CC CC - Certified in Cybersecurity Questions and Answers

The Data Link layer (Layer 2) handles MAC addressing and frame delivery within local networks.

Attribute-Based Access Control (ABAC) grants access based on complex logical rules that evaluate attributes of the user, resource, action, and environment. Examples include user role, department, time of day, device type, and data sensitivity. These attributes are evaluated dynamically, allowing fine-grained and context-aware access decisions.

DAC allows owners to grant permissions, MAC uses labels and classifications, and RBAC assigns permissions based on roles. None of these provide the same level of flexibility as ABAC. Because ABAC supports complex, rule-based decisions, it is widely used in modern cloud environments and zero trust architectures.

Load balancing improves availability by distributing traffic across multiple systems, preventing overload and downtime.

A URL filter is the most effective control for restricting access to specific websites. URL filtering allows administrators to block access based on domain names, URLs, or content categories such as gambling, social media, or malicious sites.

IP address blocking is less precise because many websites share IP addresses or use dynamic hosting. DLP solutions focus on data protection, not web access control. IPS systems detect and block attacks but are not designed for enforcing acceptable-use browsing policies.

URL filtering is commonly implemented in firewalls, secure web gateways, and proxy servers and is widely used to enforce organizational internet usage policies.

PAM solutions focus onjust-in-time (JIT) access, granting elevated privileges only when needed and revoking them afterward. This reduces standing privileges and minimizes attack surfaces.

A replay attack occurs when an attacker captures valid authentication data—such as login credentials, session tokens, or cryptographic handshakes—and later reuses that data to gain unauthorized access. The attacker does not need to know the actual password; instead, they replay previously captured authentication information.

Replay attacks often exploit systems that lack proper protections such as timestamps, nonces, session expiration, or cryptographic challenge-response mechanisms. These attacks are particularly dangerous in poorly secured authentication protocols or legacy systems.

A man-in-the-middle attack involves intercepting and potentially altering communications in real time, while a replay attack focuses on reusing captured data. Smurf attacks and DDoS attacks target availability, not authentication.

Security controls such as time-based tokens, one-time passwords, mutual authentication, and secure protocols (e.g., TLS) are commonly used to prevent replay attacks. NIST authentication guidelines explicitly recommend replay resistance as a core requirement for secure authentication systems.

Burp Suiteis widely used for web application security testing, including vulnerability scanning, interception, and penetration testing.

Qualitative risk analysis evaluates risk using descriptive categories such aslow,medium, andhighinstead of numerical values. This approach relies on expert judgment, experience, and contextual understanding rather than precise financial or statistical calculations. According to NIST SP 800-30, qualitative analysis is especially useful when numerical data is unavailable or when rapid risk prioritization is required.

Unlike quantitative risk analysis, which assigns monetary values and probabilities, qualitative analysis focuses on relative severity and likelihood. It is commonly used during early stages of risk management, policy development, and executive decision-making. While less precise, qualitative risk analysis is easier to communicate to stakeholders and helps organizations focus resources on the most critical risks.

Internet of Things (IoT) devices include sensors, cameras, smart appliances, and controllers connected to networks.

Impact measures the severity of consequences if a security event occurs. It is a key component of risk calculations along with likelihood.

A Content Delivery Network (CDN) provides the greatest resilience against large-scale DDoS attacks by distributing traffic across a globally dispersed network of edge servers. CDNs absorb and filter malicious traffic before it reaches the origin infrastructure.

Increasing servers or bandwidth helps only to a limited extent and can still be overwhelmed by volumetric attacks. IPS-based mitigation is effective for smaller attacks but is not designed to handle massive distributed floods. CDNs combine traffic absorption, rate limiting, caching, and threat filtering at scale.

Major CDNs operate with terabits of capacity and specialized DDoS defenses, making them highly effective against attacks that would cripple individual organizations.

For public-facing applications, CDNs are considered a best-practice defensive control against availability attacks.

