CC CC - Certified in Cybersecurity Questions and Answers

A baseline is a documented set of approved security controls, configurations, and system settings used as a standard across an IT environment. Baselines ensure consistency, security, and compliance by defining how systems should be configured before deployment and during operation.

Security baselines are commonly derived from frameworks such as CIS Benchmarks, NIST SP 800-53, and vendor hardening guides. They help reduce misconfigurations, which are a leading cause of security breaches.

Patches address specific vulnerabilities, inventory tracks assets, and policies define high-level rules and expectations. Baselines translate policies into actionable technical settings, such as password policies, logging configurations, and service restrictions.

By enforcing baselines, organizations improve security posture, simplify audits, and enable faster incident response. Any deviation from the baseline can be detected and investigated, making baselines a cornerstone of secure and well-managed IT environments.

High availability (HA) refers to system designs that ensure continuous operation by minimizing downtime in the event of component failures. Adding a backup firewall that automatically takes over when the primary firewall fails is a classic example of high availability.

HA solutions often use failover mechanisms, heartbeat monitoring, and redundancy to ensure seamless service continuity. The goal is to maintain availability, which is a core pillar of the CIA triad.

Component redundancy describes duplicated parts, but high availability focuses on the operational outcome—continued service. Load balancing distributes traffic, not failover. Clustering involves multiple systems working together, but HA specifically emphasizes fault tolerance and uptime.

High availability is critical for security infrastructure such as firewalls, authentication servers, and monitoring tools. NIST and ISO frameworks stress HA as essential for business continuity, disaster recovery, and resilient security operations.

Role-Based Access Control (RBAC) assigns permissions based on job roles, making it scalable and efficient for large organizations. It simplifies access management and supports least privilege.

Availability is the primary security goal enhanced by a strong business continuity program. Business continuity planning focuses on ensuring that critical systems, services, and operations remain accessible during and after disruptive events such as cyberattacks, natural disasters, or system failures.

Availability is one of the three pillars of the CIA triad and ensures that authorized users can access information and systems when needed. Business continuity strategies include redundancy, failover systems, backups, alternate processing sites, and disaster recovery plans.

While confidentiality and integrity are important, business continuity is primarily concerned with minimizing downtime and maintaining operational resilience. Non-repudiation relates to accountability and is not a continuity objective.

Frameworks such as NIST SP 800-34 and ISO/IEC 22301 emphasize availability as the core outcome of effective business continuity and disaster recovery planning.

Network Access Control (NAC) enforces policies that determine whether devices can connect to a network based on posture, identity, and compliance.

Integrityis the primary factor in system and information reliability. Reliable systems must ensure that data is accurate, complete, and protected from unauthorized modification. If integrity is compromised, decisions based on the data become unreliable—even if systems are available or confidential. NIST and ISO frameworks emphasize integrity as essential to trustworthiness and operational reliability.

A security incident is an event that threatens or violates CIA principles. Not all incidents result in breaches.

The CIA triad provides a foundational framework for understanding and designing security controls.

Data backupsare essential to disaster recovery, enabling restoration of systems and data following failures or disasters.

Aturnstileis a physical access control device designed to allow only one individual to pass at a time. Turnstiles are commonly used to prevent tailgating and unauthorized entry in offices, transit stations, and secure facilities. Unlike mantraps, turnstiles typically allow one-way movement and do not lock a person inside an enclosed space.

The primary goal of arisk assessmentis to identify, estimate, and prioritize risks based on likelihood and impact. This allows organizations to make informed decisions about how to handle risk. Risk avoidance, mitigation, or transfer occurafterthe assessment phase.

A Virtual Local Area Network (VLAN) is a logical segmentation of network devices that allows systems to appear as though they are on the same local network, regardless of their physical location. VLANs operate at the Data Link layer (Layer 2) and use tagging (such as IEEE 802.1Q) to separate broadcast domains logically.

VLANs improve security, performance, and manageability by isolating traffic between different groups of systems. Devices in the same VLAN can communicate as if they were on the same LAN, even if they are physically distributed across different switches or buildings.

LAN refers to a physical local network, VPN provides encrypted tunnels across networks, and WLAN refers to wireless LANs. Only VLANs provide logical grouping independent of geography.

