ISC CC CC - Certified in Cybersecurity Exam Practice Test

A BIA identifies critical systems, dependencies, and acceptable downtime to establish recovery priorities.

Mandatory Access Control (MAC) enforces centrally managed security labels and clearances, making it suitable for classified and government systems.

Multitenancy allows shared infrastructure while maintaining logical isolation between customers.

Zenmap is the graphical front end for Nmap. It performs host discovery, port scanning, service enumeration, and OS fingerprinting.

Theprimary purpose of security trainingis to reduce the likelihood and impact of attacks—especially human-centric threats such as phishing, social engineering, and credential theft. While training may also support compliance and efficiency, its most critical role is risk reduction.

Humans are often the weakest link in security. Awareness training helps users recognize threats, follow secure practices, and respond appropriately to suspicious activity, significantly lowering the organization’s attack surface.

Authentication is the process of verifying that a user is who they claim to be. Identification occurs first (username), authentication verifies the claim (password, token, biometrics), and authorization determines access rights.

The primary objective of DRP is restoring IT systems to a reliable operational state.

SSH key-based authentication is ideal for automated system-to-system communication. It allows secure, passwordless authentication using cryptographic key pairs.

Biometrics and smart cards require human interaction, and hard-coded passwords are insecure and difficult to rotate. SSH keys provide strong authentication, automation support, and secure key management.

This approach is widely recommended for scripts, automation, and DevOps pipelines.

An Advanced Persistent Threat (APT) involves stealthy, long-term access to systems for espionage, data theft, or sabotage.

SSH uses TCP port 22 by default and provides encrypted remote administration. Telnet (23) and FTP (21) are insecure alternatives.

Guidelines arenon-mandatoryrecommendations that provide best practices and flexibility. Policies, procedures, and regulations are mandatory and enforceable.

Guidelines allow organizations to adapt security practices based on context without strict enforcement, as defined in ISO/IEC 27001 and governance frameworks.

Type 1 authentication refers tosomething you know, such as passwords or PINs. While widely used, this authentication method has several inherent weaknesses. Users may share credentials intentionally or unintentionally, reuse weak passwords across systems, or forget them altogether. Passwords can also be intercepted through phishing, keylogging, shoulder surfing, or man-in-the-middle attacks.

Because of these weaknesses, Type 1 authentication alone provides limited security assurance. Modern security frameworks strongly recommend supplementing knowledge-based authentication with additional factors, such as something you have (tokens) or something you are (biometrics), to form Multi-Factor Authentication (MFA).

Availabilityensures that authorized users can access information and systems when needed, a core element of the CIA triad.

Platform as a Service (PaaS) provides customers with an environment tobuild, deploy, and manage applicationswithout managing underlying infrastructure. PaaS includes operating systems, middleware, runtime environments, and development tools.

SaaS delivers fully managed applications, while IaaS provides raw infrastructure. PaaS best balances flexibility and operational efficiency for software development.

Human life and safety always take precedence over systems, data, and business operations. Security awareness ensures employees know how to act safely during incidents such as fires, active threats, or infrastructure failures.

Endpoints are user-facing devices such as laptops, desktops, and mobile devices.

Zero Trust assumes no implicit trust and requires continuous verification of every access request. Microsegmentation is a core Zero Trust technique that limits lateral movement.

Microsegmentationdivides networks into granular zones protected by internal firewalls or policy enforcement points. It limits lateral movement and is a core Zero Trust principle.

Risk identification is a collaborative process that enables awareness, communication, and protection against threats.

Type 1 authenticationrefers to “something you know,” such as a password, PIN, or passphrase. This is the most common and oldest form of authentication used in information systems.

Other authentication types include Type 2 (something you have, such as a smart card or token) and Type 3 (something you are, such as biometrics). Some models also define additional types, such as location-based or behavior-based authentication.

While easy to implement, Type 1 authentication is considered the weakest because secrets can be guessed, reused, stolen, or phished. For this reason, security best practices strongly recommend combining it with other authentication types using multi-factor authentication (MFA).