A ping flood attack exploits the Internet Control Message Protocol (ICMP), which operates atOSI Layer 3 (Network Layer). The attacker overwhelms a target system by sending a large volume of ICMP Echo Request (ping) packets, consuming bandwidth and processing resources.

Because ICMP is used for network diagnostics and error reporting, excessive ICMP traffic can prevent legitimate network communication, leading to a denial-of-service condition. Since IP and ICMP are Layer 3 protocols, ping flood attacks directly impact the network layer.

A sudden flood of network packets causing degraded performance is best classified as anadverse event. An adverse event is any occurrence that negatively affects system performance, availability, or operations but may not yet meet the threshold of a confirmed security incident. According to NIST definitions, events such as traffic spikes, system slowdowns, or anomalous behavior are initially treated as adverse events until further analysis confirms malicious intent.

If investigation later confirms the flood was caused by a deliberate denial-of-service attack, the classification may escalate to asecurity incident. However, without confirmation of intent or compromise, adverse event is the most accurate term.

Penetration testing simulates real-world attacks to identify vulnerabilities before adversaries exploit them.

ABusiness Continuity Plan (BCP)ensures critical operations continue during and after significant disruptions, regardless of the cause.

Law enforcement is not typically part of an organization’s internal incident response team. Incident response teams usually consist of cybersecurity professionals, technical subject matter experts, IT staff, legal advisors, and management representatives.

Law enforcement may become involved after an incident, especially in cases involving criminal activity, regulatory requirements, or large-scale breaches. However, they are external stakeholders, not internal team members.

Management plays a key role in decision-making and communication, while technical and cybersecurity experts handle detection, containment, eradication, and recovery.

NIST incident response guidance emphasizes coordination with external entities but clearly distinguishes internal response teams from external authorities such as law enforcement.

Theprimary purpose of security trainingis to reduce the likelihood and impact of attacks—especially human-centric threats such as phishing, social engineering, and credential theft. While training may also support compliance and efficiency, its most critical role is risk reduction.

Humans are often the weakest link in security. Awareness training helps users recognize threats, follow secure practices, and respond appropriately to suspicious activity, significantly lowering the organization’s attack surface.

The primary purpose of aWeb Application Firewall (WAF)is tofilter, monitor, and block malicious HTTP/HTTPS trafficdirected at web applications. A WAF operates at theapplication layer (Layer 7)of the OSI model and is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting (XSS), command injection, and other OWASP Top 10 vulnerabilities.

Unlike traditional network firewalls, which focus on IP addresses, ports, and protocols, a WAF understands web-specific traffic patterns and inspects the content of HTTP requests and responses. This allows it to detect malicious payloads embedded in URLs, headers, cookies, and request bodies.

While some WAFs may offer limited protection against application-layer DDoS attacks, DDoS mitigation is not their primary function. Intrusion detection is typically handled by IDS/IPS solutions, and SSL certificate management is unrelated to WAF functionality.

Security frameworks such as NIST and OWASP recommend WAFs as a critical compensating control for protecting public-facing web applications, especially when secure coding fixes cannot be deployed immediately.

In Business Continuity Planning (BCP), the termbusinessrefers primarily to theoperational aspects of the organization—the people, processes, and activities required to deliver products and services. While IT systems, finances, and facilities support operations, BCP focuses on ensuring thatcritical business functions continueduring and after disruptions.

This includes customer service, supply chain operations, payroll, compliance activities, and decision-making processes. BCP is broader than disaster recovery, which focuses mainly on restoring IT systems. According to NIST SP 800-34, business continuity emphasizes mission-essential functions and their dependencies, including personnel, third parties, facilities, and technology.

An IPS monitors traffic, detects malicious activity, and actively blocks attacks. Encryption is handled by protocols such as TLS or IPSec, not IPS devices.

Most VPNs (e.g., IPSec) operate atLayer 3 (Network layer), encapsulating IP packets to create secure tunnels.

Business Continuity Plans ensure operations continue during long-term disruptions.

BCP requires cross-functional participation to identify dependencies, workflows, and recovery priorities across all departments.

