(ISC)² Certified in Cybersecurity (CC) Practice Exam
Entry-level certification validating foundational security knowledge — security principles, BCDR/incident response, access control, network security, and security operations.
Practice 299 exam-style (ISC)² Certified in Cybersecurity (CC) questions with full answer explanations, then take timed mock exams that score like the real thing.
What the (ISC)² Certified in Cybersecurity (CC) exam covers
- Security Principles: 57 questions
- Business Continuity, DR, and Incident Response: 46 questions
- Access Control Concepts: 55 questions
- Network Security: 62 questions
- Security Operations: 79 questions
Free (ISC)² Certified in Cybersecurity (CC) sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 299.
What does the CIA triad stand for in information security?
- A. Compliance, Integrity, Auditing
- B. Confidentiality, Integrity, Availability (Correct)
- C. Control, Identity, Access
- D. Confidentiality, Identity, Authentication
✓ Correct answer: B. The CIA triad is the foundational model of information security. Confidentiality ensures that information is accessible only to those authorized to view it. Integrity ensures that data has not been altered in an unauthorized or undetected manner. Availability ensures that systems and data are accessible to authorized users when needed. Together these three properties define the core objectives that security controls are designed to protect.
Why the other options are wrong:
- A. Compliance, Integrity, Auditing is incorrect because compliance and auditing are governance and assurance activities, not core security properties that form the CIA triad.
- C. Control, Identity, Access is incorrect because these terms describe access management concepts, not the three foundational security properties of the triad.
- D. Confidentiality, Identity, Authentication is incorrect because identity and authentication are components of access control and the AAA framework, not the third pillar of the CIA triad, which is availability.
Which is an example of a PHYSICAL access control?
- A. An encryption algorithm
- B. A badge reader or locked door restricting entry to a server room (Correct)
- C. A firewall rule
- D. A password policy
✓ Correct answer: B. Physical access controls are security mechanisms that restrict access to physical spaces, equipment, and facilities. Badge readers authenticate individuals before unlocking doors, and locked doors prevent unauthorized personnel from entering sensitive areas such as server rooms, data centers, and wiring closets. Physical access controls protect hardware from theft, tampering, and unauthorized observation, addressing threats that logical controls cannot prevent. They include fences, turnstiles, mantraps, guards, and surveillance systems alongside electronic access mechanisms.
Why the other options are wrong:
- A. An encryption algorithm is incorrect because encryption is a technical (logical) control that protects data confidentiality through cryptographic transformation of the data; it operates in the digital domain and does not restrict physical movement or access to spaces.
- C. A firewall rule is incorrect because firewall rules are logical network controls that filter traffic based on defined criteria such as source IP, destination port, and protocol; they control network communication, not physical entry to buildings or rooms.
- D. A password policy is incorrect because a password policy is an administrative control that governs the selection and management of passwords, which are used for logical system authentication; it does not restrict physical access to any location.
When selecting a security control, what does a cost-benefit analysis primarily compare?
- A. The control's color-coded severity only
- B. The cost of the control versus the reduction in expected loss (risk) it provides (Correct)
- C. The brand reputation of the vendor only
- D. The number of vendors who sell it
✓ Correct answer: B. A cost-benefit analysis in security asks whether the money spent on a control is justified by the risk reduction it delivers. Expected loss is usually expressed as the Annual Loss Expectancy (ALE): the Single Loss Expectancy (the asset value multiplied by the exposure factor, the fraction of the asset's value lost in one incident) multiplied by the Annualized Rate of Occurrence (how many times per year the threat is expected to materialize). If the annual cost of implementing and maintaining a control is less than the reduction in ALE it provides, the control is financially justified. The analysis guards against both under-investment (accepting too much risk) and over-investment (spending more on controls than the value of what they protect).
Why the other options are wrong:
- A. The control's color-coded severity only is incorrect because color-coded severity ratings indicate the urgency or criticality of a vulnerability but do not by themselves determine whether the cost of a control is justified by the risk reduction it provides.
- C. The brand reputation of the vendor only is incorrect because vendor reputation is one qualitative factor in procurement decisions; a cost-benefit analysis requires a quantitative comparison of financial cost against measurable risk reduction, not brand perception alone.
- D. The number of vendors who sell it is incorrect because market competition may affect pricing but does not itself determine whether a control's cost is justified by its risk-reduction benefit; a widely available, cheap control might still cost more than the risk it mitigates.
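A worked version of that comparison, added here as an illustration (the figures are constructed, not from the original question): an asset worth AV = $500,000, an exposure factor EF = 0.4 (40% of its value is lost per incident), a threat expected twice in five years (ARO = 0.5), and a candidate control costing $30,000 per year that is expected to cut the ARO to 0.1.

$$
\begin{aligned}
\mathrm{SLE} &= \mathrm{AV} \times \mathrm{EF} = 500{,}000 \times 0.4 = 200{,}000 \\
\mathrm{ALE}_{\text{before}} &= \mathrm{SLE} \times \mathrm{ARO} = 200{,}000 \times 0.5 = 100{,}000 \\
\mathrm{ALE}_{\text{after}} &= \mathrm{SLE} \times \mathrm{ARO}_{\text{after}} = 200{,}000 \times 0.1 = 20{,}000 \\
\text{Net benefit} &= (\mathrm{ALE}_{\text{before}} - \mathrm{ALE}_{\text{after}}) - \text{annual control cost} = 80{,}000 - 30{,}000 = 50{,}000
\end{aligned}
$$

The control is justified because the net benefit is positive. Had the same control cost $90,000 a year, the same arithmetic would give a net loss of $10,000, and accepting the risk or choosing a cheaper control would be the better decision.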
On a Linux host using nftables/iptables, which command appends a rule to DROP all inbound TCP traffic to port 23 (Telnet)?
- A. iptables -A OUTPUT -p udp --sport 23 -j ACCEPT
- B. iptables -L 23 -j DROP
- C. iptables -F INPUT --dport 23
- D. iptables -A INPUT -p tcp --dport 23 -j DROP (Correct)
✓ Correct answer: D. This command appends (-A) a rule to the INPUT chain, which processes traffic destined for the local host. -p tcp restricts the rule to TCP, --dport 23 matches packets whose destination port is 23 (Telnet), and -j DROP silently discards matching packets without sending any rejection response. Blocking inbound Telnet is a standard hardening step because Telnet transmits everything, credentials included, in cleartext, so anyone positioned on the path between client and server can read it. Two practical caveats: -A appends to the end of the chain, and iptables stops at the first matching rule, so the DROP has no effect if an earlier rule already ACCEPTs that traffic (use -I to insert at the top when ordering matters); and rules added on the command line live only in the running kernel until they are saved and restored at boot.
Why the other options are wrong:
- A. iptables -A OUTPUT -p udp --sport 23 -j ACCEPT is incorrect because this rule appends to the OUTPUT chain (outbound traffic), specifies UDP rather than TCP, uses --sport (source port) rather than destination port, and has an action of ACCEPT rather than DROP; none of these attributes match the goal of blocking inbound TCP Telnet traffic.
- B. iptables -L 23 -j DROP is incorrect because -L lists the rules of a chain; it does not create rules, -j has no meaning with it, and there is no chain named 23 to list, so the command does not add a blocking rule.
- C. iptables -F INPUT --dport 23 is incorrect because -F is the flush command that deletes every rule in a chain and takes no match options; iptables rejects --dport without -p tcp, and even a bare iptables -F INPUT would remove all existing INPUT rules rather than add one that drops Telnet.
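The rule-ordering caveat is the one that bites in practice: an appended DROP is silently dead if a broader ACCEPT sits above it. The script below is an added example, not part of the original question; it checks a saved `iptables -S INPUT` listing for an inbound TCP/23 DROP and reports whether an earlier rule shadows it. The shadowing test is a heuristic (an ACCEPT that is not limited to established connections and could match a new TCP connection to port 23), and the listings it runs on are constructed, so it needs neither root nor an iptables binary.

```shell
#!/bin/sh
# Added example, not part of the original question: check a saved
# `iptables -S INPUT` listing for an inbound TCP/23 DROP and report whether an
# earlier rule shadows it. iptables evaluates a chain top to bottom and the
# first matching rule wins, so a DROP appended with -A is dead if a broader
# ACCEPT already sits above it. Runs offline on constructed input.

# Usage: telnet_drop_status < listing ; prints "ok", "shadowed" or "missing".
telnet_drop_status() {
    awk '
        # Only -A INPUT lines matter; -P policy lines and other chains are skipped.
        $1 == "-A" && $2 == "INPUT" {
            is_tcp    = ($0 ~ /-p tcp( |$)/)
            any_proto = ($0 !~ /-p /)
            port23    = ($0 ~ /--dport 23( |$)/)
            no_port   = ($0 !~ /--dport /)
            # Heuristic (assumption): an ACCEPT reached before our DROP shadows it
            # when it is not limited to established connections and could match a
            # new TCP connection to port 23.
            if (!found && $0 ~ /-j ACCEPT( |$)/ && $0 !~ /ESTABLISHED/ &&
                (is_tcp || any_proto) && (port23 || no_port))
                shadow = 1
            if (is_tcp && port23 && $0 ~ /-j (DROP|REJECT)( |$)/)
                found = 1
        }
        END {
            if (!found)      print "missing"
            else if (shadow) print "shadowed"
            else             print "ok"
        }'
}

# Convenience wrapper: status of a listing passed as a string.
status_of() { printf '%s\n' "$1" | telnet_drop_status; }

# Constructed sample listings standing in for real `iptables -S INPUT` output.
GOOD='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP'

# The same DROP appended after a blanket ACCEPT: it is never reached.
SHADOWED='-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP'

for listing in "$GOOD" "$SHADOWED"; do
    printf '%s\n' "$listing"
    printf '=> %s\n\n' "$(status_of "$listing")"
done
```

On a live host, run it as `iptables -S INPUT | telnet_drop_status`. Rules added at the command line are lost at reboot unless captured with iptables-save and restored at boot; on distributions where the iptables command is the iptables-nft compatibility layer, the same rule can be written natively as `nft add rule inet filter input tcp dport 23 drop` (assuming the usual `inet filter` table and `input` chain already exist).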
When designing a network for a public-facing web application, where should the web servers be placed for best security?
- A. Directly on the internal LAN with the database servers
- B. In a DMZ (screened subnet) isolated from the internal network by firewalls (Correct)
- C. On the same flat network as user workstations
- D. Outside all firewalls on the public internet directly
✓ Correct answer: B. A demilitarized zone (DMZ), also called a screened subnet, is a network segment that sits between the public internet and the internal private network, with a firewall on each side (or a single firewall with a separate interface for each zone). Web servers that serve public users belong in the DMZ because they must accept connections from untrusted external clients, which makes them more exposed than internal systems. If a public-facing web server is compromised, the attacker is contained within the DMZ and faces a second firewall boundary before reaching the internal network where databases, file servers, and other sensitive systems reside; only the specific flows the application needs (for example, the web server to the database port) should be permitted across that boundary. The DMZ limits the blast radius of a web server compromise.
Why the other options are wrong:
- A. Directly on the internal LAN with the database servers is incorrect because placing internet-facing web servers on the same network segment as sensitive backend databases and internal systems means that if a web server is compromised, the attacker has direct network access to the most sensitive internal assets without traversing any additional firewall boundary.
- C. On the same flat network as user workstations is incorrect because placing public-facing servers on the same network as user workstations means a compromised web server could attack workstations directly, or vice versa; the internal user network should be isolated from internet-facing services.
- D. Outside all firewalls on the public internet directly is incorrect because placing servers outside all firewall protection leaves them with no network-layer defense against direct attack; servers should always have at least one firewall between them and the public internet, even when they are public-facing.
A company buys cyber-insurance to cover losses from a data breach. Which risk treatment does this represent?
- A. Risk mitigation
- B. Risk avoidance
- C. Risk acceptance
- D. Risk transference (Correct)
✓ Correct answer: D. Risk transference is a risk management strategy in which the financial consequences of a risk are shifted to a third party while the organization retains operational responsibility for the activity. Cyber-insurance is the most common example: the insurer agrees to cover defined financial losses resulting from a data breach, ransomware attack, or other cyber incident in exchange for premium payments. While the organization still experiences the incident, the insurance policy transfers the financial burden of costs such as incident response, legal fees, regulatory fines, and customer notifications to the insurer. Risk transference does not eliminate or reduce the likelihood of an incident; it only manages the financial impact.
Why the other options are wrong:
- A. Risk mitigation is incorrect because risk mitigation involves implementing controls that reduce the likelihood or impact of a risk occurring; buying insurance does not change the probability of a breach or reduce its operational severity, it only compensates financially after the fact.
- B. Risk avoidance is incorrect because risk avoidance means eliminating the activity that creates the risk entirely, such as not collecting certain sensitive data or not offering a specific online service; purchasing insurance does not avoid the risk, it accepts the possibility of the event and transfers the financial consequences.
- C. Risk acceptance is incorrect because risk acceptance means acknowledging a risk and deciding to bear the consequences without implementing additional treatment; purchasing cyber-insurance is an active treatment that shifts financial liability to a third party, which is transference rather than passive acceptance of the risk.
What is the primary purpose of log centralization (forwarding logs to a central server or SIEM)?
- A. To assign IP addresses to logging hosts
- B. To increase the network's bandwidth
- C. To aggregate logs in one protected location for correlation, retention, and tamper resistance (Correct)
- D. To delete logs faster on the source hosts
✓ Correct answer: C. When logs remain distributed across individual hosts, they are vulnerable to tampering by an attacker who has compromised that host, and correlating events across many systems requires accessing each one separately. Log centralization, forwarding log data to a SIEM or dedicated log management system, solves both problems by collecting logs from all sources into a single repository that can be protected with strict access controls and write-once storage. Centralization also enables automated correlation rules that detect attack patterns spanning multiple systems, which is not possible while logs are siloed on individual devices.
Why the other options are wrong:
- A. To assign IP addresses to logging hosts is incorrect because IP address assignment is the function of DHCP and network configuration management; it has no relationship to log centralization.
- B. To increase the network's bandwidth is incorrect because log forwarding actually consumes some network bandwidth; the purpose is improved security visibility and log integrity, not bandwidth expansion.
- D. To delete logs faster on the source hosts is incorrect because the goal of log management is to preserve and protect log data for the required retention period, not to delete it faster; premature deletion undermines accountability and compliance.
What does monitoring of privileged account usage primarily help detect?
- A. The brand of network cabling
- B. The number of printers on the network
- C. Misuse or compromise of high-impact administrative accounts (Correct)
- D. The font size used in documents
✓ Correct answer: C. Privileged accounts, including domain administrators, root accounts, database administrators, and service accounts with elevated permissions, are the highest-value targets in any environment because their compromise grants an attacker maximum control. Monitoring privileged account activity enables detection of anomalous behavior such as administrative logins at unusual times, use of privileged accounts for routine tasks rather than specific administrative operations, lateral movement using admin credentials, or sudden bulk operations like mass account creation or data deletion. Privileged access monitoring is a key component of insider threat detection and advanced persistent threat response.
Why the other options are wrong:
- A. The brand of network cabling is incorrect because network cabling specifications are a physical infrastructure concern managed by network engineers; they are not visible in access logs and are unrelated to privileged account activity monitoring.
- B. The number of printers on the network is incorrect because printer inventory management is a network asset management function; counting printers is performed through network discovery tools, not through privileged access monitoring.
- D. The font size used in documents is incorrect because document formatting preferences are application-level settings with no security relevance; privileged account monitoring focuses on system-level administrative actions, not document editing activities.
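The two preceding questions (log centralization and privileged-account monitoring) share one practical point: the detections they describe only work once the lines from every host sit in one place. The script below is an added example, not from the original page. It runs two checks over a constructed, already-centralized syslog stream from three hosts: one finds a source IP whose failed SSH logins are spread thinly across several hosts (invisible in any single host's log), and the other flags root SSH logins and sudo-to-root outside business hours, which are assumed here to be 08:00 to 17:59 local time. The hostnames, usernames and addresses are invented.

```shell
#!/bin/sh
# Added example, not from the original page: two correlation checks over a
# constructed, centralized syslog stream. Check 1 needs every host's lines in
# one place; check 2 is a simple after-hours privileged-activity detector.

# Constructed sample of what a SIEM or rsyslog collector might hold.
LOGS='Mar 10 02:13:44 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 02:13:49 web02 sshd[3322]: Failed password for admin from 203.0.113.5 port 51240 ssh2
Mar 10 02:13:55 db01 sshd[4410]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 10 02:14:02 db01 sshd[4411]: Failed password for root from 203.0.113.5 port 51252 ssh2
Mar 10 09:05:10 web01 sshd[2200]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 10 09:30:12 web01 sshd[2250]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2
Mar 10 10:02:33 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar 10 03:41:07 db01 sshd[4490]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Mar 10 03:42:30 db01 sudo:    svc-backup : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/x.tgz /var/lib/postgresql'

# Check 1: source IPs with failed SSH logins on at least $1 distinct hosts
# (default 3). Each host alone sees one or two failures and nothing stands out;
# only the aggregated view reveals the low-and-slow spray.
spraying_sources() {
    min=${1:-3}
    printf '%s\n' "$LOGS" | awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password/ {
            host = $4
            for (i = 5; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (!((ip, host) in seen)) { seen[ip, host] = 1; hosts[ip]++ }
        }
        END { for (ip in hosts) if (hosts[ip] >= min) print ip, hosts[ip] }' | sort
}

# Check 2: privileged activity outside the assumed business hours 08:00-17:59.
# "Privileged" here means an accepted SSH login as root, or any sudo to root.
after_hours_privileged() {
    printf '%s\n' "$LOGS" | awk '
        {
            split($3, t, ":"); hour = t[1] + 0
            host = $4
            if (hour >= 8 && hour < 18) next
            if ($0 ~ /sshd\[[0-9]+\]: Accepted .* for root from/)
                print host, "root-ssh-login", $3
            else if ($0 ~ /sudo:/ && $0 ~ /USER=root/)
                print host, "sudo-to-root", $6, $3   # $6 is the invoking user
        }'
}

printf 'Sources failing against >=3 hosts (ip count):\n'
spraying_sources 3
printf '\nAfter-hours privileged activity:\n'
after_hours_privileged
```

Both checks are deliberately plain awk so the logic is visible; in a SIEM they would be correlation rules with the same shape (group by source across hosts; filter privileged events by time window). Tune the host threshold and the hours to your environment, and remember that the after-hours rule is only a starting point: the more telling signal in the sample is that the root login at 03:41 comes from the same address that was spraying passwords an hour earlier.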
A help-desk technician resets a user's password after a caller claims to be a manager 'locked out before a big meeting,' without verifying identity. The account is later used to exfiltrate data. Which attack succeeded and what control would have prevented it?
- A. Social engineering; a strict identity-verification procedure for resets (Correct)
- B. A worm; up-to-date antivirus signatures
- C. SQL injection; input validation on the login form
- D. A DDoS attack; rate limiting at the firewall
✓ Correct answer: A. This scenario is a classic social engineering attack in which the attacker manipulates a person, the help desk technician, rather than exploiting a technical vulnerability. The attacker created urgency and emotional pressure ("locked out before a big meeting") to convince the technician to bypass normal security procedures and reset the password without verifying the caller's identity. The correct countermeasure is a strict, consistently enforced identity verification procedure for all password reset requests, such as requiring the caller to authenticate through a separate, pre-registered channel or in person, that applies equally regardless of how urgent the request appears.
Why the other options are wrong:
- B. A worm; up-to-date antivirus signatures is incorrect because a worm is self-propagating malware that spreads automatically through network vulnerabilities; the scenario describes manipulation of a human employee through deception, not malware execution.
- C. SQL injection; input validation on the login form is incorrect because SQL injection is a code-level attack that inserts malicious database queries through user input fields; the attack in this scenario exploited a human process failure, not a technical vulnerability in application code.
- D. A DDoS attack; rate limiting at the firewall is incorrect because a DDoS attack overwhelms systems with excessive traffic to deny service; the scenario describes targeted account takeover through manipulation of a single help desk employee, not a volumetric traffic attack.
An incident handler contained a breach and removed the malware, but two weeks later the same attacker returned through the identical unpatched flaw. Which incident-response phase was likely skipped or incomplete?
- A. Eradication / post-incident lessons learned; the root-cause vulnerability was never remediated (Correct)
- B. Preparation; no incident-response team existed
- C. Identification of assets for the BIA
- D. Detection; the breach was never noticed
✓ Correct answer: A. The eradication phase of incident response requires not only removing the malware and revoking the attacker's access, but also identifying and closing the root-cause vulnerability that allowed the initial intrusion. If the unpatched flaw that served as the entry point is not remediated during eradication, the environment remains vulnerable to the same attack vector and the attacker, or any other party who knows about the vulnerability, can re-enter through the same path. The post-incident lessons-learned review should have identified that the patch was not applied and escalated it for immediate remediation, closing the gap that the initial response missed.
Why the other options are wrong:
- B. Preparation; no incident-response team existed is incorrect because the scenario states an incident handler contained the breach and removed the malware, which confirms that an incident response capability existed and operated; the failure was in the completeness of eradication, not in having a team.
- C. Identification of assets for the BIA is incorrect because the Business Impact Analysis identifies critical business functions and their recovery requirements; it is a preparedness planning activity performed before incidents, not a phase that was skipped during active incident response.
- D. Detection; the breach was never noticed is incorrect because the scenario explicitly states the breach was detected and responded to; the failure occurred in the completeness of the remediation that followed, not in whether the incident was initially identified.
(ISC)² Certified in Cybersecurity (CC) practice exam FAQ
How many questions are in the (ISC)² Certified in Cybersecurity (CC) practice exam on CertGrid?
CertGrid has 299 practice questions for (ISC)² Certified in Cybersecurity (CC), covering 5 exam domains. The real (ISC)² Certified in Cybersecurity (CC) exam has about 100 questions.
What is the passing score for (ISC)² Certified in Cybersecurity (CC)?
The (ISC)² Certified in Cybersecurity (CC) exam passing score is 700 on a 1000-point scaled score, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official (ISC)² Certified in Cybersecurity (CC) exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of (ISC)² Certified in Cybersecurity (CC), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice (ISC)² Certified in Cybersecurity (CC) for free?
Yes. You can start practicing (ISC)² Certified in Cybersecurity (CC) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.