HTTPS uses both asymmetric and symmetric encryption. Asymmetric encryption is used during the TLS handshake to securely exchange keys and authenticate the server. Once the secure session is established, symmetric encryption is used for data transmission because it is faster and more efficient.

This hybrid approach combines the strengths of both encryption types and is fundamental to secure web communication.

Ransomware encrypts victim data and demands payment for decryption. It is one of the most damaging forms of malware and directly impacts availability and business operations.

Confidentiality ensures information is accessible only to authorized individuals.

Physical controls such as fire suppression systems, flood barriers, and seismic bracing protect facilities and equipment from environmental threats.

Input validation ensures user inputs are sanitized and conform to expected formats, preventing injection attacks such as SQL injection and command injection.

Anentitlementrefers to the inherent set of privileges or access rights granted to a user when an account is created. Entitlements define what resources a user can access and what actions they are allowed to perform.

A baseline refers to standard configurations, not user permissions. Aggregation and transitivity relate to access control models but do not describe default assigned privileges.

Managing entitlements is a key function of IAM systems and is critical for enforcing least privilege, access reviews, and compliance. Poor entitlement management often leads to excessive permissions and increased security risk.

Information riskrefers to the potential harm arising from the unauthorized access, disclosure, modification, or destruction of sensitive information. This includes credentials, financial records, intellectual property, and personally identifiable information (PII).

Information risk directly impacts theconfidentiality, integrity, and availability (CIA triad)of data. While such incidents may also lead to reputational damage or compliance violations, the primary category describing the exposure of sensitive data itself is information risk.

NIST SP 800-30 emphasizes information risk as a core component of enterprise risk management, especially in organizations that rely heavily on digital data for operations and decision-making.

The ultimate goal of disaster recovery is torestore business operations and IT services to a stable, reliable statethat supports organizational objectives. Backup and alternate sites are means—not the end goal.

Risk transference is a risk management strategy in which an organization or individual shifts the financial impact of a risk to a third party. Purchasing insurance is a classic example of risk transference. In this scenario, Mark transfers the financial consequences of potential damage to the laptop screen to the insurance provider.

Risk acceptance involves acknowledging a risk and choosing to do nothing. Risk deterrence discourages risky behavior through controls or penalties. Risk mitigation reduces the likelihood or impact of a risk through safeguards such as protective cases or training.

Risk transference does not eliminate the risk itself; the laptop can still be damaged. However, it reduces the financial burden associated with the event. In cybersecurity, common examples include cyber insurance, outsourcing, and service-level agreements (SLAs).

This strategy is widely recognized in risk management frameworks such as NIST SP 800-30 and ISO 31000 as an appropriate option when mitigation is too costly or impractical.

Defense in depth begins by identifying assets, followed by administrative controls (policies), technical controls (logical), and physical controls to protect systems at multiple layers.

Defense in Depth employs administrative, technical, and physical controls across multiple layers to reduce reliance on any single security mechanism. This approach increases resilience and detection capability.

A Virtual Private Network (VPN) creates an encrypted tunnel between a user’s device and a remote network or server. This tunnel protects data confidentiality and integrity by encrypting all traffic passing through it, even when using untrusted networks such as public Wi-Fi.

HTTPS encrypts only web traffic, antivirus detects malware, and IDS monitors for suspicious activity. Only a VPN provides full-tunnel encryption for all network communications. VPNs are commonly implemented using protocols such as IPSec or SSL/TLS and are widely recommended for secure remote access.

Security benchmarks define baseline performance and configuration standards against which systems are measured.

VLAN hopping exploits weaknesses in Layer 2 switching mechanisms such as trunking and tagging.

Identification is the act of claiming an identity (e.g., username). Authentication is the process of verifying that claim (e.g., password, biometrics). Authorization follows authentication.

Segregation of duties ensures no single individual can propose, approve, and implement changes alone, reducing fraud and errors.

Crime Prevention Through Environmental Design (CPTED) uses environmental design principles such as visibility, lighting, access control, and territorial reinforcement to deter criminal activity.

An Incident Response Plan (IRP) outlines roles, responsibilities, and procedures for handling security incidents and minimizing damage.

Risk identification is a collaborative process that enables awareness, communication, and protection against threats.

