CISSP 2024 Advanced Quiz - Free Practice Quiz

Question 1 of 60

An organization's security architecture uses attribute-based access control (ABAC) to enforce dynamic policies. Which scenario BEST demonstrates a unique capability of ABAC that RBAC cannot easily provide?

A Granting read access to all members of the Finance role B Denying access to all users except administrators C Assigning permissions based on predefined job functions D Granting access only when the user's department attribute matches the data's classification attribute AND the user's device is compliant

1 / 60

Question 2 of 60

A security architect is designing a system that must guarantee that even the system administrators cannot access plaintext user data. Which cryptographic architecture BEST achieves this requirement?

A AES-256 encryption of data at rest with keys stored in a key management service B Server-side encryption with administrator-managed HSMs C Database-level encryption with TDE (Transparent Data Encryption) D End-to-end encryption with client-side key management where keys never leave user devices

2 / 60

Question 3 of 60

A security professional must choose between full, differential, and incremental backup strategies for a system with a 4-hour RPO and a 1-hour RTO. Which backup strategy combination BEST satisfies both objectives?

A Weekly full backups with daily differentials only B Monthly full backups with weekly incrementals C Daily full backups only D Nightly full backups combined with hourly incremental backups and fast restoration to an alternate system using pre-staged standby media

3 / 60

Question 4 of 60

A security operations center analyst observes that an internal host has established 47 outbound connections to 47 different external IPs over 6 hours, each connection lasting exactly 3 minutes and 12 seconds, followed by exactly 27 minutes of silence. Which threat indicator does this pattern MOST suggest?

A Normal web browsing behavior B Port scanning activity C DDoS attack from the internal host D Beaconing behavior consistent with command-and-control communication

4 / 60

Question 5 of 60

A CISO must justify the cost of a $150,000 intrusion detection system to the board. The system protects assets valued at $2,000,000 with an Exposure Factor of 40% and an Annual Rate of Occurrence of 0.25. What is the Return on Security Investment (ROSI)?

A The control is unjustifiable because ALE exceeds control cost B The control breaks even with no net benefit C The SLE exceeds the ALE making quantitative analysis invalid D The ALE ($200,000) exceeds the control cost ($150,000) making the investment justified, with ROSI = ($200,000 - $150,000) / $150,000 = 33%

5 / 60

Question 6 of 60

During an audit of a financial system, an auditor discovers that batch processing jobs run with domain administrator privileges. Which principle does this MOST egregiously violate?

A Accountability B Separation of duties C Need to know D Least privilege

6 / 60

Question 7 of 60

An organization running a critical SaaS application must ensure that a compromised cloud provider administrator cannot access customer data in plaintext. Which architectural approach BEST addresses this insider threat?

A Requiring the cloud provider to sign a confidentiality agreement B Deploying multi-factor authentication for cloud provider administrator accounts C Enabling cloud provider audit logging of administrator access D Client-side encryption with customer-controlled keys in an on-premises HSM before data is transmitted to the cloud provider

7 / 60

Question 8 of 60

Which legal doctrine allows investigators to introduce evidence obtained during a lawful search that also reveals previously unknown crimes, without requiring a separate search warrant?

A Exclusionary rule B Chain of custody doctrine C Fruit of the poisonous tree doctrine D Plain view doctrine

8 / 60

Question 9 of 60

During a forensic investigation, an analyst must determine whether a suspect deleted files to obstruct an investigation. Which forensic artifact is MOST likely to reveal the names and deletion times of recently deleted files on an NTFS volume?

A Windows Event Log Security channel B Registry hive NTUSER.DAT C Prefetch files in C:\Windows\Prefetch D $Recycle.Bin metadata and $MFT journal entries

9 / 60

Question 10 of 60

An incident responder is analyzing a Windows system for signs of a living-off-the-land (LotL) attack. Which artifact MOST likely reveals PowerShell command history used by an attacker who attempted to clear event logs?

A Prefetch files in C:\Windows\Prefetch B Windows Security event log C Windows Application event log D PowerShell module logging in the Windows Registry and ConsoleHost_history.txt file

10 / 60

Question 11 of 60

During a security architecture review, an analyst evaluates a web application's session management. The application issues 128-bit session tokens generated by a cryptographically secure PRNG, transmitted only over HTTPS, with a 30-minute inactivity timeout and automatic invalidation upon logout. Which residual session management risk MOST warrants additional investigation?

