ISC2 CISSP — Certified Information Systems Security Professional · Difficulty

Medium CISSP practice questions

Applied — put a concept to work in a realistic situation. 114 medium questions available — no sign-up, always free.

Question 1 of 25

A hospital's wireless network keeps dropping clinical tablets from its access points. Analysis of captured traffic shows a steady stream of spoofed 802.11 deauthentication frames sourced from the legitimate AP's BSSID, forcing clients to disconnect repeatedly. The security team wants a standards-based control that prevents attackers from forging these management frames. Which measure most directly addresses this attack?

Reviewed for accuracy · Report an issue
Question 2 of 25

A hospital's network team discovers that unauthorized laptops are being plugged into wall jacks in patient waiting areas and gaining access to the internal LAN. The team wants a solution that authenticates each device at the moment it connects to a switch port, before granting any network access, and can dynamically assign the device to an appropriate VLAN based on identity. Which control BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 3 of 25

A global engineering firm needs an access control model for a new document repository. Access decisions must consider a combination of the user's department, project assignment, the sensitivity label of the document, the time of day, and whether the connection originates from a managed device on the corporate network. Requirements change frequently, and administrators want to express rules using these attributes without creating a new role for every combination. Which access control model BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A financial services firm has employees who frequently transfer between departments. An internal audit reveals that many long-tenured staff retain access permissions from previous roles they no longer need, even though their accounts are active and legitimately used. Which identity lifecycle control most directly addresses this specific finding?

Reviewed for accuracy · Report an issue
Question 5 of 25

During a security audit of a financial services firm, the auditor finds that three database administrators all log into production systems using a single shared 'dbadmin' account whose password is stored in a team password vault. Management insists this is efficient and that the vault logs who checked out the credential. Which principle of identity and access management is most fundamentally violated by this arrangement?

Reviewed for accuracy · Report an issue
Question 6 of 25

A financial services firm is purchasing a specialized loan-origination application from a small vendor. Because the software will process sensitive customer data and become business-critical, the security team wants assurance that the firm can maintain and remediate the code if the vendor goes out of business or fails to patch discovered vulnerabilities. Which contractual provision BEST addresses this specific concern?

Reviewed for accuracy · Report an issue
Question 7 of 25

A financial services firm is performing a quantitative risk assessment on its data center. Historical records and industry data show that a major power outage affecting the facility has occurred roughly twice over the past ten years, and each event causes losses estimated at $150,000. The single loss expectancy (SLE) is already documented at $150,000. Which value should the risk analyst use for the annualized rate of occurrence (ARO) when calculating the annualized loss expectancy (ALE)?

Reviewed for accuracy · Report an issue
Question 8 of 25

A security tester reviewing a company's REST API discovers that changing the numeric account ID in the URL path /api/v1/accounts/1042/statements to /api/v1/accounts/1043/statements returns another customer's statements. The request carried a valid, authenticated bearer token belonging to the tester. Which underlying flaw most accurately describes this finding, and what is the correct remediation?

Reviewed for accuracy · Report an issue
Question 9 of 25

A public-facing REST API exposes a customer-lookup endpoint that requires authentication. Security monitoring reveals that a small number of valid API keys are issuing thousands of sequential requests per minute, systematically enumerating account identifiers. Authorization checks are correctly enforced, and no single request is malformed. Which control would MOST directly mitigate this abuse while allowing legitimate clients to continue operating?

Reviewed for accuracy · Report an issue
Question 10 of 25

A security analyst investigating intermittent session hijacking on a corporate LAN discovers that a rogue host is answering ARP requests for the default gateway's IP address, causing traffic destined for the gateway to be redirected through the attacker's machine. Which switch-based control would most effectively prevent this attack on the access layer?

Reviewed for accuracy · Report an issue
Question 11 of 25

A software company must digitally sign its release binaries so that customers can verify both the authenticity and integrity of downloads, and so the company cannot later deny having produced a given release. Which key should be used to create the signature, and what property does this primarily provide?

Reviewed for accuracy · Report an issue
Question 12 of 25

A security analyst is establishing a recurring log review process for a financial application. Management wants the review to reliably surface privileged-account misuse without generating overwhelming volumes of raw event data for humans to read manually. Which approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 13 of 25

A SaaS provider's enterprise customers increasingly demand independent assurance that the provider's controls over customer data are designed and operating effectively over a period of time. The provider's internal audit team already performs quarterly control reviews, but customers state that internal reports are insufficient for their own vendor risk programs. Which assessment approach BEST satisfies the customers' requirement?

