ISC2 CISSP — Certified Information Systems Security Professional · Difficulty

Hard CISSP practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 15 hard questions available — no sign-up, always free.

Question 1 of 15

A retail chain offers free customer Wi-Fi using an open (unencrypted) SSID for convenience. Security notices that attackers are setting up rogue access points broadcasting the same SSID with stronger signal to lure customers into connecting, then intercepting their traffic and harvesting credentials from login portals. The business insists the guest network must remain frictionless with no pre-shared key or 802.1X. Which control BEST reduces the risk of these evil twin attacks while preserving open access?

Reviewed for accuracy · Report an issue
Question 2 of 15

A retailer's e-commerce platform experiences credential-stuffing attacks. Currently, each successful breach costs an average of $50,000, and the company suffers about 6 successful breaches per year. A proposed multi-factor authentication and bot-mitigation solution costs $120,000 annually and is expected to reduce the frequency of successful breaches to 1 per year. Based purely on a quantitative cost-benefit analysis, what should the risk manager recommend?

Reviewed for accuracy · Report an issue
Question 3 of 15

A security team at a defense contractor discovers that executives traveling internationally are being targeted by rogue base stations that force their smartphones to downgrade from 5G/LTE to 2G, enabling interception of voice and SMS traffic. Which control most directly mitigates this IMSI-catcher (Stingray) attack technique?

Reviewed for accuracy · Report an issue
Question 4 of 15

A financial analytics firm encrypts customer records at rest using AES-256 and secures all transfers with TLS 1.3. During a security review, an auditor notes that sensitive data is decrypted into system memory and processed in plaintext while running complex analytics workloads on shared virtualization hosts. Which technology BEST addresses the protection gap the auditor has identified?

Reviewed for accuracy · Report an issue
Question 5 of 15

A defense contractor's data warehouse allows analysts to run aggregate queries (counts, averages) over classified personnel records. A security review discovers that by combining several narrowly-scoped aggregate queries, an analyst can deduce the identity and clearance status of a specific individual—information they are not authorized to see directly. Which database security control BEST addresses this specific weakness?

Reviewed for accuracy · Report an issue
Question 6 of 15

A security architect discovers that several endpoints on the corporate network are using DNS over HTTPS (DoH) configured directly in their browsers, bypassing the organization's internal DNS resolvers. The security team relies on those resolvers to log queries, block known malicious domains, and detect DNS-based command-and-control traffic. Which consequence represents the MOST significant security concern the architect should address?

Reviewed for accuracy · Report an issue
Question 7 of 15

During an active intrusion, an analyst discovers that a compromised server is actively exfiltrating data to an external IP. Legal has stated they intend to pursue prosecution and require forensically sound evidence. Management is pressuring the team to stop the data loss immediately. What is the BEST containment action for the analyst to take?

Reviewed for accuracy · Report an issue
Question 8 of 15

A network engineer is configuring a site-to-site IPsec VPN between two corporate data centers using IKEv1 with pre-shared key authentication. Both gateways have static, well-known public IP addresses. During a security review, an auditor flags that the tunnel is configured to use IKE Aggressive Mode. What is the primary security concern the auditor is raising, and what is the appropriate remediation?

Reviewed for accuracy · Report an issue
Question 9 of 15

A CISSP-certified security consultant discovers that a client's flagship product contains a serious vulnerability that could expose customer financial data. The client's executive team instructs the consultant to keep the finding confidential to protect the company's reputation and stock price, and reminds the consultant of the signed nondisclosure agreement. Following the ISC2 Code of Ethics, how should the consultant prioritize their obligations when deciding what to do?

Reviewed for accuracy · Report an issue
Question 10 of 15

A financial services company still uses a legacy application that encrypts transaction records with Double DES (2DES), applying DES twice with two independent 56-bit keys, giving what management believes is 112 bits of effective security. A security architect reviewing the design warns that the actual effective key strength is far less than assumed. Which cryptanalytic attack is the architect most concerned about, and what is the resulting effective security?

Reviewed for accuracy · Report an issue
Question 11 of 15

A large hospital uses RBAC to control access to its electronic health record system. Over five years, administrators have created more than 4,000 distinct roles to accommodate combinations of department, shift, location, and patient-assignment rules. Auditors now report that no one can determine which role grants which effective permissions, and provisioning new staff requires manual role selection that frequently over-grants access. Which approach BEST addresses the underlying 'role explosion' problem while preserving fine-grained control?

Reviewed for accuracy · Report an issue
Question 12 of 15

A security manager compiles quarterly vulnerability scan results to present to leadership. Over the past year the raw count of open critical vulnerabilities has risen from 40 to 65, but during the same period the organization deployed 300 new servers as part of a cloud migration. Leadership wants to understand whether the security posture is actually deteriorating. What should the manager do to produce the most meaningful analysis of the test output?

Reviewed for accuracy · Report an issue
Question 13 of 15

A financial services firm signs a contract with a SaaS vendor that processes sensitive customer data. During the security review, the firm's third-party risk manager discovers the SaaS vendor outsources its data hosting and backup operations to a separate cloud subcontractor located in another country. The firm's own regulators hold the firm accountable for protecting customer data end-to-end. What is the MOST effective action to address this supply-chain risk before signing?

Reviewed for accuracy · Report an issue
Question 14 of 15

A security engineer reviews the TLS configuration of a customer-facing web application. The scan reports that the server still negotiates TLS 1.0 and accepts cipher suites using CBC-mode with RC4 fallback. Penetration testers demonstrate a man-in-the-middle attack that forces the client and server to negotiate the weakest mutually supported protocol version. Which configuration change most directly mitigates this specific downgrade attack while preserving interoperability with modern clients?

Reviewed for accuracy · Report an issue
Question 15 of 15

A network engineer reviews switch configurations after a penetration test report indicates an attacker on an access port was able to inject frames that reached devices on a different VLAN without crossing a router. The report notes the attacker crafted frames containing two stacked 802.1Q tags. Which switch configuration weakness most directly enabled this attack, and what should be corrected?

Reviewed for accuracy · Report an issue