NIST and CIS guidelines consistently discourage reliance on single-factor, knowledge-based authentication for sensitive systems due to its susceptibility to compromise.

SOAR (Security Orchestration, Automation, and Response) platforms are designed to collect security data from multiple tools, analyze events, and automatically execute response actions using predefined playbooks. This automation allows security teams to respond quickly and consistently to incidents.

While SIEM systems collect and correlate logs and generate alerts, they typically require manual analyst intervention for response. SOAR extends SIEM capabilities by orchestrating workflows across tools such as firewalls, endpoint protection, ticketing systems, and threat intelligence platforms.

Log repositories store logs without analysis or response capabilities. Intrusion Prevention Systems (IPS) focus on blocking malicious traffic in real time but do not coordinate broader incident response actions.

SOAR solutions reduce alert fatigue, improve response time, and standardize incident handling procedures. They are a key component of mature Security Operations Centers (SOCs) and are strongly recommended by modern security operations frameworks.

Load balancing improves availability by distributing traffic across multiple systems, preventing overload and downtime.

An accurate asset inventory is foundational to security. Without knowing what assets exist, organizations cannot secure, monitor, or protect them effectively.

ATrojanis a direct form of malware that disguises itself as legitimate software to perform malicious actions.

Immediate response checklists ensure rapid communication and awareness when a BCP is enacted.

A Security Information and Event Management (SIEM) system is designed tocollect, correlate, analyze, and alert on security eventsgenerated across an organization’s IT environment. SIEM platforms aggregate logs from diverse sources such as servers, firewalls, endpoints, applications, and cloud services, providing centralized visibility into security activity.

The core value of a SIEM lies inevent correlation and contextual analysis. By correlating events across systems and over time, a SIEM can detect suspicious patterns that individual logs alone would not reveal—such as lateral movement, privilege escalation, or coordinated attacks. SIEMs also support real-time alerting, dashboards, querying, and incident investigation, enabling security teams to respond faster and more effectively.

SIEM systems donotencrypt files (that’s cryptography), block websites directly (that’s firewalls or secure web gateways), or manage passwords (that’s IAM). Instead, they serve as thecentral nervous system of a Security Operations Center (SOC), supporting monitoring, detection, compliance reporting, and incident response workflows as recommended by NIST and other security frameworks.

ABusiness Impact Analysis (BIA)identifies critical systems, dependencies, and acceptable downtime to prioritize recovery and continuity strategies.

Logical (technical) controls such as encryption, access controls, DLP, and firewalls directly prevent unauthorized data access and exfiltration.

The primary purpose of multi-factor authentication (MFA) is to add additional layers of security to user authentication by requiring more than one authentication factor. These factors typically include something you know, something you have, and something you are.

MFA significantly reduces the risk of unauthorized access, even if one factor—such as a password—is compromised. Attackers would still need access to the additional factors to authenticate successfully.

While MFA can help reduce the likelihood of breaches, it does not directly prevent malware or ensure data integrity. Its focus is on strengthening identity verification.

NIST, CIS, and other security frameworks strongly recommend MFA, particularly for remote access, privileged accounts, and cloud environments, due to its proven effectiveness in preventing account compromise.

Access control ensures that only authorized users can access specific resources. It includes authentication, authorization, and enforcement mechanisms.

Encryption protects data confidentiality, firewalls control network traffic, and antivirus detects malware. Only access control directly governs who can access sensitive information.

Clean-agent fire suppression systems such as FM-200 and Inergen are recommended for server rooms because they suppress fires without damaging electronic equipment. Water, foam, and powder systems can destroy hardware and cause prolonged outages.

Clean agents extinguish fires by reducing heat or oxygen levels while remaining safe for occupied spaces. NIST and data center best practices strongly recommend clean-agent systems for mission-critical environments.

The three core structural components of an SQL database aretables,views, andschemas. Tables store the actual data in rows and columns. Views are virtual tables created from queries that present data in a specific way without duplicating it. Schemas act as logical containers that organize database objects and define ownership and access control.