Rootkits provide stealthy, persistent control by hiding malicious processes and maintaining privileged access. They are extremely difficult to detect and remove.

A security incident is an event that threatens or violates CIA principles. Not all incidents result in breaches.

ASHRAE recommends64°F–81°Ffor modern data centers to balance hardware longevity and energy efficiency.

Common IRT models includededicated,leveraged, andhybridteams. In these models, response capabilities exist within the organization. While organizations mayusethird-party assistance, a fullyoutsourcedIRT is generally not considered a core internal IRT model because incident response requires immediate organizational authority, access, and accountability.

HIPAA applies to healthcare providers, insurers, and their business associates to protect patient health information (PHI).

ATrojanis a direct form of malware that disguises itself as legitimate software to perform malicious actions.

Backups are one of the most critical components of any disaster recovery (DR) strategy. Disaster recovery focuses on restoring systems, data, and operations after a disruptive event such as a cyberattack, natural disaster, hardware failure, or human error. Without reliable backups, recovery may be impossible or severely delayed.

Backups ensure that critical data can be restored to a known good state, minimizing data loss and downtime. Industry frameworks such as NIST SP 800-34 and ISO/IEC 27031 emphasize backups as a foundational DR control. They support recovery time objectives (RTOs) and recovery point objectives (RPOs), which define how quickly systems must be restored and how much data loss isacceptable.

While routers, laptops, and firewalls are important infrastructure components, they can typically be replaced or reconfigured. Lost or corrupted data, however, may be irreplaceable without backups. Best practices include maintaining regular, automated backups, storing them offsite or in the cloud, and protecting them from ransomware using immutable or offline storage. Testing backups regularly is also essential to ensure they are usable during an actual disaster.

Ransomware affects victims’ files primarily byencryptingthem, rendering the data inaccessible without a decryption key. Attackers then demand a ransom in exchange for restoring access.

While modern ransomware may also steal data, encryption is the defining characteristic of ransomware attacks. Destroying or selling files is not the primary mechanism.

Strong backups, access controls, and endpoint protection are key defenses against ransomware, as emphasized by NIST and CIS.

Disaster Recovery (DR)focuses specifically on restoring IT systems and communications following outages.

Corrective controls are designed torestore systems to normal operation after a security incident or attack has occurred. Examples include restoring data from backups, reimaging compromised systems, applying patches, and resetting credentials.

Detective controls identify incidents, preventive controls stop incidents, and corrective controls fix the damage. While recovery controls are sometimes mentioned informally, most security frameworks (including NIST) classify restoration activities under corrective controls.

Corrective controls are critical for minimizing downtime and ensuring business resilience following an incident.

The feasibility study determines whether a project is technically, economically, and operationally viable before development begins.

Role-Based Access Control (RBAC) assigns permissions based on job roles, making it scalable and efficient for large organizations. It simplifies access management and supports least privilege.

A hierarchical database organizes data in a tree-like structure where each parent record can have multiple child records, but each child has only one parent. This model resembles a file system hierarchy and is designed to represent one-to-many relationships efficiently.

Hierarchical databases were among the earliest database models and are still used in specific environments such as legacy systems and mainframe applications. Data access is fast when the hierarchy is well understood, but the model lacks flexibility when relationships become complex.

Relational databases use tables with rows and columns, object-oriented databases store objects, and network databases allow many-to-many relationships. Only the hierarchical model strictly enforces a tree structure.

Understanding database models is important for security professionals when evaluating access control, data exposure, and system design risks.

BCP is anorganization-wide responsibility. While IT plays a key role, BCP requires participation from all business units, leadership, HR, facilities, and external partners.

Anti-malware solutions provide broader detection than traditional antivirus by covering multiple malware classes.

Standards such as ISO, NIST, and CIS are commonly developed by third-party organizations and provide best practices and compliance guidance. They are not laws unless mandated.

A Security Operations Center (SOC) continuously monitors security events, analyzes threats, and coordinates incident response. SOCs integrate people, processes, and technology such as SIEM, SOAR, and threat intelligence platforms.

