CC ISC CC - Certified in Cybersecurity Free Practice Exam Questions (2026 Updated)

Discretionary Access Control (DAC) allows the owner or creator of an object to decide who can access it and what permissions they receive. This delegation capability is a defining feature of DAC systems.

MAC enforces centrally controlled policies, RBAC assigns permissions through roles, and ABAC uses attributes evaluated by a policy engine. Only DAC explicitly allows object owners to grant or revoke access at their discretion.

Address Space Layout Randomization (ASLR) randomizes the memory locations used by applications, making it significantly harder for attackers to predict where malicious payloads should be placed during buffer overflow attacks.

Buffer overflow exploits rely on predictable memory layouts. ASLR disrupts this predictability, increasing attacker effort and reducing exploit reliability.

The other options are either non-standard terms or unrelated to buffer overflow mitigation. ASLR is widely used in modern operating systems and is a key defensive control recommended by secure coding and system hardening guidelines.

ASLR does not eliminate vulnerabilities but raises the attack complexity, which is a core defensive strategy.

HTTPS (Hypertext Transfer Protocol Secure) is the most suitable protocol for secure communication between clients and servers. HTTPS uses TLS to encrypt data in transit, ensuring confidentiality, integrity, and authentication. This prevents attackers from eavesdropping, tampering, or impersonating servers.

HTTP and FTP transmit data in clear text, making them vulnerable to interception. SMTP is used for email delivery, not client-server web communication. Modern security standards mandate HTTPS for all production web applications.

PAM solutions focus onjust-in-time (JIT) access, granting elevated privileges only when needed and revoking them afterward. This reduces standing privileges and minimizes attack surfaces.

A zero-day vulnerability cannot be detected during a routine vulnerability assessment because it is unknown to vendors and security tools at the time of discovery. Vulnerability scanners rely on known signatures and disclosures.

Kernel flaws, buffer overflows, and permission misconfigurations are commonly identified through scans, audits, and configuration reviews.

Zero-day vulnerabilities require behavioral analysis, threat intelligence, or exploitation before detection. This is why defense-in-depth and monitoring are essential complements to vulnerability scanning.

Security frameworks emphasize that vulnerability assessments alone cannot detect unknown threats.

VLANslogically separate networks at Layer 2 while sharing the same physical infrastructure.

Firewalls are not particularly effective against insider threats because insiders already have authorized access to internal systems and networks. Firewalls are designed to control traffic between trusted and untrusted networks, not to monitor legitimate internal user behavior.

Least privilege limits what insiders can access, reducing potential damage. Background checks help identify risky individuals before hiring. Separation of duties prevents any one person from having complete control over critical processes.

Insider threats involve misuse of legitimate access, whether malicious or accidental. Effective controls against insiders focus on access management, monitoring, auditing, and behavioral analysis—not perimeter defenses.

Security frameworks consistently emphasize that insider threats require administrative, detective, and procedural controls rather than traditional network perimeter tools like firewalls.

Digital signatures provideauthentication,integrity, andnon-repudiation, but they donot provide confidentiality. A digital signature verifies who sent the message and ensures it was not altered, but the content remains readable unless encryption is also applied.

Confidentiality requires encryption, typically using symmetric or asymmetric cryptography. Digital signatures are often combined with encryption (such as in TLS or secure email), but by themselves they do not hide message contents.

Website spoofing involves impersonating legitimate sites to deceive users. Phishing often uses spoofed sites but is the broader attack method.

NIST publishes standards and frameworks. GDPR and HIPAA are regulations and laws, not standards bodies.

Two-factor authentication (2FA) requires users to verify their identity usingtwo independent authentication factorsfrom different categories, such as something you know and something you have.

The purpose of 2FA is to strengthen authentication security and reduce the risk of unauthorized access. Even if one factor is compromised, the attacker cannot authenticate without the second factor.

2FA is a subset of multi-factor authentication and is strongly recommended by modern security standards, particularly for remote access, cloud services, and privileged accounts.

Routers control traffic flow between different networks by making routing decisions based on IP addresses. They operate at OSI Layer 3 and determine the optimal path for data packets.

Cloud computing is defined by five essential characteristics per NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Therefore, all listed options are valid characteristics.

Senior management is ultimately responsible for approving, signing, and publishing organizational policies. While departments such as security, HR, and legal may draft, review, or advise on policies, executive leadership provides formal authorization and accountability.

This responsibility aligns with governance principles outlined in frameworks like ISO/IEC 27001 and NIST, which emphasize management commitment to information security. Policies require executive endorsement to ensure they are enforceable, aligned with business objectives, and supported with appropriate resources.

Senior management’s involvement demonstrates organizational commitment, establishes authority, and ensures compliance across all departments. Without leadership approval, policies lack legitimacy and may not be consistently followed.

Security operations rely on clear, management-approved policies to guide procedures, incident response, and compliance activities. Executive sponsorship also enables enforcement and disciplinary actions when policies are violated.

The primary objective of DRP is restoring IT systems to a reliable operational state.

A Red Book is ahard-copy version of critical business continuity and emergency procedures. It is essential when disasters such as hurricanes, earthquakes, or cyberattacks disable power, networks, or electronic backups. In such scenarios, electronic access may be impossible, making physical documentation vital.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to ensure authenticity and integrity. It prevents attacks such as DNS spoofing and cache poisoning.

DNSSEC allows clients to verify that DNS responses have not been altered. It is the industry-standard solution recommended by security frameworks for protecting DNS infrastructure.

Risk is calculated by evaluating the likelihood of a threat exploiting a vulnerability and the resulting impact.

A wall is a physical deterrent that prevents and discourages unauthorized access. Signs are administrative deterrents, cameras are detective controls, and razor tape is a physical barrier but typically supplements perimeter defenses rather than serving as the primary deterrent.