Object-oriented interfaces are not a fundamental component of an SQL database. While modern databases may support object-relational features or APIs that allow object-oriented programming languages to interact with the database, these interfaces exist outside the core database structure.

SQL databases are based on the relational model, not the object-oriented model. Even though object-relational mapping (ORM) tools exist, they are middleware components rather than native database structures.

Understanding core database components is important for security professionals when managing access controls, permissions, and data exposure risks.

Standards such as ISO, NIST, and CIS are commonly developed by third-party organizations and provide best practices and compliance guidance. They are not laws unless mandated.

These areType 1 (bare-metal) hypervisors, running directly on hardware without a host operating system, offering higher performance and security.

A firewall is a network security device designed to monitor, filter, and control incoming and outgoing traffic based on predefined security rules. Firewalls act as a barrier between trusted internal networks and untrusted external networks, such as the internet.

Firewalls can operate at multiple layers of the OSI model and may inspect packet headers, session states, and even application-level data. Modern firewalls often include advanced features such as intrusion prevention, deep packet inspection, and threat intelligence integration.

Servers and endpoints generate or consume traffic but do not filter it by default. Ethernet is a networking standard, not a device. Firewalls are a foundational security control recommended by virtually all cybersecurity frameworks, including NIST and CIS Critical Security Controls.

By enforcing traffic filtering rules, firewalls help prevent unauthorized access, reduce attack surfaces, and protect systems from threats such as malware, scanning, and exploitation.

Cloud orchestration coordinates automated tasks, workflows, and resource provisioning across cloud environments to improve efficiency and consistency.

Log retention policies are primarily driven by laws, regulations, and governance requirements. Audits review compliance but do not typically define retention durations themselves.

Network Access Control (NAC) enforces policies that determine whether devices can connect to a network based on posture, identity, and compliance.

Metal detectors are effectivepreventive physical controlsthat detect electronic devices and storage media. They are commonly used in high-security environments to enforce device restrictions.

Transport Layer Security (TLS) helps mitigateman-in-the-middle (MITM) attacksby providing encryption, authentication, and integrity protection for data transmitted between communicating systems. TLS ensures that data exchanged between a client and server cannot be intercepted, modified, or read by unauthorized third parties.

TLS uses digital certificates and public key cryptography to authenticate servers (and sometimes clients), preventing attackers from impersonating legitimate endpoints. It also encrypts session data using symmetric encryption, protecting confidentiality even if traffic is captured.

TLS does not prevent application-layer attacks such as XSS or SQL injection, which are caused by insecure application logic. It also does not address social engineering, which targets human behavior rather than network protocols.

Because MITM attacks exploit unencrypted or improperly authenticated connections, TLS is a primary defense recommended by NIST and all modern security standards for protecting data in transit.

Abreachoccurs when sensitive or protected information is accessed, disclosed, or used without authorization—regardless of intent. Even accidental disclosures, such as sending confidential data to the wrong recipient, qualify as breaches because confidentiality has been compromised.

Two-Person Integrityensures no single individual can complete a sensitive action alone, reducing fraud and insider threats.

Law enforcement is not typically part of an organization’s internal incident response team. Incident response teams usually consist of cybersecurity professionals, technical subject matter experts, IT staff, legal advisors, and management representatives.

Law enforcement may become involved after an incident, especially in cases involving criminal activity, regulatory requirements, or large-scale breaches. However, they are external stakeholders, not internal team members.

Management plays a key role in decision-making and communication, while technical and cybersecurity experts handle detection, containment, eradication, and recovery.

NIST incident response guidance emphasizes coordination with external entities but clearly distinguishes internal response teams from external authorities such as law enforcement.

Information riskrefers to the potential harm arising from the unauthorized access, disclosure, modification, or destruction of sensitive information. This includes credentials, financial records, intellectual property, and personally identifiable information (PII).