Logical access controls enforce security through software-based mechanisms such as access control lists, authentication systems, and configuration settings.

A replay attack occurs when an attacker captures valid authentication data—such as login credentials, session tokens, or cryptographic handshakes—and later reuses that data to gain unauthorized access. The attacker does not need to know the actual password; instead, they replay previously captured authentication information.

Replay attacks often exploit systems that lack proper protections such as timestamps, nonces, session expiration, or cryptographic challenge-response mechanisms. These attacks are particularly dangerous in poorly secured authentication protocols or legacy systems.

A man-in-the-middle attack involves intercepting and potentially altering communications in real time, while a replay attack focuses on reusing captured data. Smurf attacks and DDoS attacks target availability, not authentication.

Security controls such as time-based tokens, one-time passwords, mutual authentication, and secure protocols (e.g., TLS) are commonly used to prevent replay attacks. NIST authentication guidelines explicitly recommend replay resistance as a core requirement for secure authentication systems.

Abotis malware that allows attackers to remotely control infected systems, often forming botnets used for DDoS attacks, spam, or credential theft.

Microsegmentationdivides networks into granular zones protected by internal firewalls or policy enforcement points. It limits lateral movement and is a core Zero Trust principle.

Senior management is ultimately responsible for approving, signing, and publishing organizational policies. While departments such as security, HR, and legal may draft, review, or advise on policies, executive leadership provides formal authorization and accountability.

This responsibility aligns with governance principles outlined in frameworks like ISO/IEC 27001 and NIST, which emphasize management commitment to information security. Policies require executive endorsement to ensure they are enforceable, aligned with business objectives, and supported with appropriate resources.

Senior management’s involvement demonstrates organizational commitment, establishes authority, and ensures compliance across all departments. Without leadership approval, policies lack legitimacy and may not be consistently followed.

Security operations rely on clear, management-approved policies to guide procedures, incident response, and compliance activities. Executive sponsorship also enables enforcement and disciplinary actions when policies are violated.

Backups are recovery controls because they restore data and systems after failures, attacks, or disasters.

Data loss affecting availability or integrity is classified as asecurity incident, even if no attacker is involved.

Microsegmentation enables fine-grained, software-defined security controls, limiting lateral movement within networks.

Policies created by leadership to define acceptable behavior and usage areadministrative (management) controls. They guide organizational behavior, define responsibilities, and establish governance expectations.

Technical controls enforce policies, while physical controls protect facilities. This scenario clearly describes governance and oversight, making it an administrative control.

Hashing produces a fixed-length value that uniquely represents data. Any modification to the data changes the hash, allowing integrity verification. Hashing does not provide confidentiality but is critical for detecting tampering.

A Content Delivery Network (CDN) ensures low latency by caching content at geographically distributed edge locations close to end users. When customers access a website, content is served from the nearest CDN node rather than a centralized server.

This significantly reduces round-trip time, network congestion, and load on origin servers. CDNs are especially effective for static content such as images, scripts, and videos, which dominate e-commerce traffic.

Load balancing distributes traffic but does not reduce geographic distance. SaaS is a service model, not a latency solution. Decentralized data centers help but lack the optimized edge caching and routing capabilities of a CDN.

CDNs are a core performance and availability control for global online services and are widely used by large e-commerce platforms to improve customer experience and resilience.

Password Authentication Protocol (PAP) is the least secure option because it transmits credentials in clear text over the network. This makes PAP highly vulnerable to eavesdropping and credential theft.

CHAP improves security by using challenge-response mechanisms. EAP supports strong authentication methods, including certificates and MFA. IPsec provides encrypted and authenticated network communication.

Because PAP lacks encryption and protection mechanisms, it is generally discouraged and considered obsolete. Modern security standards strongly advise against its use in favor of encrypted authentication protocols.

A ping flood attack exploits the Internet Control Message Protocol (ICMP), which operates atOSI Layer 3 (Network Layer). The attacker overwhelms a target system by sending a large volume of ICMP Echo Request (ping) packets, consuming bandwidth and processing resources.

Because ICMP is used for network diagnostics and error reporting, excessive ICMP traffic can prevent legitimate network communication, leading to a denial-of-service condition. Since IP and ICMP are Layer 3 protocols, ping flood attacks directly impact the network layer.