A The 128-bit token length may be insufficient B The PRNG algorithm needs verification C The inactivity timeout is too short D Session token exposure via Cross-Site Scripting (XSS) that can steal the token from the browser's memory or cookies â€” and whether HttpOnly and Secure cookie flags are properly set

11 / 60

Question 12 of 60

An organization implements attribute-based encryption (ABE) for a healthcare data sharing system. Which security property does ABE provide that traditional public key encryption cannot?

A Higher encryption performance for large datasets B Smaller key sizes than RSA-2048 C Forward secrecy for past communications D Policy-based decryption where access to plaintext requires possession of attributes satisfying the embedded access policy â€” enabling encrypted data to be stored publicly while enforcing fine-grained access control

12 / 60

Question 13 of 60

An organization implements a multi-cloud strategy with workloads in AWS, Azure, and GCP. Which security architecture approach MOST effectively enforces consistent policy across all three providers without managing separate native security tool configurations?

A Deploying cloud-native security services independently in each provider B Using a single cloud provider's security hub to monitor all environments C Establishing a cloud access security broker (CASB) in API inspection mode only D Implementing a cloud-agnostic Security Posture Management (CSPM) platform with unified policy engine and multi-cloud connectors

13 / 60

Question 14 of 60

Which security design principle states that the protection of a system should not depend on keeping its design or implementation secret â€” that security must hold even if all details of the mechanism are publicly known?

A Need to know B Security through obscurity C Defense in depth D Kerckhoffs's principle / open design

14 / 60

Question 15 of 60

A penetration tester exploits a buffer overflow vulnerability in a network service running as SYSTEM on a Windows server, gaining a reverse shell. Which post-exploitation activity would MOST significantly increase the attacker's persistence across reboots?

A Installing a rootkit in the Windows Registry Run key B Disabling Windows Defender C Extracting password hashes from LSASS memory D Creating a new hidden local administrator account AND installing a persistent backdoor as a signed Windows service with a legitimate-sounding name

15 / 60

Question 16 of 60

A security engineer must implement network segmentation for a healthcare environment containing both modern EHR workstations and legacy medical devices that cannot be patched. Which architecture MOST effectively balances functionality and security?

A Micro-segment legacy devices into dedicated VLANs with unidirectional data flows permitted only for required clinical functions, monitored by purpose-built medical device security platforms B Deploy all legacy devices in a single isolated VLAN with no network connectivity C Place all devices on a single VLAN with strong perimeter firewall rules D Apply compensating controls such as encryption to legacy devices without network changes

16 / 60

Question 17 of 60

A security engineer discovers that a containerized microservice communicates with its database using a hardcoded API key stored in the container image. Which remediation approach follows CISSP 2024 CBK best practices for secrets management in containerized environments?

A Inject secrets at runtime using a dedicated secrets management service (e.g., HashiCorp Vault or cloud-native secrets manager) with short-lived dynamic credentials B Store the API key in a Kubernetes ConfigMap for easier rotation C Move the API key to environment variables in the container orchestration platform D Encrypt the API key using AES-256 before embedding it in the image

17 / 60

Question 18 of 60

A security team must implement a key management solution for a hybrid cloud environment with strict requirements that cryptographic keys never leave on-premises hardware. Which solution BEST satisfies this requirement?

A Customer-managed keys (CMK) in a cloud-provider KMS with BYOK (Bring Your Own Key) where the customer generates and imports keys and retains the on-premises root of trust via a dedicated HSM B Using the cloud provider's default encryption with provider-managed keys C Encrypting data with software-based AES-256 before uploading to cloud storage D Using certificate pinning to prevent key exposure

18 / 60

Question 19 of 60

A CISO reviews a proposed third-party cloud storage integration for processing employee performance review data. Under GDPR, which data protection consideration is MOST critical before the integration can proceed?