Information risk directly impacts theconfidentiality, integrity, and availability (CIA triad)of data. While such incidents may also lead to reputational damage or compliance violations, the primary category describing the exposure of sensitive data itself is information risk.

NIST SP 800-30 emphasizes information risk as a core component of enterprise risk management, especially in organizations that rely heavily on digital data for operations and decision-making.

In Software as a Service (SaaS), the provider manages nearly all infrastructure, platforms, and applications, leaving customers responsible mainly for data and access.

Carbon dioxide (CO₂) systems suppress fire without leaving residue or damaging electronic equipment. While they pose risks to people, they are effective for protecting electronics compared to water or foam.

A zero-day vulnerability is a security flaw that is unknown to the vendor and defenders at the time it is discovered or exploited. Because there is no patch available, organizations have “zero days” to fix it.

BCP requires cross-functional participation to identify dependencies, workflows, and recovery priorities across all departments.

Criticality reflects how essential an asset is to business operations or mission success. It influences prioritization, recovery planning, and protection strategies.

MAC enforces centrally managed access controls. Users and data owners cannot modify permissions.

Anintrusionis an unauthorized attempt to access systems or networks. It may or may not succeed. Intrusions are more serious than simple events but may not rise to the level of a breach if controls prevent access.

When a device does not meet security baseline requirements, it poses a risk to the environment. Best practice is todisable or quarantine the deviceto prevent potential compromise or lateral movement. Network Access Control (NAC) solutions commonly automate this process.

Isolation ensures the device cannot interact with production systems until it is patched, configured correctly, and verified as compliant. This approach aligns with NIST and Zero Trust principles, emphasizing continuous compliance and containment.

Bell–LaPadula is a Mandatory Access Control (MAC) model focused on confidentiality. It uses security labels and clearances to enforce access rules such as “no read up, no write down.”

Business Continuity Plans (BCP) focus on sustaining operations using alternative processes and resources during disruptions.

IPv6 was introduced primarily due toIPv4 address exhaustion, enabling vastly expanded address space.

Registered ports (1024–49151) are typically assigned to vendor-specific or proprietary applications, such as database services.

Apolicyis a high-level, mandatory statement approved by senior management that defines what is allowed or required within an organization. In this scenario, the governing board establishes a rule that only the legal department may review third-party contracts, making it a policy decision.

Procedures provide step-by-step instructions, standards define specific technical or operational requirements, and laws are external legal mandates imposed by governments. None of those best describe this situation.

Policies establish authority, accountability, and organizational intent. They are enforceable and form the foundation for standards and procedures. Governance frameworks emphasize management-approved policies as essential for consistent and compliant operations.

An IPSec replay attack occurs when an attacker captures legitimate encrypted packets and attempts to retransmit (replay) them to gain unauthorized access or disrupt communication. The attacker does not need to decrypt the packets; instead, they rely on resending previously valid packets within an existing session.

Without proper protections, replayed packets could be accepted as valid, allowing attackers to impersonate legitimate users or repeat sensitive actions. IPSec defends against replay attacks usingsequence numbers and sliding windows, which ensure packets are processed only once and in the correct order.

Packet modification, eavesdropping, and traffic flooding are different attack types and are not specifically replay attacks. Replay attacks are particularly dangerous in authentication and session-based protocols, which is why anti-replay protection is a mandatory IPSec feature defined by the IETF.

An Incident Response Plan (IRP) defines how to detect, analyze, contain, eradicate, and recover from security incidents.

Anentitlementrefers to the inherent set of privileges or access rights granted to a user when an account is created. Entitlements define what resources a user can access and what actions they are allowed to perform.

A baseline refers to standard configurations, not user permissions. Aggregation and transitivity relate to access control models but do not describe default assigned privileges.

Managing entitlements is a key function of IAM systems and is critical for enforcing least privilege, access reviews, and compliance. Poor entitlement management often leads to excessive permissions and increased security risk.

Disaster Recovery Planning focuses on restoringIT systems, infrastructure, and communicationsafter a disruption. Business Continuity Planning focuses onmaintaining critical business functionsduring and after incidents, often using alternative processes.

