 is pure striping with zero redundancy and a single disk loss wipes the array.
- Fault tolerance means zero interruption; high availability means minimal downtime
Fault tolerance lets a component fail with zero interruption because a redundant element carries the load transparently (mirrored disks, dual power supplies). High availability (HA) instead restores the service fast, typically through clustering and automatic failover, so downtime is minimal but not strictly zero, which NIST scopes as achieving roughly 99.999% uptime or better. The two are not synonyms: a requirement for no interruption at all calls for fault tolerance, while a requirement for fast recovery from failure calls for HA.
Trap Using fault tolerance and high availability interchangeably: the exam rewards distinguishing zero-interruption (fault tolerance) from minimized-but-nonzero downtime (HA).
- Use QoS to keep critical traffic alive when the network is congested
Quality of Service (QoS) is the availability control for the network: it reserves bandwidth for and prioritizes critical traffic so that, under contention, a flood of low-priority traffic cannot starve the systems that must stay up. It protects availability at the transport layer the way RAID and clustering protect it at the storage and compute layers. QoS does not add capacity: it allocates scarce capacity to what matters most.
Trap Reaching for QoS to solve a network that is genuinely under-provisioned; QoS only prioritizes existing bandwidth under contention and adds no capacity, so a saturated link still needs more bandwidth.
- Redundancy at one layer does not eliminate a single point of failure at another
True resilience removes the single point of failure (SPOF) at every layer the service depends on, not just the one that is easy to harden. A fault-tolerant RAID array on a server with one power feed and one network uplink is still a SPOF, because the power or the uplink can take the whole system down regardless of the disks. Audit each dependency (disk, power, network, site) and add redundancy wherever a single failure halts the service.
Trap Declaring a system resilient because one layer is redundant; a fault-tolerant disk array still fails entirely on a single power feed or network uplink that was never made redundant.
- Write-ahead logging plus transaction logs deliver point-in-time recovery and roll back incomplete transactions
Write-ahead logging (WAL) records each change in the log on durable storage before the data file is modified, which is what guarantees committed transactions survive a crash (the durability in ACID). On restart, recovery analyzes the log from the last checkpoint to find transactions in flight, replays committed log records forward to reach a chosen timestamp (point-in-time recovery), and undoes the operations of incomplete transactions to restore a consistent state. A damaged or un-backed-up tail of the log means everything since the last log backup is unrecoverable.
Trap Assuming a full database backup alone enables point-in-time restore: without the transaction-log chain you can only recover to the backup instant, losing every change since.
6 questions test this
- A database administrator discovers that a critical financial database experienced an unexpected shutdown during a large transaction. When…
- During a ransomware incident response, the security team determines they must restore a critical production database to a state from 4…
- An organization needs to implement a database recovery strategy that allows restoration to any point within the last 7 days. The security…
- An organization experiences a server failure during a large batch data import operation. After restoring hardware, the database…
- A database experiences corruption at 3:15 PM. The DBA discovers the active transaction log is damaged but the transaction log backup taken…
- A database transaction that was modifying sensitive customer records failed halfway through execution due to a constraint violation. The…
Disaster Recovery
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
DR Testing
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Business Continuity Planning
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Physical Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Personnel Safety
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Software Development Security
Security in the SDLC
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Build security into every SDLC phase, never bolt it on at the end
Security is a property engineered into each phase of the Software Development Life Cycle, not a single test before release. Requirements owns security requirements and abuse cases, design owns threat modeling, coding owns secure standards and static analysis, testing owns security and penetration testing, and operation owns patching and monitoring. A program that only reviews security just before go-live has already lost, because gaps in earlier phases have hardened into vulnerabilities by then.
- A flaw costs more to fix the later it is found, so shift security left
The cost to correct a defect rises sharply across the life cycle: a missing security requirement is cheapest to fix while it is still a sentence in a document and most expensive once it is live code, because a late fix forces reworking design, code, tests, and a re-release. This cost-of-correction curve is the economic case for shifting security left: moving requirements, threat modeling, and testing earlier so defects surface when they are cheap to fix.