A A Data Processing Agreement (DPA) must be executed with the cloud provider as a processor, specifying processing purposes, security measures, sub-processor obligations, and data subject rights support B The cloud provider must achieve ISO 27001 certification C The cloud provider must be located in the EU D Employees must consent to cloud storage of their data

19 / 60

Question 20 of 60

An organization performs a tabletop exercise simulating a ransomware attack that encrypts all file servers. During the exercise, the team discovers they cannot access recovery procedures because they are stored on the encrypted file servers. Which gap does this reveal?

A Business continuity plan documentation stored on systems subject to the failure it is meant to address â€” lack of offline/out-of-band BCP access B Inadequate employee training C Insufficient backup frequency D Insufficient recovery time objectives

20 / 60

Question 21 of 60

Which formal security model was specifically designed for commercial integrity requirements and uses the concept of 'constrained data items' and 'transformation procedures' to ensure data is only modified through authorized mechanisms?

A Clark-Wilson integrity model B Biba integrity model C Brewer-Nash (Chinese Wall) model D Bell-LaPadula confidentiality model

21 / 60

Question 22 of 60

An organization wants to implement a software-defined perimeter (SDP) to replace its traditional VPN. Which security outcome does SDP provide that a traditional VPN cannot?

A Per-application, identity-aware micro-segmentation that makes infrastructure invisible to unauthenticated users (dark cloud) while enforcing least-privilege network access for authenticated users B Encryption of all traffic between client and server C Centralized authentication with Active Directory integration D Deep packet inspection of encrypted traffic

22 / 60

Question 23 of 60

An organization deploys an AI-based spam filtering system that incorrectly classifies 0.5% of legitimate emails as spam. Security leadership accepts this false positive rate. Which risk treatment decision does this represent?

A Risk acceptance of residual risk after control implementation B Risk transfer C Risk avoidance D Risk reduction to zero

23 / 60

Question 24 of 60

Which database security control restricts the amount of information a query can reveal about the underlying dataset while still allowing useful aggregate queries â€” commonly applied in privacy-preserving data analytics?

A Differential privacy noise injection B Database encryption with TDE C Role-based access control (RBAC) D Database auditing and monitoring

24 / 60

Question 25 of 60

An APT actor compromises a certificate authority's intermediate signing certificate and issues rogue TLS certificates for major financial institutions. Which mechanism would have MOST effectively detected this attack in near-real time?

A Certificate Transparency (CT) log monitoring with automated alerting B Extended Validation (EV) certificate enforcement C HTTP Public Key Pinning (HPKP) D OCSP stapling on affected web servers

25 / 60

Question 26 of 60

A threat intelligence analyst identifies that a nation-state APT group has published a new remote code execution exploit targeting the organization's web server software. Which response action should be executed FIRST according to the CISSP 2024 CBK incident response framework?

A Immediately apply emergency patches or implement compensating controls, then escalate to incident response procedures B Wait for the vendor to release an official patch before taking action C Shut down all web servers to prevent exploitation D Report the threat to law enforcement and await guidance

26 / 60

Question 27 of 60

A developer implements a RESTful API that returns different HTTP response times based on whether a username exists in the database (fast response for non-existent usernames, slow response for valid usernames requiring password hash comparison). Which vulnerability does this represent?

A Username enumeration via timing side-channel B Insecure direct object reference C Cross-site request forgery D Broken authentication

27 / 60

Question 28 of 60

A security team implements a SOAR platform to automate incident response. For which incident type does automation provide the GREATEST risk reduction with the LOWEST implementation risk?

A High-volume, low-complexity alert triage and response â€” such as automatically quarantining endpoints that trigger known-malware signatures and enriching alerts with threat intelligence B Zero-day exploit responses requiring novel containment strategies C Advanced persistent threat (APT) investigations requiring human judgment D Board-level security incident reporting

28 / 60

Question 29 of 60

A CISSP candidate analyzes a proposed security architecture for a financial trading system that requires sub-millisecond response times. Which design decision BEST balances security and performance requirements?

A Deploying hardware security modules (HSMs) for cryptographic operations and purpose-built network security appliances optimized for low-latency inspection B Using software-based full-disk encryption on trading servers C Implementing security controls at network aggregation points rather than individual endpoints D Disabling all encryption to eliminate latency

29 / 60

Question 30 of 60

Which advanced persistent threat (APT) technique uses legitimate system tools and processes â€” such as PowerShell, WMI, and certutil â€” to avoid detection by endpoint security products?