Two-Person Integrityensures no single individual can complete a sensitive action alone, reducing fraud and insider threats.

System security configuration management focuses on ensuring that systems are securely configured, consistently maintained, and properly tracked throughout their lifecycle. Core elements includebaselines,updates, andinventory. Baselines define the approved secure configuration for systems. Updates (such as patches and configuration changes) ensure systems remain secure over time. Inventory tracks hardware and software assets so organizations know what must be configured and maintained.

Audit logs, while extremely important for security monitoring, incident response, and compliance, arenot a core element of configuration management. Instead, audit logs fall under security operations, monitoring, and logging controls. Configuration management is concerned with how systems are built and maintained, not with recording activity after deployment.

Frameworks such as NIST SP 800-128 clearly distinguish configuration management from logging and auditing, even though both contribute to overall system security.

The ISC2 Code of Ethics prioritizesprotecting society and the public, including users, over employer interests.

Subnetting divides a large network into smaller, logical segments called subnets. One of the primary benefits of subnetting isreducing network congestion. In a flat network, broadcast traffic is sent to all devices, which can significantly degrade performance as the network grows. By creating subnets, broadcast domains are limited, ensuring that broadcast traffic stays within a specific segment instead of flooding the entire network.

While subnetting can indirectly improve security and management, its most direct and measurable benefit is performance improvement through reduced broadcast traffic. Smaller subnets result in fewer devices competing for bandwidth, which enhances efficiency and reliability.

Subnetting also supports scalability and fault isolation. Network issues in one subnet are less likely to impact others. This concept is foundational in enterprise networks and is heavily emphasized in network design standards and certifications such as Security+, CCNA, and CISSP.

Incident management is often referred to as crisis management because it focuses on managing disruptive events that threaten operations.

Spoofing involves falsifying identity information such as IP or MAC addresses to bypass security controls.

Corrective controls are designed torestore systems to normal operation after a security incident or attack has occurred. Examples include restoring data from backups, reimaging compromised systems, applying patches, and resetting credentials.

Detective controls identify incidents, preventive controls stop incidents, and corrective controls fix the damage. While recovery controls are sometimes mentioned informally, most security frameworks (including NIST) classify restoration activities under corrective controls.

Corrective controls are critical for minimizing downtime and ensuring business resilience following an incident.

White-box testing involves examining an application’s internal structure, including source code, logic paths, and configurations, to identify vulnerabilities and security weaknesses. Testers have full knowledge of the system and can analyze how data flows and how controls are implemented.

This testing approach is effective for identifying issues such as insecure coding practices, logic flaws, and hard-coded credentials. Black-box testing does not involve source code access, functional testing validates behavior, and user acceptance testing focuses on business requirements.

White-box testing is commonly used in secure code reviews, static application security testing (SAST), and DevSecOps pipelines. Security standards strongly recommend white-box techniques for early vulnerability detection.

SSH key-based authentication is ideal for automated system-to-system communication. It allows secure, passwordless authentication using cryptographic key pairs.

Biometrics and smart cards require human interaction, and hard-coded passwords are insecure and difficult to rotate. SSH keys provide strong authentication, automation support, and secure key management.

This approach is widely recommended for scripts, automation, and DevOps pipelines.

SSH uses TCP port 22 by default and provides encrypted remote administration. Telnet (23) and FTP (21) are insecure alternatives.

Mandatory Access Control (MAC) usesdata classification (sensitivity)anduser clearances, which are often tied to job roles. Access decisions are centrally enforced and cannot be changed by users or data owners.

Non-repudiation requires strong identity verification, message integrity, and tamper resistance, typically implemented using digital signatures and PKI.

Load balancing distributes incoming traffic across multiple servers or resources to improve performance, scalability, and availability. It prevents overload of a single system and supports high availability architectures.

ISC2’s Code of Ethics requires candidates to report violations through proper channels to preserve exam integrity.

A Red Book is ahard-copy version of critical business continuity and emergency procedures. It is essential when disasters such as hurricanes, earthquakes, or cyberattacks disable power, networks, or electronic backups. In such scenarios, electronic access may be impossible, making physical documentation vital.

Threat actors include insiders, external attackers, and automated technologies such as bots. Modern threat landscapes recognize non-human actors as valid threats due to automation and AI-driven attacks.