Trap Answering that security is cheapest to address during testing or after deployment: that is the expensive end of the curve.
3 questions test this
- A security architect at a SaaS company is embedding security testing into a newly adopted DevSecOps pipeline. Leadership wants defects…
- A development lead at an insurer is integrating security gates into a CI/CD pipeline for an application written in-house. A post-incident…
- A development organization implements threat modeling in their design phase and wants to establish a KPI to measure its effectiveness.…
- Prefer building security in over penetrate-and-patch
Building security in means designing controls into the software proactively from requirements onward; penetrate-and-patch means shipping, waiting to be attacked or scanned, then fixing. Building in is cheaper and safer because it avoids the high end of the cost-of-correction curve and the window of exposure that penetrate-and-patch leaves open. Penetrate-and-patch is reactive and should never be the primary strategy.
Trap Accepting penetrate-and-patch as a legitimate primary strategy because patches still get released, when it is reactive and leaves a window of exposure.
- The methodology sets the cadence; security must adapt to it
Development methodologies differ mainly in how they sequence and repeat the SDLC phases: Waterfall runs them once in strict order, Agile repeats them in short sprints, DevOps runs them continuously in a CI/CD pipeline. There is no single 'most secure' methodology; the secure choice depends on requirement stability and release cadence. Security practices are fitted into whichever model is used rather than the model being chosen for security.
Trap Claiming one methodology (e.g. Waterfall) is inherently the most secure: fit depends on the requirements and cadence.
- Waterfall runs phases once in sequence; its risk is costly late fixes
Waterfall executes the SDLC phases one time in strict order, each phase completing before the next starts, which suits stable, well-understood, fixed-scope requirements such as regulated work. Its security weakness is that a flaw found in a late phase is very expensive to retrofit, because earlier phases are already closed. Security in Waterfall is a defined activity inside each sequential phase.
Trap Assuming Waterfall lets you freely loop back to revise an earlier phase mid-project, when that iterative reworking is the Agile model, not strict Waterfall.
- Agile delivers in sprints, so security must be in each sprint's definition of done
Agile reworks the phases in short iterative sprints, reshaping requirements as feedback arrives, which fits evolving requirements that need frequent delivery. Security can slip between iterations unless it is part of every sprint's definition of done: security user stories, per-sprint review, and testing. The risk is deferring security to a 'later' sprint that never has room for it.
Trap Reading Agile's speed and light documentation as license to skip security activities until a dedicated 'security sprint' later.
- DevSecOps embeds automated security gates into the DevOps pipeline
DevOps fuses development and operations into a continuous integration and delivery (CI/CD) pipeline that releases frequently; DevSecOps is the variant that builds security in as automated, continuous gates inside that pipeline: dependency scanning, static and dynamic analysis, policy checks. The goal is for security to keep pace with a fast release cadence rather than become a manual bottleneck before each release.
Trap Treating DevSecOps as a separate manual security review bolted onto DevOps: its point is automated, in-pipeline, continuous security.
- The SSDF (NIST SP 800-218) is methodology-agnostic and added to your existing model
NIST's Secure Software Development Framework, SP 800-218, is deliberately methodology-agnostic: it states that few SDLC models address software security in detail, so its practices are meant to be added to and integrated with whatever model a team already uses. Its four practice groups are Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV). It is guidance to integrate, not a methodology that replaces Waterfall, Agile, or DevOps.
Trap Picking the SSDF as a replacement SDLC methodology a team adopts instead of Waterfall or Agile, when it is guidance layered onto whatever model is already in use.
- The original SW-CMM has five levels: Initial, Repeatable, Defined, Managed, Optimizing
The Software Engineering Institute's original Capability Maturity Model rates process discipline on five ascending levels: 1 Initial (ad-hoc, hero-driven), 2 Repeatable (basic project management), 3 Defined (standardized organization-wide), 4 Managed (measured quantitatively), and 5 Optimizing (continuous improvement). The ladder climbs from chaos to metrics-driven improvement, and an organization benchmarks itself against it to plan improvement.
