CC CC - Certified in Cybersecurity Questions and Answers

Role-Based Access Control (RBAC) assigns permissions based on job roles, making it scalable and efficient for large organizations. It simplifies access management and supports least privilege.

255.255.255.0is a commonly usedsubnet mask, indicating that the first 24 bits represent the network portion of an IPv4 address. Subnet masks define how IP addresses are divided into network and host portions, enabling efficient routing and segmentation.

The primary purpose of aWeb Application Firewall (WAF)is tofilter, monitor, and block malicious HTTP/HTTPS trafficdirected at web applications. A WAF operates at theapplication layer (Layer 7)of the OSI model and is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting (XSS), command injection, and other OWASP Top 10 vulnerabilities.

Unlike traditional network firewalls, which focus on IP addresses, ports, and protocols, a WAF understands web-specific traffic patterns and inspects the content of HTTP requests and responses. This allows it to detect malicious payloads embedded in URLs, headers, cookies, and request bodies.

While some WAFs may offer limited protection against application-layer DDoS attacks, DDoS mitigation is not their primary function. Intrusion detection is typically handled by IDS/IPS solutions, and SSL certificate management is unrelated to WAF functionality.

Security frameworks such as NIST and OWASP recommend WAFs as a critical compensating control for protecting public-facing web applications, especially when secure coding fixes cannot be deployed immediately.

While managementparticipatesin BCP, “management” alone is not a documented component. The other options represent formal, documented BCP elements.

ATrojanis a direct form of malware that disguises itself as legitimate software to perform malicious actions.

Most VPNs (e.g., IPSec) operate atLayer 3 (Network layer), encapsulating IP packets to create secure tunnels.

Segregation of duties reduces fraud and insider threats by requiring multiple individuals to complete critical tasks.

Digital signatures provide authentication, integrity, and non-repudiation. They confirm who sent a message and ensure it was not altered.

ISC2’s Code of Ethics requires candidates to report violations through proper channels to preserve exam integrity.

Risk Avoidanceeliminates risk by discontinuing activities that expose the organization to unacceptable threats.

Distributed Denial-of-Service (DDoS) attacks disrupt availability by overwhelming systems, preventing legitimate access.

The primary goal of arisk assessmentis to identify, estimate, and prioritize risks based on likelihood and impact. This allows organizations to make informed decisions about how to handle risk. Risk avoidance, mitigation, or transfer occurafterthe assessment phase.

Attribute-Based Access Control (ABAC) grants access based on complex logical rules that evaluate attributes of the user, resource, action, and environment. Examples include user role, department, time of day, device type, and data sensitivity. These attributes are evaluated dynamically, allowing fine-grained and context-aware access decisions.

DAC allows owners to grant permissions, MAC uses labels and classifications, and RBAC assigns permissions based on roles. None of these provide the same level of flexibility as ABAC. Because ABAC supports complex, rule-based decisions, it is widely used in modern cloud environments and zero trust architectures.

Data backupsare essential to disaster recovery, enabling restoration of systems and data following failures or disasters.

Data Loss Prevention (DLP) is designed to protect sensitive data across all states: at rest, in motion, and in use. DLP solutions monitor, detect, and prevent unauthorized access, sharing, or exfiltration of data.

While encryption protects data at rest and in transit, it does not prevent authorized users from misusing data. Hashing ensures integrity, not confidentiality. Threat modeling identifies risks but does not enforce protection.

DLP tools enforce policies, inspect content, and prevent data leakage through email, web uploads, removable media, and cloud services. They are especially valuable for protecting regulated data such as PII and financial records.

NIST and CIS recognize DLP as a critical control for comprehensive data protection strategies.

Data remanence refers to the residual representation of data that remains on storage media even after attempts have been made to delete or erase it. When files are deleted, the operating system typically removes references to the data rather than overwriting the actual bits on the disk. As a result, the data may still be recoverable using forensic tools.

Remanence is especially relevant for magnetic storage, solid-state drives, and backup media. Because of this risk, security standards recommend proper media sanitization techniques such as overwriting, degaussing, or physical destruction. NIST SP 800-88 specifically addresses media sanitization methods to mitigate remanence risks.