Risk management aims to reduce risks to acceptable levels, not eliminate them entirely. This involves identifying risks, assessing impact and likelihood, and selecting appropriate controls.

Port forwarding is commonly referred to by all these terms depending on context and implementation.

Cross-site scripting (XSS) attacks exploitinput validation vulnerabilitiesin web applications. These vulnerabilities occur when an application fails to properly validate, sanitize, or encode user-supplied input before including it in web pages. As a result, attackers can inject malicious scripts that are executed in the browsers of other users.

XSS attacks commonly occur through form fields, URL parameters, cookies, or HTTP headers. Once executed, malicious scripts can steal session cookies, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim.

ARP spoofing and DNS poisoning target network-level trust relationships, not application input validation. Pharming redirects users to fake websites by manipulating DNS or host files, again unrelated to input validation.

Preventing XSS relies heavily on strong input validation, output encoding, content security policies (CSP), and secure coding practices. OWASP and NIST explicitly identify XSS as a validation-related vulnerability and emphasize defensive coding as the primary mitigation.

Two-factor authentication (2FA) requires users to verify their identity usingtwo independent authentication factorsfrom different categories, such as something you know and something you have.

The purpose of 2FA is to strengthen authentication security and reduce the risk of unauthorized access. Even if one factor is compromised, the attacker cannot authenticate without the second factor.

2FA is a subset of multi-factor authentication and is strongly recommended by modern security standards, particularly for remote access, cloud services, and privileged accounts.

Encryption ensures confidentiality by rendering data unreadable to unauthorized users, whether at rest or in transit.

Secure Shell (SSH) is the secure alternative to Telnet. Telnet transmits data, including credentials, in clear text, making it vulnerable to interception. SSH encrypts all communications, providing confidentiality, integrity, and authentication.

HTTPS secures web traffic, SFTP is used for file transfer, and LDAPS secures directory services—not remote terminal access. SSH is the industry-standard replacement for Telnet.

Token-based authentication relies on encrypted, machine-generated tokens to verify a user’s identity. After successful authentication, the system issues a token (often a JSON Web Token or OAuth token) that represents the user’s session or authorization claims. This token is then presented with each request instead of repeatedly transmitting credentials.

Unlike basic or form-based authentication, token-based methods reduce exposure of usernames and passwords, improve scalability, and support modern distributed architectures such as APIs, cloud services, and mobile applications. Tokens can also include expiration times and scopes, improving security control.

Guidelines arenon-mandatoryrecommendations that provide best practices and flexibility. Policies, procedures, and regulations are mandatory and enforceable.

Guidelines allow organizations to adapt security practices based on context without strict enforcement, as defined in ISO/IEC 27001 and governance frameworks.

Athreat vectoris the path or method used by a threat actor to exploit vulnerabilities, such as phishing, malware, or network attacks.

Policies are high-level statements of management intent and direction. Standards and procedures derive from policies.

Ransomware affects victims’ files primarily byencryptingthem, rendering the data inaccessible without a decryption key. Attackers then demand a ransom in exchange for restoring access.

While modern ransomware may also steal data, encryption is the defining characteristic of ransomware attacks. Destroying or selling files is not the primary mechanism.

Strong backups, access controls, and endpoint protection are key defenses against ransomware, as emphasized by NIST and CIS.

GRC (Governance, Risk, and Compliance) integrates business objectives with risk management and regulatory compliance.

Asecurity breachrefers to an incident where an unauthorized individual successfully gains access to a system, application, network, or data resource. Unlike a general security event, a breach confirms that confidentiality, integrity, or availability has been compromised. According to NIST SP 800-61, a breach occurs when security controls fail and protected information is accessed, disclosed, altered, or destroyed without authorization.

Not every event or intrusion results in a breach. For example, a blocked attack detected by an IDS is an event, not a breach. A breach has legal, regulatory, and business implications, often triggering notification requirements, forensic investigations, and remediation actions.

An IPS monitors traffic, detects malicious activity, and actively blocks attacks. Encryption is handled by protocols such as TLS or IPSec, not IPS devices.

The primary goal of incident management is toreduce the impact of an incidenton the organization. Incident management focuses on minimizing damage, limiting scope, and restoring stability as quickly as possible.