BCP is broader than DRP and includes people, processes, facilities, and third parties, while DRP is IT-centric. Both plans complement each other but serve different purposes.

In information security, privacy refers to protecting personal and sensitive information from unauthorized access, use, or disclosure. Privacy focuses specifically on data related to individuals, such as PII, and ensuring it is handled according to legal, ethical, and regulatory requirements.

While privacy is closely related to confidentiality, it places greater emphasis on individual rights and consent. Ensuring privacy means limiting access to personal data and preventing misuse.

Integrity and availability address different aspects of the CIA triad, while option D is incomplete and incorrect. Security frameworks treat privacy as a critical objective, especially in environments handling personal data.

A router is a network device specifically designed to connect multiple networks and route traffic between them. Routers operate primarily at Layer 3 (the Network Layer) of the OSI model and use IP addresses to determine the best path for data packets.

Routers are commonly used to connect local area networks (LANs) to wide area networks (WANs), such as connecting an internal corporate network to the internet. They also play a role in enforcing network security by supporting access control lists (ACLs), network address translation (NAT), and routing policies.

Switches, while important, typically connect devices within the same network and operate at Layer 2. Servers and endpoints are hosts, not networking devices. Without routers, communication between separate networks would not be possible, severely limiting scalability and connectivity.

From a security perspective, routers help segment networks, reduce broadcast traffic, and control data flow, making them essential components in both performance and security architectures.

GDPR directly addresses privacy, while FIPS and MOUs can also relate to privacy controls and data handling requirements.

DNS primarily usesport 53over UDP and TCP for name resolution.

Baselines allow organizations to detect unauthorized changes by comparing known-good configurations against current states.

ASecurity Operations Center (SOC)is a centralized function responsible for continuous monitoring, detection, analysis, and response to cybersecurity events. SOC teams use tools such as SIEM, SOAR, IDS/IPS, and threat intelligence feeds to identify threats before they escalate into incidents.

Corrective controls are designed torestore systems to normal operation after a security incident or attack has occurred. Examples include restoring data from backups, reimaging compromised systems, applying patches, and resetting credentials.

Detective controls identify incidents, preventive controls stop incidents, and corrective controls fix the damage. While recovery controls are sometimes mentioned informally, most security frameworks (including NIST) classify restoration activities under corrective controls.

Corrective controls are critical for minimizing downtime and ensuring business resilience following an incident.

The ISC2 Code of Ethics requires members to act lawfully and ethically. Accepting pirated material violates this obligation.

Data loss affecting availability or integrity is classified as asecurity incident, even if no attacker is involved.

AnOn-Path (Man-in-the-Middle)attack allows attackers to intercept, modify, or replay communications between two parties without their knowledge.

Availability ensures that systems and data are accessible to authorized users when needed. A power outage that disrupts access to a data center directly impacts availability.

Confidentiality concerns unauthorized disclosure, integrity concerns unauthorized modification, and non-repudiation concerns accountability. None of these are directly affected by a power outage.

Availability risks are commonly addressed through redundancy, backup power supplies, generators, UPS systems, and disaster recovery planning.

Ensuring availability is a core objective of business continuity and disaster recovery programs.

A hypervisor abstracts hardware to host multiple virtual machines securely and efficiently.

Data backupsare essential to disaster recovery, enabling restoration of systems and data following failures or disasters.

NIST publishes standards and frameworks. GDPR and HIPAA are regulations and laws, not standards bodies.

VLANs reduce broadcast domains, improving performance and security.

Adequate securitymeans applying controls proportional to risk and potential impact, a core concept in NIST frameworks.

An intranet is a private network that uses internet technologies (such as TCP/IP and web browsers) but is accessible only to an organization’s internal users. It mirrors the structure and functionality of the internet while remaining private.

An extranet extends limited access to external partners. A VLAN is a logical network segmentation technique. A VPN is a secure communication tunnel, not a network architecture.