A protocol analyzer, also known as a packet sniffer, captures and inspects network traffic flowing across a network segment. If traffic is unencrypted, protocol analyzers can intercept sensitive information such as usernames, passwords, session tokens, and application data.

Log servers store logs, network scanners identify hosts and services, and firewalls filter traffic based on rules. Only protocol analyzers are designed to capture and inspect packet contents.

This capability makes protocol analyzers valuable for troubleshooting and for attackers conducting eavesdropping attacks. Encryption protocols such as TLS are critical defenses against this risk.

The principle of least privilege ensures users have only the minimum permissions necessary to perform their tasks. This limits damage from compromised accounts and insider threats.

It is foundational to access control, IAM, and zero trust architectures and is recommended by all major security frameworks.

Recovery controls restore systems and data after an incident. Examples include backups, failover systems, and disaster recovery procedures.

Address Space Layout Randomization (ASLR) randomizes the memory locations used by applications, making it significantly harder for attackers to predict where malicious payloads should be placed during buffer overflow attacks.

Buffer overflow exploits rely on predictable memory layouts. ASLR disrupts this predictability, increasing attacker effort and reducing exploit reliability.

The other options are either non-standard terms or unrelated to buffer overflow mitigation. ASLR is widely used in modern operating systems and is a key defensive control recommended by secure coding and system hardening guidelines.

ASLR does not eliminate vulnerabilities but raises the attack complexity, which is a core defensive strategy.

Hashing ensuresintegrityby allowing detection of unauthorized changes to data.

These areType 1 (bare-metal) hypervisors, running directly on hardware without a host operating system, offering higher performance and security.

ATrojandeceives users into executing it by appearing legitimate while performing malicious actions.

Anentitlementrefers to the inherent set of privileges or access rights granted to a user when an account is created. Entitlements define what resources a user can access and what actions they are allowed to perform.

A baseline refers to standard configurations, not user permissions. Aggregation and transitivity relate to access control models but do not describe default assigned privileges.

Managing entitlements is a key function of IAM systems and is critical for enforcing least privilege, access reviews, and compliance. Poor entitlement management often leads to excessive permissions and increased security risk.

Multi-factor authentication (MFA) requires two or more authentication factors from different categories: something you know, something you have, and something you are.

MFA significantly increases security by reducing reliance on any single factor. Even if one factor is compromised, attackers still cannot authenticate without the others.

MFA is widely recommended by NIST, CIS, and virtually all modern security frameworks, especially for privileged accounts and remote access.

At Layer 3 (Network Layer), data is encapsulated intopacketsfor routing across networks.

Crime Prevention Through Environmental Design (CPTED) uses environmental design principles such as visibility, lighting, access control, and territorial reinforcement to deter criminal activity.

VLANslogically separate networks at Layer 2 while sharing the same physical infrastructure.

A URL filter is specifically designed to block access to prohibited websites based on domain names, URLs, or content categories. It provides granular and user-friendly control over web access.

IP address blocking is less effective because many websites use shared IP addresses and dynamic hosting. DLP focuses on data protection, not web browsing. IPS detects and blocks attacks, not policy-based browsing restrictions.

URL filtering is commonly implemented in firewalls, secure web gateways, and proxy servers and is a best-practice control for acceptable use enforcement.

A Risk Management Framework (RMF) provides a structured, continuous process for identifying, assessing, and mitigating risk across an organization.

Authentication is the process of verifying that a user is who they claim to be. Identification occurs first (username), authentication verifies the claim (password, token, biometrics), and authorization determines access rights.

DDoS attacks can target bothLayer 3 (Network)andLayer 4 (Transport)by overwhelming IP routing, ICMP traffic, TCP SYN floods, or UDP floods. Hence, both layers are impacted.

AVirtual Private Network (VPN)creates an encrypted tunnel across untrusted networks such as the Internet. VPNs protect confidentiality and integrity by encrypting authentication credentials and data traffic.