Preparation is handled before incidents occur, and disaster recovery focuses on long-term system restoration. Protecting life and safety is important but not the core definition of incident management in cybersecurity frameworks.

NIST SP 800-61 emphasizes rapid containment, mitigation, and impact reduction as the central objectives of incident management.

Well-known ports (0–1023) are reserved for core services such as HTTP (80), HTTPS (443), FTP (21), and SSH (22).

Separation of duties prevents fraud by ensuring no single individual can complete critical actions alone, enabling detection through checks and balances.

This scenario describes areplay attack, in which an attacker captures valid authentication data and reuses it later to gain unauthorized access. Juli is passively monitoring network traffic, capturing credentials as they are transmitted, and planning to reuse them in a future attack.

Replay attacks often occur when authentication mechanisms do not use protections such as encryption, nonces, timestamps, or session tokens. If credentials are transmitted in clear text or without replay protection, attackers can intercept and reuse them without needing to crack passwords.

Brute-force and dictionary attacks involve guessing credentials, not capturing them. Social engineering relies on human manipulation rather than technical interception.

Replay attacks highlight the importance of secure protocols such as TLS, encrypted authentication exchanges, challenge-response mechanisms, and one-time passwords. NIST authentication guidance explicitly identifies replay resistance as a critical requirement for secure authentication systems.

Standards define mandatory technical or operational requirements that must be followed to comply with policy. Guidelines are optional, and procedures provide step-by-step instructions.

VLANslogically separate networks at Layer 2 while sharing the same physical infrastructure.

Common IRT models includededicated,leveraged, andhybridteams. In these models, response capabilities exist within the organization. While organizations mayusethird-party assistance, a fullyoutsourcedIRT is generally not considered a core internal IRT model because incident response requires immediate organizational authority, access, and accountability.

A session key is a temporary cryptographic key used to encrypt communication between two systems for a single session. Session keys are typically symmetric keys generated during secure key exchange processes such as TLS handshakes.

They provide confidentiality and efficiency because symmetric encryption is much faster than asymmetric encryption. Once the session ends, the key is discarded, limiting exposure even if the key is later compromised.

Public keys are used for key exchange and authentication, not bulk data encryption. “Temporary key” and “section key” are not standard cryptographic terms.

Session keys are fundamental to secure network communications and are recommended by all modern cryptographic standards due to their performance and security benefits.

Emergency exit doors are a critical physical control designed to ensure safe and rapid evacuation during emergencies such as fires or earthquakes. These doors are typically clearly marked, unobstructed, and may include panic bars to allow easy exit without special knowledge or tools.

Fire alarms alert occupants, exit signs provide direction, and emergency lighting improves visibility, but none of these physically enable evacuation. Exit doors directly support life safety by allowing people to leave the building quickly and safely. Life safety is the highest priority in physical security design, and exit doors are mandatory under building and fire safety codes.

255.255.255.0is a commonly usedsubnet mask, indicating that the first 24 bits represent the network portion of an IPv4 address. Subnet masks define how IP addresses are divided into network and host portions, enabling efficient routing and segmentation.

A security assessment evaluates the effectiveness of security controls and verifies whether they meet security requirements. It differs from risk assessments, which focus on identifying threats and vulnerabilities.

ABAC uses centralized policy engines (PDPs) to evaluate attributes and enforce fine-grained access control decisions dynamically.

A disaster recovery team typically includes executive leadership, IT personnel, legal representatives, and public relations staff. These roles are critical for decision-making, technical recovery, and external communication.

A billing clerk is unlikely to be part of the disaster recovery team because the role does not typically contribute to recovery strategy, system restoration, or crisis communication.

An Intrusion Detection System (IDS) consists of three fundamental functional components: information sources, analysis engines, and response mechanisms. Information sources collect data such as network packets, logs, or system events. Analysis engines evaluate this data to detect suspicious behavior. Response components generate alerts or notifications.

While IDS systems typically do not block traffic (unlike IPS), they still perform response actions such as logging, alerting, and triggering workflows.

All three components work together to detect and report security incidents. This architecture is well documented in NIST intrusion detection guidance and forms the basis of both host-based and network-based IDS solutions.

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to ensure authenticity and integrity. It prevents attacks such as DNS spoofing and cache poisoning.