This concept is critical when disposing of or repurposing storage devices, particularly those that previously contained sensitive or regulated data.

Double dealing is not a recognized social engineering technique. The others involve manipulating individuals to disclose information or perform actions.

Governancedefines oversight, accountability, and decision-making structures within an organization.

Port scanning targetstransport-layer ports(TCP/UDP), making Layer 4 the correct answer.

A Security Operations Center (SOC) continuously monitors security events, analyzes threats, and coordinates incident response. SOCs integrate people, processes, and technology such as SIEM, SOAR, and threat intelligence platforms.

Availability is the primary security goal enhanced by a strong business continuity program. Business continuity planning focuses on ensuring that critical systems, services, and operations remain accessible during and after disruptive events such as cyberattacks, natural disasters, or system failures.

Availability is one of the three pillars of the CIA triad and ensures that authorized users can access information and systems when needed. Business continuity strategies include redundancy, failover systems, backups, alternate processing sites, and disaster recovery plans.

While confidentiality and integrity are important, business continuity is primarily concerned with minimizing downtime and maintaining operational resilience. Non-repudiation relates to accountability and is not a continuity objective.

Frameworks such as NIST SP 800-34 and ISO/IEC 22301 emphasize availability as the core outcome of effective business continuity and disaster recovery planning.

SOAR (Security Orchestration, Automation, and Response) platforms are designed to collect security data from multiple tools, analyze events, and automatically execute response actions using predefined playbooks. This automation allows security teams to respond quickly and consistently to incidents.

While SIEM systems collect and correlate logs and generate alerts, they typically require manual analyst intervention for response. SOAR extends SIEM capabilities by orchestrating workflows across tools such as firewalls, endpoint protection, ticketing systems, and threat intelligence platforms.

Log repositories store logs without analysis or response capabilities. Intrusion Prevention Systems (IPS) focus on blocking malicious traffic in real time but do not coordinate broader incident response actions.

SOAR solutions reduce alert fatigue, improve response time, and standardize incident handling procedures. They are a key component of mature Security Operations Centers (SOCs) and are strongly recommended by modern security operations frameworks.

An Intrusion Detection System (IDS) consists of three fundamental functional components: information sources, analysis engines, and response mechanisms. Information sources collect data such as network packets, logs, or system events. Analysis engines evaluate this data to detect suspicious behavior. Response components generate alerts or notifications.

While IDS systems typically do not block traffic (unlike IPS), they still perform response actions such as logging, alerting, and triggering workflows.

All three components work together to detect and report security incidents. This architecture is well documented in NIST intrusion detection guidance and forms the basis of both host-based and network-based IDS solutions.

Knowledge-based authentication relies onsomething the user knows, such as passwords, PINs, or answers to security questions. It is the most common but also the weakest form of authentication due to susceptibility to guessing, phishing, and brute-force attacks. For this reason, it is often combined with other factors in multi-factor authentication (MFA).

Load balancing improves availability by distributing traffic across multiple systems, preventing overload and downtime.

AnOn-Path (Man-in-the-Middle)attack allows attackers to intercept, modify, or replay communications between two parties without their knowledge.

The CIA triad provides a foundational framework for understanding and designing security controls.

Clean-agent fire suppression systems such as FM-200 and Inergen are recommended for server rooms because they suppress fires without damaging electronic equipment. Water, foam, and powder systems can destroy hardware and cause prolonged outages.

Clean agents extinguish fires by reducing heat or oxygen levels while remaining safe for occupied spaces. NIST and data center best practices strongly recommend clean-agent systems for mission-critical environments.

Metal detectors are effectivepreventive physical controlsthat detect electronic devices and storage media. They are commonly used in high-security environments to enforce device restrictions.

ASecurity Operations Center (SOC)is a centralized function responsible for continuous monitoring, detection, analysis, and response to cybersecurity events. SOC teams use tools such as SIEM, SOAR, IDS/IPS, and threat intelligence feeds to identify threats before they escalate into incidents.