Trap Mixing in the CMMI names: the original CMM level 2 is 'Repeatable', not 'Managed'.
- CMMI keeps five levels but renames level 2 to Managed and level 4 to Quantitatively Managed
CMMI, the successor to SW-CMM now maintained by ISACA (formerly the SEI), keeps the five-level ladder but changes two names: level 2 becomes Managed (was Repeatable) and level 4 becomes Quantitatively Managed (was Managed). The shape of the ladder is the same; only the labels at levels 2 and 4 moved. This name collision ('Managed' meaning level 2 in CMMI but level 4 in the old CMM) is a frequent exam trap.
Trap Reading 'Managed' as level 4 when the question is about CMMI, where 'Managed' is level 2 and level 4 is 'Quantitatively Managed'.
- OWASP SAMM is prescriptive: it tells you which practices to adopt
OWASP SAMM (Software Assurance Maturity Model) is a prescriptive software-security maturity model: it defines 15 security practices grouped into 5 business functions (Governance, Design, Implementation, Verification, Operations) each with three maturity levels of activities, and tells an organization what to adopt next. It is technology- and process-agnostic, so it works across any methodology. Use it to set target activities and measure progress toward them.
Trap Labeling SAMM as descriptive like BSIMM, when SAMM prescribes target activities to adopt while BSIMM only reports observed practices.
- BSIMM is descriptive: it reports what real firms actually do
BSIMM (Building Security In Maturity Model) is descriptive rather than prescriptive: instead of an ideal to aim at, it observes and reports the activities a large pool of real organizations actually perform, across four domains (Governance, Intelligence, SSDL Touchpoints, and Deployment) so you benchmark your program against peers. SAMM tells you what you should do; BSIMM tells you what others are doing.
Trap Calling BSIMM prescriptive: it documents observed practices for benchmarking, not a target set of best practices.
- Choose a target maturity level by risk and resources, not 'always aim for level 5'
A maturity model lets an organization benchmark and plan improvement, but the right target level is a risk and resource decision, not an automatic climb to the top. Most organizations should not reflexively aim for the highest level; the cost of reaching and sustaining it must be justified by the risk it reduces. The model guides prioritization, not a mandate to maximize.
Trap Choosing the highest maturity level as the universally correct goal, when the right target is the one justified by the organization's risk and resources.
- Operation and maintenance is the longest SDLC phase and an active security stage
Once software is released, operation and maintenance is the longest phase of its life, where patching, secure configuration, monitoring, and re-assessment after every significant change keep it secure against new threats. Security work does not stop at deployment; the running system needs continuous attention, including re-running risk assessments when the system or its environment changes materially.
Trap Assuming security work effectively ends once the system is deployed, treating operation and maintenance as passive upkeep rather than an active security stage.
- Route every change to released software through change management
During operation, every modification (a patch, a feature, or a configuration tweak) flows through change management: review, test, approve, document, and keep a rollback path, so no change is made without oversight. This prevents a well-meant fix from silently introducing a new vulnerability or breaking an existing control. Skipping change control to ship a fix faster is the wrong move because it deploys unreviewed risk.
Trap Pushing a patch straight to production to fix something fast, bypassing review and testing: that ships unvetted risk.
- The Integrated Product Team (IPT) makes security a shared, cross-functional responsibility
An Integrated Product Team is a multidisciplinary group (developers, security, operations, QA, and the business owner) that works a product across its whole life cycle together, so security is a shared responsibility rather than a hand-off to a separate team at the end. The IPT model embeds security expertise alongside development instead of gating it as a late, separate review. It is the staffing pattern behind 'build security in.'
Trap Picturing a standalone security team that receives a finished product to review: the IPT integrates security throughout, not at a hand-off.
- Capture security requirements and abuse cases in the requirements phase
The requirements phase owns security and privacy requirements plus abuse or misuse cases (explicit statements of how the system must resist attack and how an attacker might try to misuse it) alongside an initial risk and data-classification view. Getting these right early is the cheapest point on the cost-of-correction curve, and they drive the threat modeling and control choices made in design. Functional requirements alone, with security added later, is the failure pattern.
