Medium CC practice questions
Applied — put a concept to work in a realistic situation. 117 medium questions available — no sign-up, always free.
A small marketing firm identifies a risk that an internal wiki server could briefly go offline during rare regional power flickers. After analysis, the team determines the likelihood is low, the impact is minimal (a few minutes of downtime for a non-critical tool), and the cost of adding a backup power supply far exceeds any potential loss. Management decides to take no further action and simply live with the possibility. Which risk treatment approach does this decision represent?
A system administrator built all company web servers from a documented secure baseline last year. During a recent review, several servers were found running services and settings that no longer match that baseline, even though no approved changes were recorded. What is the BEST way to describe and address this situation?
An attacker on the same office LAN sends forged replies mapping the default gateway's IP address to the attacker's own MAC address. Nearby workstations update their local tables and begin sending their internet-bound traffic to the attacker's machine instead of the router. Which technique is being used, and at which OSI layer does it operate?
Two companies that have never exchanged keys before want to begin sending encrypted messages to each other over the internet. They need a way for each party to share a value that lets the other encrypt data without ever transmitting a secret key that an eavesdropper could capture. Which type of cryptography is designed to solve this problem?
A user connects to their bank's website over public Wi-Fi at a coffee shop. An attacker on the same network positions their device so that all traffic between the user and the bank router passes through the attacker's machine, allowing them to silently read and relay the communication in real time. Which type of attack is being described?
A financial services firm performs nightly backups of its transaction database. During a quarterly review, the security team runs a restore of a backup to a test environment and compares checksums of the restored records against the originals to confirm that no data was altered or corrupted since the backup was taken. Which element of the CIA triad is this activity primarily designed to protect?
A regional flood forces a retail company to close its main office for several days. Before the disruption, the company had documented alternate work locations, prioritized which business functions must keep running, and identified backup suppliers so it could continue serving customers throughout the outage. Which type of plan primarily provides this capability to keep essential operations running during the disruption?
A company created a business continuity plan two years ago. Since then, it has moved several critical applications to a new cloud provider, hired a new operations manager, and changed office locations. During a recent power outage, staff discovered the emergency contact list was outdated and several documented recovery steps referenced systems that no longer exist. What key practice did the organization most likely fail to perform?
A regional bank is finalizing its business continuity plan (BCP). During a review, a manager notices the plan lists critical processes, recovery priorities, and required resources, but no one is sure how staff, executives, and vendors will be reached and coordinated if the primary office phone and email systems are unavailable during a disruption. Which component should be added to address this gap?
During the early stages of building a business continuity program, a company's continuity coordinator is trying to determine, for each business process, the longest period the process can be unavailable before the organization suffers unacceptable or irreversible harm. Which business impact analysis output is the coordinator identifying?
A mid-sized logistics company is beginning to develop its business continuity program. The continuity coordinator wants to know which business functions must be restored first after a disruption and how much downtime each function can tolerate before the company suffers unacceptable losses. Which activity should the coordinator perform to obtain this information?
A company installs a fingerprint scanner at the entrance to its data center. Employees must scan their finger before the physical door will unlock, preventing unauthorized people from walking into the room. When classifying this safeguard by control type, how should the fingerprint scanner best be categorized?
A critical vulnerability is being actively exploited, and the security team must deploy an emergency patch to production servers outside the normal maintenance window. According to sound change management practice, what should the team do to remain compliant while acting quickly?
A company's security team notices that sensitive printed documents are frequently left on desks overnight, and unlocked workstations often display confidential information. Which best-practice security policy should the team implement to directly address both issues?
A software team deploys their application on a Platform as a Service (PaaS) offering. The cloud provider manages the operating system, runtime, and underlying infrastructure. During a security review, the team asks which security task remains their responsibility under the shared responsibility model. Which task is the customer responsible for?
A company migrates its application servers to a public cloud provider using an Infrastructure as a Service (IaaS) model. During a security review, the team debates who is responsible for applying operating system security patches on those virtual machines. According to the shared responsibility model, who is responsible?
A data center entrance requires each employee to swipe an access badge and then enter a personal PIN on a keypad before the door unlocks. From an authentication perspective, what does this configuration provide?
A security analyst maintains a documented list of all approved hardware and software assets connected to the corporate network. During a routine review, the analyst compares a network scan against this list and discovers three devices that are not recorded anywhere. Which configuration management practice made this discovery possible?
At a small marketing firm, employees store project files on a shared server. When Maria creates a document, she alone decides which coworkers can read or edit it, and she can grant or revoke that access at any time through the file's permission settings. Which access control model does this arrangement best illustrate?
At a design firm, each project lead can decide who may open, edit, or share the files they create in a shared collaboration platform. There are no organization-wide classification labels; access is entirely at the file creator's discretion. Which access control model is in use?
A company is rolling out a new data governance program. Before staff can determine which storage, encryption, and sharing rules apply to a given file, what must first be assigned to that data?
A company stores customer records in a cloud provider's encrypted storage service. When a contract ends, the company must ensure the data is unrecoverable, but it has no physical access to the provider's drives, which are shared with other tenants. Which secure destruction method is most appropriate in this situation?
A company recently completed classifying all of its data into categories such as Public, Internal, and Confidential. A security analyst notices that employees still routinely email Confidential files without encryption because they cannot tell which files are sensitive. Which action would MOST directly address this problem?
A junior database administrator is assigned to run weekly backup jobs on the company's customer database. When IT provisions the account, they grant it full administrative rights to the entire database server, including the ability to modify schemas, delete tables, and manage other user accounts. Which security principle has been violated?
A company is retiring a batch of solid-state drives (SSDs) that stored confidential customer data. A technician plans to run a strong magnetic degausser over the drives to ensure the data cannot be recovered before disposal. Why is this approach flawed for these devices?