Cross-Site Request Forgery (CSRF) tricks an authenticated user’s browser into sending unauthorized requests to a trusted server. Because the user is already authenticated, the server processes the request as legitimate.

XSS injects malicious scripts, while spoofing involves impersonation. CSRF exploits trust in an existing authenticated session. Defenses include CSRF tokens, same-site cookies, and proper request validation.

Data Loss Prevention (DLP)systems monitor, detect, and block unauthorized data exfiltration across endpoints, networks, and cloud services.

Spoofing involves falsifying identity information (IP, MAC, email headers) to appear as a trusted source and bypass controls.

Corrective controls are designed torestore systems to normal operation after a security incident or attack has occurred. Examples include restoring data from backups, reimaging compromised systems, applying patches, and resetting credentials.

Detective controls identify incidents, preventive controls stop incidents, and corrective controls fix the damage. While recovery controls are sometimes mentioned informally, most security frameworks (including NIST) classify restoration activities under corrective controls.

Corrective controls are critical for minimizing downtime and ensuring business resilience following an incident.

Integrityis the primary factor in system and information reliability. Reliable systems must ensure that data is accurate, complete, and protected from unauthorized modification. If integrity is compromised, decisions based on the data become unreliable—even if systems are available or confidential. NIST and ISO frameworks emphasize integrity as essential to trustworthiness and operational reliability.

In information security, privacy refers to protecting personal and sensitive information from unauthorized access, use, or disclosure. Privacy focuses specifically on data related to individuals, such as PII, and ensuring it is handled according to legal, ethical, and regulatory requirements.

While privacy is closely related to confidentiality, it places greater emphasis on individual rights and consent. Ensuring privacy means limiting access to personal data and preventing misuse.

Integrity and availability address different aspects of the CIA triad, while option D is incomplete and incorrect. Security frameworks treat privacy as a critical objective, especially in environments handling personal data.

Azero-day vulnerabilityis typically not identifiable through a standard vulnerability assessment. Vulnerability scanners and routine assessments rely onknown vulnerability signatures, published advisories, and documented weaknesses. By definition, a zero-day vulnerability is unknown to vendors, defenders, and security tools at the time it exists or is exploited.

File permission issues, buffer overflows, and cross-site scripting (XSS) vulnerabilities are commonly detected through automated scans, configuration reviews, and application testing because they are well understood and documented classes of weaknesses. Scanners are specifically designed to identify these known issues.

Zero-day vulnerabilities, however, require alternative detection approaches such as behavioral monitoring, anomaly detection, threat intelligence, or post-exploitation forensics. This limitation is why vulnerability assessments alone are insufficient and must be complemented withdefense-in-depth, monitoring, and incident response capabilities.

Security frameworks consistently emphasize that organizations should not rely solely on vulnerability scanning, as it cannot detect unknown or newly emerging threats like zero-day vulnerabilities.

Incident response focuses on detecting, containing, eradicating, and recovering from security incidents, including violations of policies and practices.

An IP address is a logical identifier used to locate and route traffic to devices on a network.

A security assessment evaluates the effectiveness of security controls and verifies whether they meet security requirements. It differs from risk assessments, which focus on identifying threats and vulnerabilities.

Athreat vectoris the path or method used by a threat actor to exploit vulnerabilities, such as phishing, malware, or network attacks.

Qualitative risk analysis evaluates risk using descriptive categories such aslow,medium, andhighinstead of numerical values. This approach relies on expert judgment, experience, and contextual understanding rather than precise financial or statistical calculations. According to NIST SP 800-30, qualitative analysis is especially useful when numerical data is unavailable or when rapid risk prioritization is required.

Unlike quantitative risk analysis, which assigns monetary values and probabilities, qualitative analysis focuses on relative severity and likelihood. It is commonly used during early stages of risk management, policy development, and executive decision-making. While less precise, qualitative risk analysis is easier to communicate to stakeholders and helps organizations focus resources on the most critical risks.

The primary goal of Identity and Access Management (IAM) is to ensuresecure and controlled accessto organizational resources. IAM systems manage user identities, authenticate users, and authorize access based on roles, policies, and least privilege principles.