Trap Conflating abuse and misuse cases with ordinary functional use cases, when they specify how an attacker tries to break the system, not the intended user behavior.
- Threat modeling belongs to the design phase
Threat modeling (systematically enumerating how a design could be attacked and which controls counter each threat) is a design-phase activity, performed after requirements are set but before code is written, so the architecture can be shaped to resist the identified threats. Done here it is cheap; deferred until after implementation it forces redesign. It feeds the secure-design review and control selection that close out the design phase.
Trap Placing threat modeling in the testing phase alongside penetration testing, when it belongs in design, before code is written, so the architecture can be shaped.
- Disposal is a deliberate security stage, not an afterthought
Retirement and disposal is the final SDLC phase and a deliberate security activity, because a system at end of life still holds data, credentials, keys, and trust relationships. Secure decommissioning sanitizes or destroys media, revokes the system's identities and access, and updates the asset inventory and architecture records. Walking away from a retired system without sanitizing it leaves recoverable data and live trust paths.
Trap Treating disposal as a non-security cleanup step of deleting files and unplugging hardware, skipping media sanitization and revocation of the system's identities and trust paths.
Dev Environment Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Software Security Effectiveness
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Acquired Software Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Secure Coding
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Most source-level vulnerabilities are one event: untrusted input reaching a trusting sink
Injection, cross-site scripting, command injection, and buffer overflows are different symptoms of the same root cause: attacker-controlled data is consumed by code that treats it as trusted. The durable fix breaks that chain at the point of consumption (parameterize the query, encode for the output context, bound the write), not by trying to enumerate every malicious payload. Recognizing the shared cause is what lets you pick the structural defense instead of a generic one.
Trap Reaching for a signature filter that enumerates and blocks known malicious payloads instead of breaking the input-to-sink chain at the point of consumption.
- Validate input against an allow-list of known-good, never a deny-list of known-bad
Input validation should accept only input matching the exact expected format, length, and character set (an allow-list / whitelist), because you cannot enumerate every malicious input an attacker might craft, so a deny-list of 'known bad' characters always leaves a gap. Allow-list validation is the cross-cutting first line of defense, but it is defense in depth: it does not replace the sink-specific control (parameterized query, output encoding).
Trap Choosing 'strip or block dangerous characters' (a deny-list) over 'accept only known-good input'. The deny-list is incomplete because not all bad input can be enumerated.
7 questions test this
- A security architect is reviewing a web application that uses a denylist approach to filter potentially dangerous input patterns. The team…
- A security architect is reviewing the input validation strategy for a new web application. The development team has implemented a denylist…
- A security engineer is reviewing the input validation implementation for a web application that processes customer data. The development…
- A development team is implementing input validation for a web application's user registration form. The security architect recommends using…
- A development team is implementing input validation for a web application that accepts user-submitted data. The team lead recommends using…
- An organization is developing a web application and wants to implement secure input validation. The security team recommends using…
- A security architect is reviewing an organization's input validation strategy for a web application. The development team proposes using a…
- Defeat SQL injection with parameterized queries, not by escaping characters
OWASP's primary defense against SQL injection is the prepared statement with parameterized queries: it forces the developer to define all SQL code first and bind each parameter later, so the database always distinguishes code from data and an attacker cannot change the query's intent. OWASP's priority order is prepared statements first, then safely-implemented stored procedures, then allow-list validation where a bind variable is impossible (e.g. a table name), and escaping user input is explicitly discouraged as fragile and database-specific.
Trap Selecting 'escape special characters in the input' as the SQL-injection fix. OWASP strongly discourages escaping; parameterized queries are the primary defense.