Intranets are commonly used for internal portals, documentation, collaboration tools, and internal services. From a security standpoint, intranets require strong authentication, segmentation, and access controls.

The purpose of multi-factor authentication (MFA) in Identity and Access Management (IAM) is to strengthen authentication by requiring users to present two or more independent factors from different categories: something you know, something you have, or something you are. This layered approach significantly reduces the risk of unauthorized access, even if one factor—such as a password—is compromised.

MFA addresses common attack techniques such as phishing, credential stuffing, and brute-force attacks. For example, even if an attacker steals a user’s password, they would still need access to the user’s hardware token or biometric factor to authenticate successfully.

MFA does not simplify access, remove authentication, or grant unrestricted access. Instead, it deliberately increases verification requirements to improve security. NIST SP 800-63 and other security frameworks strongly recommend MFA for privileged accounts, remote access, and cloud services because of its proven effectiveness in preventing account compromise.

DNS is an application-layer protocol that resolves domain names to IP addresses using structured queries and responses.

Risk management aims to reduce risks to acceptable levels, not eliminate them entirely. This involves identifying risks, assessing impact and likelihood, and selecting appropriate controls.

Cloud computing is defined by five essential characteristics per NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Therefore, all listed options are valid characteristics.

Effective DLP solutions monitor all egress channels to prevent unauthorized data exfiltration, including web uploads, APIs, and removable media.

Worms are self-propagating malware that spread automatically across networks by exploiting vulnerabilities. Unlike viruses, worms do not require user interaction.

IPSec (Internet Protocol Security) operates atLayer 3 – the Network Layerof the OSI model. IPSec is designed to secure IP communications by authenticating and encrypting each IP packet in a data stream. Because it works directly with IP packets, it naturally fits at the network layer.

Operating at Layer 3 gives IPSec a major advantage: it can protectall network traffic, regardless of the application or transport protocol being used. This means IPSec can secure TCP, UDP, and ICMP traffic transparently without requiring changes to applications. IPSec is commonly used to implementVirtual Private Networks (VPNs), including site-to-site and remote-access VPNs.

IPSec uses protocols such asAuthentication Header (AH)andEncapsulating Security Payload (ESP)to provide confidentiality, integrity, authentication, and anti-replay protection. Key management is typically handled by IKE (Internet Key Exchange).

Although IPSec may appear in some diagrams as interacting with other layers, standards bodies such as NIST and IETF clearly define IPSec as aLayer 3 (Network Layer)security protocol.

Emergency exit doors are a critical physical control designed to ensure safe and rapid evacuation during emergencies such as fires or earthquakes. These doors are typically clearly marked, unobstructed, and may include panic bars to allow easy exit without special knowledge or tools.

Fire alarms alert occupants, exit signs provide direction, and emergency lighting improves visibility, but none of these physically enable evacuation. Exit doors directly support life safety by allowing people to leave the building quickly and safely. Life safety is the highest priority in physical security design, and exit doors are mandatory under building and fire safety codes.

Elliptic Curve Cryptography (ECC) does not rely on the prime factorization problem. Instead, ECC is based on the mathematical difficulty of solving elliptic curve discrete logarithm problems.

RSA relies directly on the difficulty of factoring large prime numbers. GPG and PGP are encryption tools and standards that may use RSA or other algorithms internally.

ECC provides equivalent security with much smaller key sizes, making it efficient for mobile devices, embedded systems, and environments with limited processing power.

Modern security standards increasingly recommend ECC due to its performance and strong security properties.

An exploit is the method or code used to take advantage of a known vulnerability. Successful exploitation may result in an intrusion or breach.

DDoS attacks can target bothLayer 3 (Network)andLayer 4 (Transport)by overwhelming IP routing, ICMP traffic, TCP SYN floods, or UDP floods. Hence, both layers are impacted.

Threat actors include insiders, external attackers, and automated technologies such as bots. Modern threat landscapes recognize non-human actors as valid threats due to automation and AI-driven attacks.