Reviewed for accuracy · Report an issue
Question 14 of 25

An e-commerce company earns nearly all its revenue during a two-week holiday sales window. During last year's window, a volumetric distributed denial-of-service (DDoS) attack made the storefront unreachable for several hours, causing significant lost sales. The CISO wants to prioritize a control that most directly addresses the property of the CIA triad that failed in this incident. Which control should the CISO prioritize?

Reviewed for accuracy · Report an issue
Question 15 of 25

A security architect adopts a vendor-published security baseline for the organization's Windows servers. During implementation, she discovers that 12 legacy application servers cannot support one of the baseline's mandatory controls (a modern TLS cipher configuration) because doing so would break a critical business application that the vendor no longer updates. Management insists the application must remain operational. What is the MOST appropriate action for the architect to take regarding the baseline?

Reviewed for accuracy · Report an issue
Question 16 of 25

A defense contractor deploys a multilevel security system enforcing the Bell-LaPadula model. An analyst holding a Secret clearance is logged in at the Secret level and attempts to save a newly authored file classified as Confidential into a Confidential-level repository. According to the model's rules, how should the system respond to this action?

Reviewed for accuracy · Report an issue
Question 17 of 25

A financial services firm deploys an integrity-focused security model to protect a critical ledger system. A batch process running at the 'Medium Integrity' level attempts to write records into a data store classified at 'High Integrity.' Under the Biba model, how should the system respond to this write attempt?

Reviewed for accuracy · Report an issue
Question 18 of 25

A development team is building an API gateway that must encrypt session tokens in transit between microservices. They require both confidentiality and assurance that ciphertext has not been tampered with, without bolting on a separate MAC computation. Which block cipher mode of operation should the security architect recommend?

Reviewed for accuracy · Report an issue
Question 19 of 25

A regional bank's executive team asks the security manager to clarify the difference between the organization's Business Continuity Plan (BCP) and its Disaster Recovery Plan (DRP) before approving budget for both. The manager needs to explain how the two efforts relate. Which statement most accurately describes the relationship and scope of these plans?

Reviewed for accuracy · Report an issue
Question 20 of 25

During a fraud investigation, a forensic analyst images a suspect's hard drive and later hands the copy to a second analyst for review. Weeks afterward, the defense challenges whether the evidence was altered while in storage. Which practice would MOST directly refute this challenge and support the evidence's admissibility in court?

Reviewed for accuracy · Report an issue
Question 21 of 25

A DevSecOps team wants to prevent developers from committing hardcoded API keys and database passwords into the source repository. Occasionally these secrets are discovered only after they have been deployed to production, forcing emergency credential rotation. Which control most effectively addresses this problem as early as possible in the pipeline?

Reviewed for accuracy · Report an issue
Question 22 of 25

A financial services company is designing a new accounts-payable system. Regulators require that clerks cannot directly manipulate ledger balances; instead, all changes must occur through approved programs that validate each entry, and the person who initiates a payment must not be the same person who approves it. Which security model most directly addresses these requirements?

Reviewed for accuracy · Report an issue
Question 23 of 25

A development team is preparing a web application for release. Security wants to identify insecure coding patterns such as improper input validation and use of deprecated cryptographic functions across the entire codebase, including code paths that may rarely execute at runtime. The team has full access to the source code and wants the earliest possible feedback in the development pipeline. Which testing approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 24 of 25

A financial services firm is acquiring a packaged desktop application from a vendor and plans to deploy it across thousands of employee workstations. The security team wants assurance that the executables installed have not been altered between the vendor's build process and the endpoints, and that they genuinely originate from the named vendor. Which control most directly provides this assurance?

Reviewed for accuracy · Report an issue
Question 25 of 25

A government procurement team is evaluating two firewall products. Vendor A advertises that its product achieved EAL4+ certification. Vendor B states its product was certified against a specific network device Protection Profile (PP). The procurement officer asks the security architect which certification best assures that the product's security functions meet the government's actual operational security requirements. What should the architect explain?

Reviewed for accuracy · Report an issue