A Living-off-the-land (LotL) attack B Polymorphic malware C Fileless malware D Supply chain compromise

30 / 60

Question 31 of 60

Which CISSP 2024 CBK concept describes the process of converting personally identifiable information (PII) into a form where the individual cannot be re-identified without additional information held separately?

A Anonymization (irreversible) B Pseudonymization (reversible with separate key) C Tokenization D Data masking

31 / 60

Question 32 of 60

During a compliance audit, an assessor discovers that a financial institution has implemented compensating controls instead of specific PCI DSS requirements. Which condition MUST be met for compensating controls to be formally accepted under PCI DSS?

A The compensating controls must be cheaper than the required controls B The compensating controls must meet the intent and rigor of the original requirement, provide a similar level of defense, and be documented with a risk analysis demonstrating equivalence C The compensating controls must have been in place for at least 12 months D The compensating controls must be approved by the card brands directly

32 / 60

Question 33 of 60

Which security metric BEST measures the effectiveness of a patch management program by tracking the time elapsed between vulnerability public disclosure and remediation deployment?

A Mean Time Between Failures (MTBF) B Mean Time to Remediate (MTTR) for critical vulnerabilities C System availability percentage D Number of vulnerabilities remediated per quarter

33 / 60

Question 34 of 60

A data protection officer (DPO) must determine whether an organization's new AI-driven fraud detection system requires a Data Protection Impact Assessment (DPIA) under GDPR. Which factor MOST strongly triggers the DPIA requirement?

A The system processes financial data which is always subject to DPIA B Systematic, large-scale automated processing of personal data involving profiling for fraud detection that produces legal or similarly significant effects on individuals. C The system is operated by a third-party vendor D The system uses machine learning which requires DPIA by default

34 / 60

Question 35 of 60

An organization uses a Hardware Security Module (HSM) to protect code-signing keys. A developer requests export of the private signing key to a local workstation to speed up release cycles. Which response BEST reflects CISSP 2024 CBK key management principles?

A Approve the request if the workstation has full-disk encryption B Deny the request â€” all signing operations must occur within the HSM boundary; configure the CI/CD pipeline to invoke signing via authenticated HSM API calls C Approve the request temporarily and revoke key access afterward D Export to an encrypted USB drive as a compromise

35 / 60

Question 36 of 60

A security architect is evaluating quantum-resistant cryptographic algorithms. Which algorithm family was selected by NIST in 2024 as the primary post-quantum key encapsulation mechanism (KEM) standard?

A RSA-8192 (increased key size) B ML-KEM (CRYSTALS-Kyber), standardized as FIPS 203 C Elliptic Curve Diffie-Hellman (ECDH) D Lattice-based NTRU Prime

36 / 60

Question 37 of 60

An organization's red team successfully exfiltrates 50GB of sensitive data over 60 days without triggering any security alerts. Which security program gap does this MOST directly expose?

A Lack of encryption on sensitive data B Inadequate data loss prevention (DLP) controls and behavioral anomaly detection C Absence of multi-factor authentication D Insufficient perimeter firewall rules

37 / 60

Question 38 of 60

An organization's business continuity plan includes a reciprocal agreement with a business partner to share data center resources during a disaster. Which risk does this arrangement PRIMARILY introduce?

A Recovery Time Objective violations B Confidentiality risk due to commingling of sensitive data between organizations in a shared, potentially under-resourced environment during simultaneous disasters C Lack of geographic diversity D Inability to test the arrangement

38 / 60

Question 39 of 60

A security team implements network traffic analysis and discovers that an internal host is communicating with an external IP address using DNS TXT record queries containing unusually long encoded strings at 5-minute intervals. Which attack technique does this MOST likely represent?

A DNS amplification DDoS attack B DNS tunneling for covert command-and-control (C2) channel C BGP route injection D DNS cache poisoning

39 / 60

Question 40 of 60

A CISO discovers that the organization's incident response team lacks authority to isolate compromised systems without manager approval, causing average containment delays of 4 hours. Which governance change would MOST effectively reduce this delay?