Intercepting traffic to capture credentials is commonly achieved throughpacket sniffing, which targets theData Link layer (Layer 2). Techniques such as ARP poisoning operate at this layer to redirect traffic to the attacker.

While credentials belong to applications, the interception itself occurs at Layer 2.

Zero Trust is a security architecture that assumesno implicit trust—inside or outside the network perimeter. Every access request must be continuously verified based on identity, device health, context, and policy. Unlike traditional perimeter-based models, Zero Trust eliminates the concept of a “trusted internal network.”

Microsegmentation is a core Zero Trust technique that divides networks and workloads into highly granular security zones. Each zone enforces its own access controls, dramatically reducing lateral movement if an attacker gains access. This model aligns with NIST SP 800-207, which defines Zero Trust as a strategy to minimize attack surfaces and contain breaches.

ARP poisoning manipulates ARP tables to intercept or redirect LAN traffic, often enabling man-in-the-middle attacks.

Simulations provide realistic testing by executing scenarios that closely mirror real disruptions, revealing gaps and readiness levels better than discussions or reviews.

A sudden flood of network packets causing degraded performance is best classified as anadverse event. An adverse event is any occurrence that negatively affects system performance, availability, or operations but may not yet meet the threshold of a confirmed security incident. According to NIST definitions, events such as traffic spikes, system slowdowns, or anomalous behavior are initially treated as adverse events until further analysis confirms malicious intent.

If investigation later confirms the flood was caused by a deliberate denial-of-service attack, the classification may escalate to asecurity incident. However, without confirmation of intent or compromise, adverse event is the most accurate term.

TheApplication Layer (Layer 7)of the OSI model provides services directly to the user and user-facing applications. This layer supports protocols such as HTTP, HTTPS, SMTP, FTP, and DNS, which enable web browsing, email, file transfers, and name resolution.

While users interact with applications rather than the OSI model itself, the Application Layer is responsible for enabling those interactions. The Session Layer manages session establishment, the Presentation Layer handles data formatting and encryption, and the Physical Layer transmits raw bits over physical media.

From a security perspective, many attacks target the Application Layer, including SQL injection, cross-site scripting (XSS), and authentication bypasses. As a result, application-layer security controls such as WAFs, secure coding practices, and input validation are critical.

Understanding OSI layers helps security professionals design layered defenses and properly place controls.

Type 1 authentication is “something you know,” such as passwords or PINs. Other options represent possession-based or biometric authentication.

Ethernet (IEEE 802.3) defines wired LAN communication standards.

A wall is a physical deterrent that prevents and discourages unauthorized access. Signs are administrative deterrents, cameras are detective controls, and razor tape is a physical barrier but typically supplements perimeter defenses rather than serving as the primary deterrent.

Black box penetration testing requires the most effort because the testing team hasno prior knowledgeof the target system. Testers must perform reconnaissance, discovery, enumeration, vulnerability identification, and exploitation without any internal documentation or credentials.

In contrast, white box testing provides full knowledge of systems, source code, and configurations, significantly reducing discovery effort. Gray box testing provides partial information, offering a balance between realism and efficiency. “Blue box” is not a standard penetration testing category.

Black box testing closely simulates real-world external attackers, making it valuable for assessing perimeter defenses, but it is time-consuming and resource-intensive. Testers must identify attack surfaces from scratch and may miss internal vulnerabilities due to lack of access.

Security frameworks recognize black box testing as the most labor-intensive but also the most realistic external threat simulation.

Business Continuity encompasses the strategies, processes, and tools needed to keep critical operations running during a contingency.

Modern organizations depend on IT systems for communication, data processing, transactions, and service delivery. Without IT, critical business functions often cannot operate, making IT recovery essential to business continuity.

BCP is anorganization-wide responsibility. While IT plays a key role, BCP requires participation from all business units, leadership, HR, facilities, and external partners.

Defense in depth begins by identifying assets, followed by administrative controls (policies), technical controls (logical), and physical controls to protect systems at multiple layers.