When a device does not meet security baseline requirements, it poses a risk to the environment. Best practice is todisable or quarantine the deviceto prevent potential compromise or lateral movement. Network Access Control (NAC) solutions commonly automate this process.

Isolation ensures the device cannot interact with production systems until it is patched, configured correctly, and verified as compliant. This approach aligns with NIST and Zero Trust principles, emphasizing continuous compliance and containment.

MITRE ATTandCK maps adversary tactics, techniques, and procedures (TTPs) across the attack lifecycle.

“Something you know” authentication refers to knowledge-based credentials such as passwords, PINs, or passphrases. This is widely regarded as the weakest form of authentication because it is highly susceptible to compromise through phishing, brute-force attacks, credential stuffing, shoulder surfing, and social engineering.

Passwords can be guessed, reused, written down, or stolen through malware and data breaches. Users often choose weak or reused passwords, further reducing security. Even when password complexity rules are enforced, attackers frequently bypass them using previously leaked credentials.

In contrast, “something you have” (tokens, smart cards), “something you are” (biometrics), and biometric authentication provide stronger assurance because they are harder to steal or replicate. Modern security standards recommend combining factors using multi-factor authentication (MFA) to reduce reliance on knowledge-based authentication alone.

NIST SP 800-63 explicitly discourages password-only authentication for sensitive systems, emphasizing that “something you know” should be augmented with additional factors whenever possible.

Preparation is the foundational phase of incident response. It defines policies, roles, responsibilities, tools, training, and communication procedures. Without preparation, all other phases become chaotic and ineffective.

NIST SP 800-61 emphasizes preparation as the first phase because it ensures responders understand escalation paths, legal considerations, evidence handling, and authority. A new security engineer must understand preparation to operate effectively during real incidents.

Risk acceptance acknowledges the risk and chooses to proceed without additional controls, often due to cost or low impact.

Tunneling encapsulates packets to securely transmit them across networks, commonly used in VPNs.

A cryptographic hash uniquely represents the contents of a file or message. Even a small change produces a completely different hash value, making it an effective digital fingerprint.

Security testing is used to verify that a specific control is functioning as intended. In this scenario, John wants to confirm that authentication controls operate correctly, which requires actively testing them under real or simulated conditions.

Security assessments evaluate overall security posture and risk, audits focus on compliance and policy adherence, and walkthroughs are informal reviews or demonstrations. None of these directly validate control effectiveness as precisely as testing.

Security testing may include functional testing, penetration testing, or control validation exercises to confirm expected behavior. For authentication controls, this might involve testing login mechanisms, MFA enforcement, failure handling, and session management.

NIST SP 800-53 and ISO/IEC 27001 both emphasize testing as a critical step in ensuring security controls are implemented correctly and remain effective over time.

A security incident is any event that actually or potentially compromises confidentiality, integrity, or availability.

Two-Person Integrityensures no single individual can complete a sensitive action alone, reducing fraud and insider threats.

Senior management is ultimately responsible for approving, signing, and publishing organizational policies. While departments such as security, HR, and legal may draft, review, or advise on policies, executive leadership provides formal authorization and accountability.

This responsibility aligns with governance principles outlined in frameworks like ISO/IEC 27001 and NIST, which emphasize management commitment to information security. Policies require executive endorsement to ensure they are enforceable, aligned with business objectives, and supported with appropriate resources.

Senior management’s involvement demonstrates organizational commitment, establishes authority, and ensures compliance across all departments. Without leadership approval, policies lack legitimacy and may not be consistently followed.

Security operations rely on clear, management-approved policies to guide procedures, incident response, and compliance activities. Executive sponsorship also enables enforcement and disciplinary actions when policies are violated.

An Advanced Persistent Threat (APT) involves stealthy, long-term access to systems for espionage, data theft, or sabotage.

Hashing is the best control for detecting unauthorized changes to source code. By generating cryptographic hash values for approved versions of files, any modification—intentional or accidental—will result in a different hash, immediately indicating tampering.

Backups help recover data but do not prevent or detect unauthorized changes. File labels provide classification but do not ensure integrity. Security audits review compliance but do not continuously detect changes.