IAM does not guarantee complete protection against all threats, as no system can provide 100% security. It also does not eliminate authentication or focus on network performance monitoring. Instead, IAM ensures that theright usershave theright accessto theright resourcesat theright time.

Core IAM capabilities include identity provisioning, authentication, authorization, access reviews, and auditing. IAM is foundational to zero trust architectures and is emphasized by NIST, ISO/IEC 27001, and CIS as a critical security control for preventing unauthorized access and reducing insider threat risk.

An Advanced Persistent Threat (APT) involves stealthy, long-term access to systems for espionage, data theft, or sabotage.

Phishing uses deceptive messages—often emails or websites—to trick users into revealing sensitive information. Spoofing is often used as a technique within phishing attacks.

Risk management aims to reduce risks to acceptable levels, not eliminate them entirely. This involves identifying risks, assessing impact and likelihood, and selecting appropriate controls.

Apolicyis a high-level, mandatory statement approved by senior management that defines what is allowed or required within an organization. In this scenario, the governing board establishes a rule that only the legal department may review third-party contracts, making it a policy decision.

Procedures provide step-by-step instructions, standards define specific technical or operational requirements, and laws are external legal mandates imposed by governments. None of those best describe this situation.

Policies establish authority, accountability, and organizational intent. They are enforceable and form the foundation for standards and procedures. Governance frameworks emphasize management-approved policies as essential for consistent and compliant operations.

Penetration testing simulates real-world attacks to identify vulnerabilities before adversaries exploit them.

Buffer overflow attacks target applications, exploiting improper memory handling. Applications operate atLayer 7 (Application Layer), making it the primary target.

DNS primarily usesport 53over UDP and TCP for name resolution.

A threat actor is the individual or group responsible for carrying out attacks. Threat vectors describe methods, not entities.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) operate at theTransport layer (Layer 4)of the OSI model. This layer is responsible for end-to-end communication, segmentation, flow control, and error handling.

TCP provides reliable, connection-oriented communication with acknowledgments and retransmissions. UDP provides connectionless communication optimized for speed and low latency.

The Session layer manages session establishment, and the Presentation layer handles formatting and encryption. Neither is responsible for transport-level data delivery.

Understanding protocol placement is essential for firewall rules, intrusion detection, and network troubleshooting. Most security controls rely heavily on Transport-layer awareness.

IPSec (Internet Protocol Security) operates atLayer 3 – the Network Layerof the OSI model. IPSec is designed to secure IP communications by authenticating and encrypting each IP packet in a data stream. Because it works directly with IP packets, it naturally fits at the network layer.

Operating at Layer 3 gives IPSec a major advantage: it can protectall network traffic, regardless of the application or transport protocol being used. This means IPSec can secure TCP, UDP, and ICMP traffic transparently without requiring changes to applications. IPSec is commonly used to implementVirtual Private Networks (VPNs), including site-to-site and remote-access VPNs.

IPSec uses protocols such asAuthentication Header (AH)andEncapsulating Security Payload (ESP)to provide confidentiality, integrity, authentication, and anti-replay protection. Key management is typically handled by IKE (Internet Key Exchange).

Although IPSec may appear in some diagrams as interacting with other layers, standards bodies such as NIST and IETF clearly define IPSec as aLayer 3 (Network Layer)security protocol.

Antivirus softwareis apreventive security controldesigned to stop known malware threats before they can execute or spread within a system. Antivirus solutions use signature-based detection, heuristic analysis, and increasingly behavior-based techniques to block malicious code such as viruses, worms, trojans, and ransomware.

In contrast,IDS (Intrusion Detection Systems)andHIDS (Host-based IDS)are primarilydetective controls. They monitor systems and networks for suspicious activity but do not inherently block threats.SIEMplatforms aggregate and analyze logs for visibility and correlation; they support detection and response but do not directly prevent threats.

According to NIST SP 800-53, preventive controls are designed to stop incidents from occurring, while detective controls identify events after or during occurrence. Therefore, antivirus is the correct choice as it directly prevents threats.

The primary goal of incident management is toreduce the impact of an incidenton the organization. Incident management focuses on minimizing damage, limiting scope, and restoring stability as quickly as possible.