DNSSEC allows clients to verify that DNS responses have not been altered. It is the industry-standard solution recommended by security frameworks for protecting DNS infrastructure.

Antivirus softwareis apreventive security controldesigned to stop known malware threats before they can execute or spread within a system. Antivirus solutions use signature-based detection, heuristic analysis, and increasingly behavior-based techniques to block malicious code such as viruses, worms, trojans, and ransomware.

In contrast,IDS (Intrusion Detection Systems)andHIDS (Host-based IDS)are primarilydetective controls. They monitor systems and networks for suspicious activity but do not inherently block threats.SIEMplatforms aggregate and analyze logs for visibility and correlation; they support detection and response but do not directly prevent threats.

According to NIST SP 800-53, preventive controls are designed to stop incidents from occurring, while detective controls identify events after or during occurrence. Therefore, antivirus is the correct choice as it directly prevents threats.

The loopback address allows a system to test its own network stack.127.0.0.1is the IPv4 loopback address, while::1is its IPv6 equivalent. Both route traffic internally without leaving the host.

GDPR directly addresses privacy, while FIPS and MOUs can also relate to privacy controls and data handling requirements.

A guard dog deters unauthorized access by increasing perceived risk. Deterrent controls discourage attacks before they occur.

Hashing is the best control for detecting unauthorized changes to source code. By generating cryptographic hash values for approved versions of files, any modification—intentional or accidental—will result in a different hash, immediately indicating tampering.

Backups help recover data but do not prevent or detect unauthorized changes. File labels provide classification but do not ensure integrity. Security audits review compliance but do not continuously detect changes.

Hashing supports integrity assurance, which is a core security objective. Tools such as file integrity monitoring (FIM) systems rely on hashing to alert administrators when files are altered unexpectedly.

NIST and CIS controls emphasize hashing and integrity monitoring as essential for protecting code repositories, system files, and critical configurations, especially in DevOps and CI/CD environments.

Role-Based Access Control (RBAC) enforces least privilege by assigning permissions based on job roles rather than individuals. Users receive only the permissions necessary for their role, reducing excess access.

RBAC is widely used in enterprises, cloud platforms, and operating systems due to its scalability and manageability.

The principle of least privilege states that users, systems, and processes should be granted only the minimum permissions required to perform their assigned tasks—nothing more. This principle reduces the attack surface and limits potential damage from compromised accounts or insider threats.

If an attacker gains access to a low-privilege account, the impact is significantly reduced compared to a highly privileged account. Least privilege also helps prevent accidental misuse of system resources.

Two-person control requires two individuals to approve an action. Job rotation reduces fraud by changing responsibilities. Separation of privileges ensures critical tasks require multiple permissions. While all are valid security concepts, least privilege directly addresses permission minimization.

This principle is foundational in access control models, identity and access management (IAM), and zero trust architectures. NIST and CIS explicitly recommend least privilege as a core security control for protecting systems and sensitive data.

A Smurf attack amplifies ICMP traffic to overwhelm targets.

Clear roles ensure fast, coordinated response, reduce confusion, and prevent duplicated or missed actions during incidents.

Recovery controls restore systems and data after an incident. Examples include backups, failover systems, and disaster recovery procedures.

During the detection and analysis phase, incidents are identified, triaged, categorized, and prioritized based on impact and urgency. This ensures resources are allocated appropriately.

Distributed Denial-of-Service (DDoS) attacks overwhelm targets with traffic from multiple sources, disrupting availability.

Likelihood represents the probability that a threat will successfully exploit a vulnerability and is a core component of risk calculation.

Dumpster diving is a physical social engineering attack in which an attacker searches trash bins to recover sensitive information such as passwords, financial records, network diagrams, or personal data. Because the attack targets discarded physical materials, technical controls such as anti-malware software or data loss prevention tools are ineffective in preventing it.

Shredding is the most effective defense because it physically destroys sensitive documents before disposal, making the information unreadable and unusable. Security best practices recommend cross-cut or micro-cut shredders for documents containing confidential or regulated data. This control directly addresses the attack vector and eliminates the risk at its source.