Hashing supports integrity assurance, which is a core security objective. Tools such as file integrity monitoring (FIM) systems rely on hashing to alert administrators when files are altered unexpectedly.

NIST and CIS controls emphasize hashing and integrity monitoring as essential for protecting code repositories, system files, and critical configurations, especially in DevOps and CI/CD environments.

A VPC endpoint is the best solution for enabling secure, private connectivity between systems in different virtual private clouds (VPCs) without traversing the public internet. VPC endpoints allow private communication using the cloud provider’s internal network.

VPNs introduce additional overhead and complexity, while internet gateways and public IP addresses expose systems to the public internet, increasing attack surface.

VPC endpoints provide strong security, reduced latency, and simplified architecture. They are recommended by cloud providers and security frameworks for private, internal cloud communication.

Mandatory Access Control (MAC) enforces centrally managed security labels and clearances, making it suitable for classified and government systems.

HTTPS (Hypertext Transfer Protocol Secure) is the most suitable protocol for secure communication between clients and servers. HTTPS uses TLS to encrypt data in transit, ensuring confidentiality, integrity, and authentication. This prevents attackers from eavesdropping, tampering, or impersonating servers.

HTTP and FTP transmit data in clear text, making them vulnerable to interception. SMTP is used for email delivery, not client-server web communication. Modern security standards mandate HTTPS for all production web applications.

HVAC (Heating, Ventilation, and Air Conditioning)systems regulate temperature, humidity, and airflow in data centers. Proper environmental controls are critical to prevent equipment failure and ensure system reliability.

GDPR directly addresses privacy, while FIPS and MOUs can also relate to privacy controls and data handling requirements.

Data backupsare essential to disaster recovery, enabling restoration of systems and data following failures or disasters.

Effective DLP solutions monitor all egress channels to prevent unauthorized data exfiltration, including web uploads, APIs, and removable media.

SSDs do not reliably respond to overwriting or degaussing due to wear-leveling. Physical destruction such as disintegration is the most secure sanitization method, per NIST SP 800-88.

Zenmap is the graphical front end for Nmap. It performs host discovery, port scanning, service enumeration, and OS fingerprinting.

A Content Delivery Network (CDN) ensures low latency by caching content at geographically distributed edge locations close to end users. When customers access a website, content is served from the nearest CDN node rather than a centralized server.

This significantly reduces round-trip time, network congestion, and load on origin servers. CDNs are especially effective for static content such as images, scripts, and videos, which dominate e-commerce traffic.

Load balancing distributes traffic but does not reduce geographic distance. SaaS is a service model, not a latency solution. Decentralized data centers help but lack the optimized edge caching and routing capabilities of a CDN.

CDNs are a core performance and availability control for global online services and are widely used by large e-commerce platforms to improve customer experience and resilience.

Subnetting divides a large network into smaller, logical segments called subnets. One of the primary benefits of subnetting isreducing network congestion. In a flat network, broadcast traffic is sent to all devices, which can significantly degrade performance as the network grows. By creating subnets, broadcast domains are limited, ensuring that broadcast traffic stays within a specific segment instead of flooding the entire network.

While subnetting can indirectly improve security and management, its most direct and measurable benefit is performance improvement through reduced broadcast traffic. Smaller subnets result in fewer devices competing for bandwidth, which enhances efficiency and reliability.

Subnetting also supports scalability and fault isolation. Network issues in one subnet are less likely to impact others. This concept is foundational in enterprise networks and is heavily emphasized in network design standards and certifications such as Security+, CCNA, and CISSP.

An Incident Response Plan (IRP) defines procedures for managing and mitigating security incidents.

An exploit is the method or code used to take advantage of a known vulnerability. Successful exploitation may result in an intrusion or breach.

Sensitivity refers to thedegree of protection required for information, as determined by its owner. Highly sensitive data requires stronger confidentiality controls because unauthorized disclosure could cause significant harm.

Input validation ensures user inputs are sanitized and conform to expected formats, preventing injection attacks such as SQL injection and command injection.