6 questions test this
- A development team is building a financial application that stores customer data in a SQL database. The lead developer proposes using…
- A security architect is reviewing code that constructs database queries using string concatenation with user input. The application queries…
- A developer is working on a banking application and needs to prevent SQL injection attacks when executing database queries with…
- A security engineer is reviewing code that constructs SQL queries using string concatenation with user input. What is the MOST effective…
- A developer is tasked with preventing SQL injection attacks in a web application. The application currently builds database queries by…
- A development team is building a database-driven application and wants to prevent SQL injection vulnerabilities. Which primary defense…
- Prevent XSS with output encoding matched to the destination context
Cross-site scripting is defeated by encoding untrusted data for exactly the context it lands in: HTML body, HTML attribute, JavaScript, CSS, and URL contexts each have different parsing rules, and using the wrong encoding can itself introduce a weakness. Input validation helps as defense in depth but cannot be the sole XSS control, because the output context is not known at the HTTP request layer where input validation runs; a Content Security Policy is an additional mitigating layer.
Trap Relying on input validation alone to stop XSS. Context awareness is unavailable at the request layer, so output must still be encoded for where it is rendered.
4 questions test this
- An organization is implementing a comprehensive injection prevention strategy for their web application. Security architects recommend…
- A security architect is reviewing an application that displays user-submitted content on web pages. The development team has implemented…
- A developer is implementing defenses against cross-site scripting (XSS) attacks in a web application. The application displays…
- An application developer needs to display user-submitted content in multiple locations within a web page, including within HTML body text,…
- Defeat command injection by avoiding the shell and using a safe command API
OS command injection occurs when untrusted input is passed to a shell or command interpreter. The root-cause fix is to avoid invoking a shell at all and instead call a parameterized command API with an explicit allow-list of permitted arguments, so attacker input can never be parsed as a new command. The same code-versus-data separation that defeats SQL injection applies here.
Trap Escaping or sanitizing shell metacharacters in the input rather than avoiding the shell entirely and calling a parameterized command API.
- Broken access control is the #1 OWASP Top 10:2021 risk: enforce authorization server-side
Broken Access Control moved up to the #1 position in the OWASP Top 10:2021 (from 5th), with 94% of tested applications showing some form of it; access control means users cannot act outside their intended permissions. The coding defenses are structural: deny by default, enforce authorization on the server for every request, and check object ownership before acting, never trust a hidden field, a disabled button, or a client-side check.
Trap Enforcing access control only in the client (hiding a button, disabling a field). The authorization check must run server-side on every request.
- Buffer overflows are fixed by bounds checking; canaries, ASLR, and DEP only raise the bar
A buffer overflow writes past a fixed-size buffer because no bounds check constrains the write, and overwriting a return address can let an attacker execute code. The root-cause defenses are bounds checking and memory-safe languages or functions. Compiler and OS mitigations (stack canaries, Address Space Layout Randomization (ASLR), and Data Execution Prevention (DEP / non-executable stack)) make exploitation harder but do not remove the underlying flaw.
Trap Treating ASLR/DEP/stack canaries as the fix. They are hardening layers that raise the cost of exploitation, not a substitute for bounds checking.
- Integer overflow wraps silently and often enables a later buffer overflow
An integer overflow is arithmetic that exceeds the type's range and wraps around silently, frequently producing an undersized allocation or a bypassed length check that then enables a buffer overflow. The defense is to perform range and overflow checks before the value is used to size or index memory, not after.
Trap Validating the arithmetic result after the operation, when the value has already wrapped, instead of range-checking the operands before the computation.
- Fix a race condition (TOCTOU) by making check-and-act atomic
A race condition, specifically a time-of-check-to-time-of-use (TOCTOU) flaw, occurs when state changes between a security check and the action that relied on it, so the action operates on conditions that no longer hold. The fix is to make the check and the use a single atomic operation, using locking or atomic APIs, rather than two separable steps an attacker can interleave.
Trap Re-checking the condition immediately before use to shrink the window instead of making check-and-act atomic, since a narrower window is still a window an attacker can interleave.