Preparation is handled before incidents occur, and disaster recovery focuses on long-term system restoration. Protecting life and safety is important but not the core definition of incident management in cybersecurity frameworks.

NIST SP 800-61 emphasizes rapid containment, mitigation, and impact reduction as the central objectives of incident management.

An event is any observable occurrence. Not all events are incidents or breaches, but incidents start as events.

Side-channel attacks exploit physical characteristics such as power usage, timing, or electromagnetic emissions to infer sensitive information like cryptographic keys.

A zero-day vulnerability is a security flaw that is unknown to the vendor and defenders at the time it is discovered or exploited. Because there is no patch available, organizations have “zero days” to fix it.

Athreatis any actor or condition capable of exploiting a vulnerability to cause harm.

Policies are high-level statements of management intent and direction. Standards and procedures derive from policies.

According to NIST SP 800-61, incident response consists of four core phases:Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Option A best represents these core components.

Confidentiality ensures information is accessible only to authorized individuals.

Standards define mandatory technical or operational requirements that must be followed to comply with policy. Guidelines are optional, and procedures provide step-by-step instructions.

Firewalls control and filter network traffic based on security rules to prevent unauthorized access. While they may monitor traffic, their primary function is enforcing access control at network boundaries.

Cross-site scripting (XSS) attacks exploitinput validation vulnerabilitiesin web applications. These vulnerabilities occur when an application fails to properly validate, sanitize, or encode user-supplied input before including it in web pages. As a result, attackers can inject malicious scripts that are executed in the browsers of other users.

XSS attacks commonly occur through form fields, URL parameters, cookies, or HTTP headers. Once executed, malicious scripts can steal session cookies, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim.

ARP spoofing and DNS poisoning target network-level trust relationships, not application input validation. Pharming redirects users to fake websites by manipulating DNS or host files, again unrelated to input validation.

Preventing XSS relies heavily on strong input validation, output encoding, content security policies (CSP), and secure coding practices. OWASP and NIST explicitly identify XSS as a validation-related vulnerability and emphasize defensive coding as the primary mitigation.

A firewall is a network security device designed to monitor, filter, and control incoming and outgoing traffic based on predefined security rules. Firewalls act as a barrier between trusted internal networks and untrusted external networks, such as the internet.

Firewalls can operate at multiple layers of the OSI model and may inspect packet headers, session states, and even application-level data. Modern firewalls often include advanced features such as intrusion prevention, deep packet inspection, and threat intelligence integration.

Servers and endpoints generate or consume traffic but do not filter it by default. Ethernet is a networking standard, not a device. Firewalls are a foundational security control recommended by virtually all cybersecurity frameworks, including NIST and CIS Critical Security Controls.

By enforcing traffic filtering rules, firewalls help prevent unauthorized access, reduce attack surfaces, and protect systems from threats such as malware, scanning, and exploitation.

Aturnstileis a physical access control device designed to allow only one individual to pass at a time. Turnstiles are commonly used to prevent tailgating and unauthorized entry in offices, transit stations, and secure facilities. Unlike mantraps, turnstiles typically allow one-way movement and do not lock a person inside an enclosed space.

Role-Based Access Control (RBAC) enforces least privilege by assigning permissions based on job roles rather than individuals. Users receive only the permissions necessary for their role, reducing excess access.

RBAC is widely used in enterprises, cloud platforms, and operating systems due to its scalability and manageability.

ABusiness Impact Analysis (BIA)identifies critical systems, dependencies, and acceptable downtime to prioritize recovery and continuity strategies.

Procedures provide detailed, actionable steps explaining how to perform tasks in compliance with policies and standards.

Distributed Denial of Service (DDoS) attacks primarily impactavailability, one of the three pillars of the CIA triad. DDoS attacks overwhelm systems, networks, or applications with massive volumes of traffic, exhausting resources such as bandwidth, CPU, or memory and preventing legitimate users from accessing services.

The goal of a DDoS attack is not to steal data, alter information, or deny accountability, but rather todisrupt access. Confidentiality and integrity may remain intact, but users are unable to reach the system, resulting in service outages, financial loss, and reputational damage.