A clean desk policy reduces exposure during business hours but does not address improper disposal. DLP tools focus on electronic data movement, not physical waste. Therefore, shredding is considered a critical administrative and physical security control for preventing information leakage via dumpster diving, as emphasized in NIST SP 800-53 and ISO/IEC 27001 physical security guidelines.

Abreachoccurs when sensitive or protected information is accessed, disclosed, or used without authorization—regardless of intent. Even accidental disclosures, such as sending confidential data to the wrong recipient, qualify as breaches because confidentiality has been compromised.

Personally Identifiable Information (PII) refers to any data that can be used to identify a specific individual, either directly or indirectly. Examples include full name, Social Security number, date of birth, address, email address, phone number, and biometric identifiers.

PII is regulated by numerous laws and standards, including privacy regulations and data protection frameworks. Protecting PII is critical to prevent identity theft, fraud, and privacy violations.

Health information is a subset of sensitive data (often classified as PHI). Trade secrets and business data fall under intellectual property. Information classification levels describe value, not identity.

Security controls for PII typically include encryption, access control, monitoring, and data loss prevention mechanisms.

When restoring operations after a disaster,most critical systemsmust be restored first. Systems enable business functions, and without them, functions cannot operate.

Disaster recovery focuses on restoring IT infrastructure in priority order based on business impact analysis (BIA). While functions are important, they depend on systems to operate. Management and least critical functions are lower priorities.

NIST and ISO/IEC business continuity standards emphasize restoring mission-critical systems first to minimize downtime and financial loss.

An Advanced Persistent Threat (APT) involves stealthy, long-term access to systems for espionage, data theft, or sabotage.

Simulations provide realistic testing by executing scenarios that closely mirror real disruptions, revealing gaps and readiness levels better than discussions or reviews.

The three core structural components of an SQL database aretables,views, andschemas. Tables store the actual data in rows and columns. Views are virtual tables created from queries that present data in a specific way without duplicating it. Schemas act as logical containers that organize database objects and define ownership and access control.

Object-oriented interfaces are not a fundamental component of an SQL database. While modern databases may support object-relational features or APIs that allow object-oriented programming languages to interact with the database, these interfaces exist outside the core database structure.

SQL databases are based on the relational model, not the object-oriented model. Even though object-relational mapping (ORM) tools exist, they are middleware components rather than native database structures.

Understanding core database components is important for security professionals when managing access controls, permissions, and data exposure risks.

Criticality reflects how essential an asset or system is to business success or mission accomplishment. It is commonly determined during a Business Impact Analysis (BIA) and influences recovery priorities.

Network segmentation isolates systems and resources into separate security zones to limit lateral movement by attackers. By segmenting networks, organizations protect critical assets and reduce the impact of breaches.

If one segment is compromised, segmentation prevents attackers from easily accessing other systems. This approach supports defense-in-depth and zero trust architectures.

Network segmentation is implemented using VLANs, firewalls, and access controls and is a foundational security practice recommended by NIST and CIS.

DRP focuses on restoring IT infrastructure, applications, and communications to operational status.

The Internet Engineering Task Force (IETF) develops and maintains Internet standards through RFCs.

A router is a network device specifically designed to connect multiple networks and route traffic between them. Routers operate primarily at Layer 3 (the Network Layer) of the OSI model and use IP addresses to determine the best path for data packets.

Routers are commonly used to connect local area networks (LANs) to wide area networks (WANs), such as connecting an internal corporate network to the internet. They also play a role in enforcing network security by supporting access control lists (ACLs), network address translation (NAT), and routing policies.

Switches, while important, typically connect devices within the same network and operate at Layer 2. Servers and endpoints are hosts, not networking devices. Without routers, communication between separate networks would not be possible, severely limiting scalability and connectivity.

From a security perspective, routers help segment networks, reduce broadcast traffic, and control data flow, making them essential components in both performance and security architectures.

Security policies are high-level, mandatory statements approved by management that define security objectives, principles, and rules. Procedures and standards support policies but do not establish overarching intent.

DDoS attacks can target bothLayer 3 (Network)andLayer 4 (Transport)by overwhelming IP routing, ICMP traffic, TCP SYN floods, or UDP floods. Hence, both layers are impacted.

A zero-day vulnerability is unknown to the vendor and security community and has no available patch. Because defenders have “zero days” to fix it, zero-day vulnerabilities are highly dangerous.