- Know what each weakness taxonomy is FOR: Top 10, CWE, CVE, ASVS, CERT
The OWASP Top 10 is a ranked awareness document of web-application risk categories, not a checklist. CWE (MITRE's Common Weakness Enumeration) is the dictionary of weakness types, e.g. CWE-89 SQL injection, CWE-79 XSS. CVE is a different thing: one specific vulnerability instance in one product (an instance of a CWE). ASVS is OWASP's tiered catalog of requirements you verify an application against, and CERT/SEI standards give language-specific coding rules.
Trap Answering 'CVE' when the question asks for the weakness type. A CVE is one instance in a product, whereas the weakness category is a CWE.
- NIST SP 800-218 (SSDF) organizes secure development into four practice groups
The NIST Secure Software Development Framework (SSDF), SP 800-218, is a set of high-level secure software development practices meant to be integrated into any SDLC rather than replacing it. Its four practice groups are Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), and Respond to Vulnerabilities (RV).
- The top API risk is Broken Object Level Authorization: authorize the object, not just the caller
Broken Object Level Authorization (API1 in the OWASP API Security Top 10) is the dominant API failure: an authenticated user reaches another user's object simply by changing an ID in the request, because the server authenticated the caller but never verified that this caller may access that specific object. The fix is an ownership/authorization check on every object reference, performed server-side.
Trap Assuming an authenticated caller may act on any object whose ID they can supply. Authorization must be checked per object, not just at login.
- Broken Object Property Level Authorization covers excessive data exposure and mass assignment
Broken Object Property Level Authorization (OWASP API Security Top 10) combines the older 'excessive data exposure' and 'mass assignment' problems: the API returns more object fields than the caller should see, or accepts more fields than the caller should set, then relies on the client to filter. The fix is to authorize access at the property level on the server and return or accept only the fields appropriate to the caller, never filtering in the UI.
Trap Returning a full object and hiding extra fields in the client. The sensitive properties still travel to the caller and can be read directly.
- Rate-limit APIs to prevent unrestricted resource consumption and brute force
Rate limiting is a first-class API control because an API request consumes network bandwidth, CPU, memory, and storage; without limits an attacker can drive a denial of service or brute-force credentials and other guessable values. This corresponds to Unrestricted Resource Consumption in the OWASP API Security Top 10, and pairs with schema-based request validation that rejects any body or parameter not matching a declared schema.
- Software-defined security expresses controls as version-controlled code
Software-defined security defines security controls as code and configuration (policy-as-code and infrastructure-as-code for segmentation, identity, and security-group rules) rather than hand-applying settings. The payoff is consistency (the same control everywhere, no drift between a hand-configured box and its twin) and auditability (every change is a reviewable, attributable commit), inheriting code's review, testing, and rollback discipline.
- A WAF is a compensating layer, not the root-cause fix for a code-level flaw
A web application firewall can filter some malicious requests and buy time, but it is a compensating control layered on top of the application, not the root-cause defense. When a scenario describes a code-level vulnerability such as SQL injection or XSS, the correct answer is the secure-coding practice (parameterize the query, encode the output, validate input). The WAF is supplementary.
Trap Selecting 'deploy a WAF' as the fix for a described code-level injection flaw. It mitigates but does not remove the vulnerability; the code-level control does.
- Server-side validation is the only authoritative control; client-side checks are trivially bypassable
All security-relevant input validation must be enforced on the server and treat every client input as untrusted, because an attacker can disable JavaScript, use a browser dev tool, or send crafted HTTP requests through a proxy that never run the client-side checks. Client-side validation is for user-experience feedback only, never for security.
Trap Thorough client-side JavaScript validation is NOT a substitute and does not make server-side validation redundant.
5 questions test this
- A web application implements comprehensive client-side JavaScript validation for all user input fields, checking data types, lengths, and…
- During a code review, a security analyst discovers that an application implements input validation only on the client-side using…
- A security architect is reviewing an application's input validation strategy and notes that validation occurs only on the client-side using…
- A security architect is reviewing secure coding guidelines for a web application development project. The team asks whether client-side…
- A security architect is reviewing the input validation strategy for a web application. The development team performs thorough input…