A Hire more incident response staff B Establish pre-authorized incident response playbooks granting IR team authority to take specific containment actions (isolation, credential reset, blocking) without real-time management approval for defined incident severity levels C Purchase faster network equipment D Implement automated containment tools only

40 / 60

Question 41 of 60

A software development team uses Infrastructure as Code (IaC) to deploy cloud resources. Which security practice MOST effectively identifies misconfigurations before resources are provisioned?

A Runtime cloud security posture monitoring B Static analysis of IaC templates (e.g., Terraform, CloudFormation) integrated into the CI/CD pipeline using tools such as Checkov or tfsec C Penetration testing of provisioned resources D Manual security review of IaC templates before deployment

41 / 60

Question 42 of 60

Which cryptographic protocol vulnerability allows an attacker to force a TLS connection to use a weaker, deprecated cipher suite by intercepting and modifying the ClientHello message?

A BEAST attack B Downgrade attack (e.g., POODLE, FREAK, Logjam) C CRIME attack D Lucky Thirteen attack

42 / 60

Question 43 of 60

Which security architecture pattern allows a microservices application to enforce mutual TLS (mTLS) authentication between services without modifying individual application code?

A Adding TLS libraries to each microservice's codebase B Service mesh with sidecar proxy pattern (e.g., Istio/Envoy) handling mTLS transparently at the infrastructure layer C Network-level TLS termination at the load balancer only D Application-level API gateway with certificate management

43 / 60

Question 44 of 60

Which security principle requires that every access request to a protected resource be verified against the current access control policy, rather than relying on a cached authorization decision from a prior successful access?

A Least privilege B Complete mediation C Separation of duties D Defense in depth

44 / 60

Question 45 of 60

A multinational organization must comply with GDPR, CCPA, PIPEDA, and Brazil's LGPD simultaneously. Which governance approach MOST effectively manages this multi-jurisdictional compliance burden?

A Implementing GDPR controls only, as they are the most stringent B Implementing a unified privacy framework that satisfies the most stringent requirements across all applicable regulations with jurisdiction-specific addenda C Conducting compliance assessments independently per regulation D Appointing separate compliance teams for each jurisdiction

45 / 60

Question 46 of 60

A security architect implements micro-segmentation in a data center using software-defined networking. Which security benefit does micro-segmentation provide that traditional VLAN-based segmentation cannot?

A Elimination of the need for firewalls B Encryption of all intra-data center traffic C Granular, workload-level east-west traffic control that prevents lateral movement between individual servers even within the same VLAN D Automatic network topology discovery

46 / 60

Question 47 of 60

An organization conducts an annual security awareness phishing simulation. 23% of employees click the link, and 8% enter credentials. The CISO wants to reduce these rates to below 5% click and 1% submit within 18 months. Which program design element would MOST effectively achieve this behavioral change?

A Increasing the frequency of simulations to monthly without changing content B Terminating employees who repeatedly fail simulations C Just-in-time training delivered immediately after simulation failure, combined with targeted role-based training modules and executive sponsorship communication D Making simulations harder to detect to increase failure rates

47 / 60

Question 48 of 60

An organization's security policy requires that all removable media be encrypted. A user discovers that their department has been using unencrypted USB drives for 18 months to transfer files between air-gapped systems, a practice management approved but which violates the written policy. Which risk management document should be created to formalize management's ongoing acceptance of this deviation?

A A new security policy overriding the encryption requirement B A risk register entry only C A formal risk acceptance or policy exception document signed by an appropriate authority, documenting the deviation, business justification, compensating controls, and review date D A Memorandum of Understanding between departments

48 / 60

Question 49 of 60

Which cryptographic attack against elliptic curve implementations exploits variations in computation time to recover private key material?

A Birthday attack B Differential cryptanalysis C Timing side-channel attack D Meet-in-the-middle attack

49 / 60

Question 50 of 60

An organization deploys a deception technology solution consisting of fake credentials, documents, and network assets distributed throughout the environment. Which security capability does this PRIMARILY provide?

A Data loss prevention for sensitive documents B Preventive control to block intrusion attempts C Early threat detection through high-fidelity alerts triggered by adversaries interacting with honeytokens and honeypots D Network performance monitoring

50 / 60

Question 51 of 60

An organization implements continuous integration and continuous deployment (CI/CD) pipelines. Which security control MOST effectively prevents vulnerable code from reaching production?

