CC ISC CC - Certified in Cybersecurity Free Practice Exam Questions (2026 Updated)

BCP is anorganization-wide responsibility. While IT plays a key role, BCP requires participation from all business units, leadership, HR, facilities, and external partners.

Asecurity breachrefers to an incident where an unauthorized individual successfully gains access to a system, application, network, or data resource. Unlike a general security event, a breach confirms that confidentiality, integrity, or availability has been compromised. According to NIST SP 800-61, a breach occurs when security controls fail and protected information is accessed, disclosed, altered, or destroyed without authorization.

Not every event or intrusion results in a breach. For example, a blocked attack detected by an IDS is an event, not a breach. A breach has legal, regulatory, and business implications, often triggering notification requirements, forensic investigations, and remediation actions.

Privacy focuses on individual rights over personal information, distinct from confidentiality which focuses on access control.

Mandatory Access Control (MAC) enforces centrally managed security labels and clearances, making it suitable for classified and government systems.

A protocol analyzer, also known as a packet sniffer, captures and inspects network traffic flowing across a network segment. If traffic is unencrypted, protocol analyzers can intercept sensitive information such as usernames, passwords, session tokens, and application data.

Log servers store logs, network scanners identify hosts and services, and firewalls filter traffic based on rules. Only protocol analyzers are designed to capture and inspect packet contents.

This capability makes protocol analyzers valuable for troubleshooting and for attackers conducting eavesdropping attacks. Encryption protocols such as TLS are critical defenses against this risk.

Defense in Depth employs administrative, technical, and physical controls across multiple layers to reduce reliance on any single security mechanism. This approach increases resilience and detection capability.

Authentication is the process of verifying that a user is who they claim to be. Identification occurs first (username), authentication verifies the claim (password, token, biometrics), and authorization determines access rights.

A Disaster Recovery Plan (DRP) provides procedures to restore IT systems, applications, and infrastructure after an outage.

A baseline is a documented set of approved security controls, configurations, and system settings used as a standard across an IT environment. Baselines ensure consistency, security, and compliance by defining how systems should be configured before deployment and during operation.

Security baselines are commonly derived from frameworks such as CIS Benchmarks, NIST SP 800-53, and vendor hardening guides. They help reduce misconfigurations, which are a leading cause of security breaches.

Patches address specific vulnerabilities, inventory tracks assets, and policies define high-level rules and expectations. Baselines translate policies into actionable technical settings, such as password policies, logging configurations, and service restrictions.

By enforcing baselines, organizations improve security posture, simplify audits, and enable faster incident response. Any deviation from the baseline can be detected and investigated, making baselines a cornerstone of secure and well-managed IT environments.

AnOn-Path (Man-in-the-Middle)attack allows attackers to intercept, modify, or replay communications between two parties without their knowledge.

Transport Layer Security (TLS) helps mitigateman-in-the-middle (MITM) attacksby providing encryption, authentication, and integrity protection for data transmitted between communicating systems. TLS ensures that data exchanged between a client and server cannot be intercepted, modified, or read by unauthorized third parties.

TLS uses digital certificates and public key cryptography to authenticate servers (and sometimes clients), preventing attackers from impersonating legitimate endpoints. It also encrypts session data using symmetric encryption, protecting confidentiality even if traffic is captured.

TLS does not prevent application-layer attacks such as XSS or SQL injection, which are caused by insecure application logic. It also does not address social engineering, which targets human behavior rather than network protocols.

Because MITM attacks exploit unencrypted or improperly authenticated connections, TLS is a primary defense recommended by NIST and all modern security standards for protecting data in transit.

Attribute-Based Access Control (ABAC) is considered a dynamic authorization model because access decisions are made in real time based on attributes of the user, resource, action, and environment. These attributes can include time of day, device type, location, data sensitivity, and user role.

Unlike RBAC or MAC, which rely on static roles or labels, ABAC evaluates policies dynamically using a policy decision point (PDP). This makes ABAC ideal for modern cloud, zero trust, and highly distributed environments.

DAC allows owners to grant permissions, RBAC uses predefined roles, and MAC relies on fixed security labels. ABAC provides the most flexible and context-aware authorization.

In access control models, asubjectis an active entity that requests access to a resource. In this scenario, Derrick is the subject because he is the user initiating an action—logging into a system and attempting to read a file. Subjects can be users, processes, or systems acting on behalf of users.

Anobject, by contrast, is a passive entity that is being accessed, such as a file, database, printer, or network resource. The file Derrick wants to read is the object. Access control systems evaluate whether a subject has the appropriate permissions to perform an action (such as read, write, or execute) on an object.

This subject-object relationship is foundational to many security models, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Proper identification of subjects is essential for authentication, authorization, auditing, and accountability. By clearly defining who the subject is, organizations can enforce least privilege, track user actions, and maintain strong security governance across systems.

A URL filter is the most effective control for restricting access to specific websites. URL filtering allows administrators to block access based on domain names, URLs, or content categories such as gambling, social media, or malicious sites.

IP address blocking is less precise because many websites share IP addresses or use dynamic hosting. DLP solutions focus on data protection, not web access control. IPS systems detect and block attacks but are not designed for enforcing acceptable-use browsing policies.

URL filtering is commonly implemented in firewalls, secure web gateways, and proxy servers and is widely used to enforce organizational internet usage policies.

A replay attack occurs when an attacker captures valid authentication data—such as login credentials, session tokens, or cryptographic handshakes—and later reuses that data to gain unauthorized access. The attacker does not need to know the actual password; instead, they replay previously captured authentication information.

Replay attacks often exploit systems that lack proper protections such as timestamps, nonces, session expiration, or cryptographic challenge-response mechanisms. These attacks are particularly dangerous in poorly secured authentication protocols or legacy systems.

A man-in-the-middle attack involves intercepting and potentially altering communications in real time, while a replay attack focuses on reusing captured data. Smurf attacks and DDoS attacks target availability, not authentication.

Security controls such as time-based tokens, one-time passwords, mutual authentication, and secure protocols (e.g., TLS) are commonly used to prevent replay attacks. NIST authentication guidelines explicitly recommend replay resistance as a core requirement for secure authentication systems.

Deterrent controls are designed to discourage individuals from attempting unauthorized or malicious actions. CCTV systems act as deterrent controls because their visible presence can discourage theft, vandalism, or unauthorized access by increasing the perceived risk of being caught.

Business Continuity Plans (BCP), Disaster Recovery Plans (DRP), and Incident Response Plans (IRP) are corrective and recovery-focused controls, not deterrents. They address what happensafteran incident occurs.

Deterrent controls are often combined with preventive and detective controls to form a layered security strategy. Examples include warning signs, lighting, guards, and surveillance cameras. These controls play an important psychological role in reducing security incidents.

A ping flood attack exploits the Internet Control Message Protocol (ICMP), which operates atOSI Layer 3 (Network Layer). The attacker overwhelms a target system by sending a large volume of ICMP Echo Request (ping) packets, consuming bandwidth and processing resources.

Because ICMP is used for network diagnostics and error reporting, excessive ICMP traffic can prevent legitimate network communication, leading to a denial-of-service condition. Since IP and ICMP are Layer 3 protocols, ping flood attacks directly impact the network layer.

A security incident is any event that actually or potentially compromises confidentiality, integrity, or availability.

Clear roles ensure fast, coordinated response, reduce confusion, and prevent duplicated or missed actions during incidents.