An incident response policy establishes authority, scope, and direction. Without management approval, IR activities lack legitimacy.

Secure Shell (SSH) is the secure alternative to Telnet. Telnet transmits data, including credentials, in clear text, making it vulnerable to interception. SSH encrypts all communications, providing confidentiality, integrity, and authentication.

HTTPS secures web traffic, SFTP is used for file transfer, and LDAPS secures directory services—not remote terminal access. SSH is the industry-standard replacement for Telnet.

Privacy focuses on individual rights over personal information, distinct from confidentiality which focuses on access control.

A hierarchical database organizes data in a tree-like structure where each parent record can have multiple child records, but each child has only one parent. This model resembles a file system hierarchy and is designed to represent one-to-many relationships efficiently.

Hierarchical databases were among the earliest database models and are still used in specific environments such as legacy systems and mainframe applications. Data access is fast when the hierarchy is well understood, but the model lacks flexibility when relationships become complex.

Relational databases use tables with rows and columns, object-oriented databases store objects, and network databases allow many-to-many relationships. Only the hierarchical model strictly enforces a tree structure.

Understanding database models is important for security professionals when evaluating access control, data exposure, and system design risks.

A subject in cybersecurity is an active entity that initiates actions and requests access to resources. Among the options provided, auseris the correct example of a subject because users actively authenticate, request access, and perform operations on systems.

Files and filenames are objects, not subjects. They are passive entities that store data and do not initiate actions. A fence is a physical security control and does not function as a subject within access control models.

Subjects can include human users, system processes, applications, or services acting on behalf of users. In access control decisions, systems evaluate whether a subject is authorized to perform a specific action on an object based on identity, role, or security label.

Understanding the distinction between subjects and objects is essential for designing secure systems and implementing access control policies. It supports core principles such as least privilege and separation of duties. Without clearly identifying subjects, organizations cannot accurately enforce permissions, monitor activity, or perform effective auditing and incident response.

Risk identification is the first step in the risk management process. Organizations must first identify assets, threats, and vulnerabilities before they can assess likelihood or impact. Without knowing what risks exist, meaningful assessment and mitigation are impossible.

Anadverse eventis a harmful occurrence that may or may not constitute a security incident or breach.

Multi-factor authentication (MFA) requires two or more authentication factors from different categories: something you know, something you have, and something you are.

MFA significantly increases security by reducing reliance on any single factor. Even if one factor is compromised, attackers still cannot authenticate without the others.

MFA is widely recommended by NIST, CIS, and virtually all modern security frameworks, especially for privileged accounts and remote access.

PAM solutions focus onjust-in-time (JIT) access, granting elevated privileges only when needed and revoking them afterward. This reduces standing privileges and minimizes attack surfaces.

Discretionary Access Control (DAC) allows the owner or creator of an object to decide who can access it and what permissions they receive. This delegation capability is a defining feature of DAC systems.

MAC enforces centrally controlled policies, RBAC assigns permissions through roles, and ABAC uses attributes evaluated by a policy engine. Only DAC explicitly allows object owners to grant or revoke access at their discretion.

MITRE ATTandCK maps adversary tactics, techniques, and procedures (TTPs) across the attack lifecycle.

Digital signatures provide authentication, integrity, and non-repudiation. They confirm who sent a message and ensure it was not altered.

Software-Defined Networking (SDN) separates the control plane from the data plane, enabling centralized and programmable network management.

Digital signatures provideauthentication,integrity, andnon-repudiation, but they donot provide confidentiality. A digital signature verifies who sent the message and ensures it was not altered, but the content remains readable unless encryption is also applied.

Confidentiality requires encryption, typically using symmetric or asymmetric cryptography. Digital signatures are often combined with encryption (such as in TLS or secure email), but by themselves they do not hide message contents.

Clear roles ensure fast, coordinated response, reduce confusion, and prevent duplicated or missed actions during incidents.

An Incident Response Plan (IRP) defines procedures for managing and mitigating security incidents.