Availability is a critical security objective for public-facing services such as websites, APIs, and online platforms. Defenses against DDoS attacks include traffic filtering, rate limiting, content delivery networks (CDNs), scrubbing services, and redundant architectures.

Security frameworks such as NIST and ISO/IEC explicitly associate denial-of-service attacks with availability risks, making availability the most directly affected cybersecurity principle.

ATrojandeceives users into executing it by appearing legitimate while performing malicious actions.

Well-known ports (0–1023) are reserved for core services such as HTTP (80), HTTPS (443), FTP (21), and SSH (22).

Consistencyensures data remains uniform and synchronized across systems, databases, and backups—critical for accuracy and trustworthiness.

TheApplication Layer (Layer 7)of the OSI model provides services directly to the user and user-facing applications. This layer supports protocols such as HTTP, HTTPS, SMTP, FTP, and DNS, which enable web browsing, email, file transfers, and name resolution.

While users interact with applications rather than the OSI model itself, the Application Layer is responsible for enabling those interactions. The Session Layer manages session establishment, the Presentation Layer handles data formatting and encryption, and the Physical Layer transmits raw bits over physical media.

From a security perspective, many attacks target the Application Layer, including SQL injection, cross-site scripting (XSS), and authentication bypasses. As a result, application-layer security controls such as WAFs, secure coding practices, and input validation are critical.

Understanding OSI layers helps security professionals design layered defenses and properly place controls.

Registered ports (1024–49151) are typically assigned to vendor-specific or proprietary applications, such as database services.

AService Level Agreement (SLA)defines availability, performance, responsibilities, security controls, and incident response expectations between cloud providers and customers.

A switch operates at Layer 2 and forwards traffic only to the destination port based on MAC address tables, unlike hubs which broadcast traffic.

A VPC endpoint is the best solution for enabling secure, private connectivity between systems in different virtual private clouds (VPCs) without traversing the public internet. VPC endpoints allow private communication using the cloud provider’s internal network.

VPNs introduce additional overhead and complexity, while internet gateways and public IP addresses expose systems to the public internet, increasing attack surface.

VPC endpoints provide strong security, reduced latency, and simplified architecture. They are recommended by cloud providers and security frameworks for private, internal cloud communication.

Preparation is the foundational phase of incident response. It defines policies, roles, responsibilities, tools, training, and communication procedures. Without preparation, all other phases become chaotic and ineffective.

NIST SP 800-61 emphasizes preparation as the first phase because it ensures responders understand escalation paths, legal considerations, evidence handling, and authority. A new security engineer must understand preparation to operate effectively during real incidents.

Distributed Denial-of-Service (DDoS) attacks overwhelm targets with traffic from multiple sources, disrupting availability.

SSDs do not reliably respond to overwriting or degaussing due to wear-leveling. Physical destruction such as disintegration is the most secure sanitization method, per NIST SP 800-88.

ADenial-of-Service (DoS)attack disrupts availability by overwhelming systems or resources, preventing legitimate access.

SSH operates at the Application layer (Layer 7). IP, ICMP, and IGMP are Layer 3 protocols responsible for routing and control messaging.

A router is a network device specifically designed to connect multiple networks and route traffic between them. Routers operate primarily at Layer 3 (the Network Layer) of the OSI model and use IP addresses to determine the best path for data packets.

Routers are commonly used to connect local area networks (LANs) to wide area networks (WANs), such as connecting an internal corporate network to the internet. They also play a role in enforcing network security by supporting access control lists (ACLs), network address translation (NAT), and routing policies.

Switches, while important, typically connect devices within the same network and operate at Layer 2. Servers and endpoints are hosts, not networking devices. Without routers, communication between separate networks would not be possible, severely limiting scalability and connectivity.

From a security perspective, routers help segment networks, reduce broadcast traffic, and control data flow, making them essential components in both performance and security architectures.

A ping flood attack exploits the Internet Control Message Protocol (ICMP), which operates atOSI Layer 3 (Network Layer). The attacker overwhelms a target system by sending a large volume of ICMP Echo Request (ping) packets, consuming bandwidth and processing resources.

