CC ISC CC - Certified in Cybersecurity Free Practice Exam Questions (2026 Updated)

Disaster Recovery Planning (DRP) focuses on restoringIT systems and communications, while Business Continuity Planning (BCP) ensurescritical business functions continueduring disruptions. They are complementary but distinct disciplines.

DNS primarily usesport 53over UDP and TCP for name resolution.

Logical access controls enforce security through software-based mechanisms such as access control lists, authentication systems, and configuration settings.

Side-channel attacks exploit physical characteristics such as power usage, timing, or electromagnetic emissions to infer sensitive information like cryptographic keys.

Private or ephemeral ports (49152–65535) are dynamically assigned to client applications for temporary communication sessions.

Carbon dioxide (CO₂) systems suppress fire without leaving residue or damaging electronic equipment. While they pose risks to people, they are effective for protecting electronics compared to water or foam.

VLAN hopping exploits weaknesses in Layer 2 switching mechanisms such as trunking and tagging.

Most VPNs (e.g., IPSec) operate atLayer 3 (Network layer), encapsulating IP packets to create secure tunnels.

Abreachoccurs when sensitive or protected information is accessed, disclosed, or used without authorization—regardless of intent. Even accidental disclosures, such as sending confidential data to the wrong recipient, qualify as breaches because confidentiality has been compromised.

Impact measures the severity of consequences if a security event occurs. It is a key component of risk calculations along with likelihood.

Load balancing distributes incoming traffic across multiple servers or resources to improve performance, scalability, and availability. It prevents overload of a single system and supports high availability architectures.

A threat actor is the individual or group responsible for carrying out attacks. Threat vectors describe methods, not entities.

Human safety always takes precedence over systems, data, and business operations.

ABusiness Continuity Plan (BCP)ensures critical operations continue during and after significant disruptions, regardless of the cause.

Secure Shell (SSH) is the secure alternative to Telnet. Telnet transmits data, including credentials, in clear text, making it vulnerable to interception. SSH encrypts all communications, providing confidentiality, integrity, and authentication.

HTTPS secures web traffic, SFTP is used for file transfer, and LDAPS secures directory services—not remote terminal access. SSH is the industry-standard replacement for Telnet.

Cross-site scripting (XSS) attacks exploitinput validation vulnerabilitiesin web applications. These vulnerabilities occur when an application fails to properly validate, sanitize, or encode user-supplied input before including it in web pages. As a result, attackers can inject malicious scripts that are executed in the browsers of other users.

XSS attacks commonly occur through form fields, URL parameters, cookies, or HTTP headers. Once executed, malicious scripts can steal session cookies, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim.

ARP spoofing and DNS poisoning target network-level trust relationships, not application input validation. Pharming redirects users to fake websites by manipulating DNS or host files, again unrelated to input validation.

Preventing XSS relies heavily on strong input validation, output encoding, content security policies (CSP), and secure coding practices. OWASP and NIST explicitly identify XSS as a validation-related vulnerability and emphasize defensive coding as the primary mitigation.

Anentitlementrefers to the inherent set of privileges or access rights granted to a user when an account is created. Entitlements define what resources a user can access and what actions they are allowed to perform.

A baseline refers to standard configurations, not user permissions. Aggregation and transitivity relate to access control models but do not describe default assigned privileges.

Managing entitlements is a key function of IAM systems and is critical for enforcing least privilege, access reviews, and compliance. Poor entitlement management often leads to excessive permissions and increased security risk.

Risk management aims to reduce risks to acceptable levels, not eliminate them entirely. This involves identifying risks, assessing impact and likelihood, and selecting appropriate controls.

Integrity applies broadly—to data, systems, processes, and organizational operations—ensuring accuracy, completeness, and trustworthiness.