A Manual security review of all pull requests B Quarterly penetration testing of the production environment C Automated security gates integrating SAST, DAST, SCA, and container scanning with policy-enforced build failures for critical/high findings before merge to main branch D Developer security awareness training

51 / 60

Question 52 of 60

A software development organization adopts a DevSecOps model. Which practice MOST effectively shifts security responsibility left without creating development bottlenecks?

A Requiring security team approval for all code commits B Conducting security reviews only at major milestones C Embedding security engineers in each development team as dedicated security champions with automated security tooling integrated into developer IDEs and pre-commit hooks D Performing annual penetration tests of production systems

52 / 60

Question 53 of 60

An organization implements a defense-in-depth strategy for its OT/ICS environment. Which control addresses the UNIQUE security challenge of legacy PLCs that cannot run endpoint security agents?

A Network-based IDS on the corporate IT network B Applying security patches to the PLC firmware weekly C Deploying unidirectional security gateways (data diodes) between the ICS network and enterprise network with passive network monitoring inside the ICS segment D Using cloud-based SIEM to monitor PLC logs

53 / 60

Question 54 of 60

A legal team requires that all emails related to an ongoing litigation matter be preserved exactly as they exist, with no modifications or deletions permitted. Which technical control BEST implements this requirement?

A Exporting emails to PDF format B Moving emails to a read-only network share C Litigation hold with email system archiving configured for immutable retention of in-scope custodian mailboxes D Backing up email servers nightly

54 / 60

Question 55 of 60

A CISO must demonstrate compliance with multiple overlapping frameworks (SOC 2, ISO 27001, NIST CSF, and PCI DSS) to different stakeholders. Which governance approach MOST efficiently manages this multi-framework compliance burden?

A Implementing each framework independently with separate control sets and evidence B Achieving SOC 2 compliance only as it maps to most other frameworks C Using a unified control framework (e.g., CCM, HITRUST, SCF) that maps controls to multiple frameworks simultaneously, enabling single control implementation to satisfy multiple framework requirements D Outsourcing compliance management to separate consultants per framework

55 / 60

Question 56 of 60

Which formal verification technique mathematically proves that a security mechanism correctly implements its specification for all possible inputs and states â€” rather than testing a finite set of cases?

A Fuzzing / fuzz testing B Regression testing C Formal methods / model checking D Penetration testing

56 / 60

Question 57 of 60

A CISO implements a security metrics program using a balanced scorecard approach. Which metric set MOST effectively communicates security program value to the board of directors?

A Number of firewall rules, patch counts, and antivirus signature updates B Technical vulnerability CVSS scores and exploit availability C Mean time to detect, mean time to respond, risk reduction percentage, and security investment ROI D Number of security incidents and employee training completion rates

57 / 60

Question 58 of 60

Which CISSP 2024 CBK Domain 8 concept requires that security requirements, threat models, and risk assessments be documented and incorporated into the software design BEFORE coding begins?

A Post-release vulnerability management B Penetration testing C Security requirements engineering / secure design phase D Code review

58 / 60

Question 59 of 60

During a business impact analysis, the security team determines that the Customer Records Database has an MTD of 4 hours, an RTO of 2 hours, and an RPO of 30 minutes. Which backup and recovery architecture CORRECTLY satisfies all three constraints?

A Daily tape backups with 6-hour restoration time B Weekly full backups with hourly transaction logs C Synchronous database replication to a warm standby with automated failover, point-in-time recovery logs retained for 30-minute granularity, and tested restoration within 2 hours D Daily backups with a 3-hour RTO target

59 / 60

Question 60 of 60

An organization's cloud environment undergoes automated provisioning of development resources by developers who have been granted overly permissive IAM policies. Which governance control MOST effectively enforces least privilege at scale in a dynamic cloud environment?

A Manual IAM policy review for each developer B Disabling developer access to cloud consoles C Infrastructure as Code (IaC) with automated IAM policy analysis and enforcement of permission boundaries using cloud-native policy guardrails (e.g., AWS SCPs, Azure Policy, GCP Organization Policies) D Quarterly access certification reviews

60 / 60