Because ICMP is used for network diagnostics and error reporting, excessive ICMP traffic can prevent legitimate network communication, leading to a denial-of-service condition. Since IP and ICMP are Layer 3 protocols, ping flood attacks directly impact the network layer.

Multi-factor authentication (MFA) requires two or more authentication factors from different categories: something you know, something you have, and something you are.

MFA significantly increases security by reducing reliance on any single factor. Even if one factor is compromised, attackers still cannot authenticate without the others.

MFA is widely recommended by NIST, CIS, and virtually all modern security frameworks, especially for privileged accounts and remote access.

A Red Book is ahard-copy version of critical business continuity and emergency procedures. It is essential when disasters such as hurricanes, earthquakes, or cyberattacks disable power, networks, or electronic backups. In such scenarios, electronic access may be impossible, making physical documentation vital.

A Business Continuity Plan is enacted when an organization experiences aloss or disruption of critical business operations. The goal of BCP is to ensure that essential business functions continue or are quickly restored, regardless of the cause of the disruption.

While events, incidents, or natural disasters may trigger disruptions, BCP activation is based onimpact to operations, not the type of event itself. BCP focuses on people, processes, facilities, and third parties—not just IT systems.

Likelihood represents the probability that a threat will successfully exploit a vulnerability and is a core component of risk calculation.

A Content Delivery Network (CDN) provides the greatest resilience against large-scale DDoS attacks by distributing traffic across a globally dispersed network of edge servers. CDNs absorb and filter malicious traffic before it reaches the origin infrastructure.

Increasing servers or bandwidth helps only to a limited extent and can still be overwhelmed by volumetric attacks. IPS-based mitigation is effective for smaller attacks but is not designed to handle massive distributed floods. CDNs combine traffic absorption, rate limiting, caching, and threat filtering at scale.

Major CDNs operate with terabits of capacity and specialized DDoS defenses, making them highly effective against attacks that would cripple individual organizations.

For public-facing applications, CDNs are considered a best-practice defensive control against availability attacks.

A zero-day vulnerability is one that is unknown to the vendor and has no available patch at the time it is exploited. Attackers take advantage of the fact that defenders have “zero days” to fix the issue.

Routine vulnerability scans cannot detect zero-days because scanners rely on known signatures. This is why defense-in-depth, monitoring, and anomaly detection are critical security strategies.

Risk assessment is the structured process of identifying risks, estimating their likelihood and impact, and prioritizing them for treatment. It forms the analytical foundation of risk management and enables informed decision-making. Risk assessment typically includes threat identification, vulnerability analysis, likelihood determination, and impact analysis.

Risk treatment and mitigation occur after risks have been assessed, while risk management is the broader lifecycle that includes assessment, response, monitoring, and communication. Standards such as NIST SP 800-30 emphasize risk assessment as a critical early step in managing cybersecurity risk.

Risk management is an ongoing process that identifies threats, evaluates risk, and applies controls to reduce risk to acceptable levels. It is foundational to cybersecurity governance.

An eavesdropping attack occurs when an attacker passively intercepts network communications to capture sensitive information such as credentials, session tokens, or authentication exchanges. This data can later be reused in impersonation or replay attacks.

CSRF and XSS are application-layer attacks, while ARP spoofing is an active network attack. Eavesdropping relies on unencrypted or weakly protected communications, highlighting the importance of TLS and secure authentication protocols.

The Disaster Recovery Plan (DRP) contains step-by-step technical procedures to restore IT systems, data, and infrastructure after a disruptive event. While the BCP focuses on maintaining operations, the DRP focuses onrestoration.

Zenmap is the graphical front end for Nmap. It performs host discovery, port scanning, service enumeration, and OS fingerprinting.

Non-repudiation ensures that an individual or system cannot deny having performed a specific action, such as sending or receiving a message or approving a transaction. It provides proof of origin and proof of delivery.

This security principle is typically implemented using cryptographic techniques such as digital signatures, public key infrastructure (PKI), hashing, and secure audit logs. For example, a digitally signed message can later be verified, preventing the sender from denying authorship.

Non-repudiation supports accountability, legal enforceability, and forensic investigations. It differs from confidentiality (preventing unauthorized access), integrity (preventing unauthorized modification), and availability (ensuring access).

Non-repudiation is especially important in financial systems, legal communications, and regulated industries where disputes may arise.

ABAC uses centralized policy engines (PDPs) to evaluate attributes and enforce fine-grained access control decisions dynamically.

Honeytokens are decoy data elements designed to lure attackers and detect unauthorized access. Examples include fake credentials, files, or database entries that have no legitimate use.

When a honeytoken is accessed, it triggers an alert, indicating a compromise. Honeytokens are valuable for detecting insider threats and lateral movement.

They do not encrypt data, improve performance, or manage access. Honeytokens are part of deception-based security strategies that enhance detection capabilities.

Cloud computing is defined by five essential characteristics per NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Therefore, all listed options are valid characteristics.

High availability (HA) refers to system designs that ensure continuous operation by minimizing downtime in the event of component failures. Adding a backup firewall that automatically takes over when the primary firewall fails is a classic example of high availability.

HA solutions often use failover mechanisms, heartbeat monitoring, and redundancy to ensure seamless service continuity. The goal is to maintain availability, which is a core pillar of the CIA triad.

Component redundancy describes duplicated parts, but high availability focuses on the operational outcome—continued service. Load balancing distributes traffic, not failover. Clustering involves multiple systems working together, but HA specifically emphasizes fault tolerance and uptime.

High availability is critical for security infrastructure such as firewalls, authentication servers, and monitoring tools. NIST and ISO frameworks stress HA as essential for business continuity, disaster recovery, and resilient security operations.

ARP poisoning manipulates ARP tables to intercept or redirect LAN traffic, often enabling man-in-the-middle attacks.

Disaster Recovery Planning focuses on restoringIT systems, infrastructure, and communicationsafter a disruption. Business Continuity Planning focuses onmaintaining critical business functionsduring and after incidents, often using alternative processes.

BCP is broader than DRP and includes people, processes, facilities, and third parties, while DRP is IT-centric. Both plans complement each other but serve different purposes.

Logical access controls enforce security through software-based mechanisms such as access control lists, authentication systems, and configuration settings.

BCP requires cross-functional participation to identify dependencies, workflows, and recovery priorities across all departments.

An incident response policy establishes authority, scope, and direction. Without management approval, IR activities lack legitimacy.

Type 1 authentication is “something you know,” such as passwords or PINs. Other options represent possession-based or biometric authentication.

DR planning includes technical controls, operational checklists, and security solutions to support recovery of IT systems after a disruption.

Security benchmarks define baseline performance and configuration standards against which systems are measured.

Disaster Recovery Planning focuses specifically on restoring IT infrastructure, systems, and communications.

Common IRT models includededicated,leveraged, andhybridteams. In these models, response capabilities exist within the organization. While organizations mayusethird-party assistance, a fullyoutsourcedIRT is generally not considered a core internal IRT model because incident response requires immediate organizational authority, access, and accountability.

In Software as a Service (SaaS), the provider manages nearly all infrastructure, platforms, and applications, leaving customers responsible mainly for data and access.

Discretionary Access Control (DAC) allows the owner or creator of an object to decide who can access it and what permissions they receive. This delegation capability is a defining feature of DAC systems.

MAC enforces centrally controlled policies, RBAC assigns permissions through roles, and ABAC uses attributes evaluated by a policy engine. Only DAC explicitly allows object owners to grant or revoke access at their discretion.

Baselines allow organizations to detect unauthorized changes by comparing known-good configurations against current states.

Platform as a Service (PaaS) provides customers with an environment tobuild, deploy, and manage applicationswithout managing underlying infrastructure. PaaS includes operating systems, middleware, runtime environments, and development tools.

SaaS delivers fully managed applications, while IaaS provides raw infrastructure. PaaS best balances flexibility and operational efficiency for software development.

Network Access Control (NAC) enforces policies that determine whether devices can connect to a network based on posture, identity, and compliance.