Guidelines are non-binding recommendations within a security policy framework. They provide best practices, suggestions, and advice to help users and administrators make informed decisions, but they do not require mandatory compliance.

Policies are high-level, mandatory statements approved by senior management. Standards define specific, mandatory requirements that must be followed to comply with policies. Procedures provide step-by-step instructions for implementing policies and standards.

Guidelines offer flexibility and allow organizations to adapt recommendations to different environments, technologies, or risk levels. Because they are not enforceable, guidelines are often used to encourage secure behavior without imposing strict controls.

For example, a guideline might recommend using a password manager, while a standard would require minimum password length. Security frameworks such as ISO/IEC 27001 and NIST distinguish clearly between mandatory controls and advisory guidance to balance security with operational flexibility.

MAC enforces access based on classification labels and user clearances, commonly used in military and government systems.

The CIA triad provides a foundational framework for understanding and designing security controls.

Logical access controls are implemented through software and system configurations. They include settings such as user permissions, authentication mechanisms, firewall rules, and system policies managed through GUIs or command-line interfaces. Logical controls protect digital assets by restricting access based on identity and authorization.

A security assessment evaluates the effectiveness of security controls and verifies whether they meet security requirements. It differs from risk assessments, which focus on identifying threats and vulnerabilities.

Internet of Things (IoT)devices include embedded systems such as sensors, smart appliances, cameras, and industrial controllers that connect to networks and exchange data. These devices often have limited security controls and are common attack targets, making them a significant cybersecurity concern.

SOAR (Security Orchestration, Automation, and Response) platforms are designed to collect security data from multiple tools, analyze events, and automatically execute response actions using predefined playbooks. This automation allows security teams to respond quickly and consistently to incidents.

While SIEM systems collect and correlate logs and generate alerts, they typically require manual analyst intervention for response. SOAR extends SIEM capabilities by orchestrating workflows across tools such as firewalls, endpoint protection, ticketing systems, and threat intelligence platforms.

Log repositories store logs without analysis or response capabilities. Intrusion Prevention Systems (IPS) focus on blocking malicious traffic in real time but do not coordinate broader incident response actions.

SOAR solutions reduce alert fatigue, improve response time, and standardize incident handling procedures. They are a key component of mature Security Operations Centers (SOCs) and are strongly recommended by modern security operations frameworks.

A Red Book is ahard-copy version of critical business continuity and emergency procedures. It is essential when disasters such as hurricanes, earthquakes, or cyberattacks disable power, networks, or electronic backups. In such scenarios, electronic access may be impossible, making physical documentation vital.

Non-repudiation ensures that an individual or system cannot deny having performed a specific action, such as sending or receiving a message or approving a transaction. It provides proof of origin and proof of delivery.

This security principle is typically implemented using cryptographic techniques such as digital signatures, public key infrastructure (PKI), hashing, and secure audit logs. For example, a digitally signed message can later be verified, preventing the sender from denying authorship.

Non-repudiation supports accountability, legal enforceability, and forensic investigations. It differs from confidentiality (preventing unauthorized access), integrity (preventing unauthorized modification), and availability (ensuring access).

Non-repudiation is especially important in financial systems, legal communications, and regulated industries where disputes may arise.

Side-channel attacks exploit physical characteristics such as power usage, timing, or electromagnetic emissions to infer sensitive information like cryptographic keys.

The purpose of multi-factor authentication (MFA) in Identity and Access Management (IAM) is to strengthen authentication by requiring users to present two or more independent factors from different categories: something you know, something you have, or something you are. This layered approach significantly reduces the risk of unauthorized access, even if one factor—such as a password—is compromised.

MFA addresses common attack techniques such as phishing, credential stuffing, and brute-force attacks. For example, even if an attacker steals a user’s password, they would still need access to the user’s hardware token or biometric factor to authenticate successfully.

MFA does not simplify access, remove authentication, or grant unrestricted access. Instead, it deliberately increases verification requirements to improve security. NIST SP 800-63 and other security frameworks strongly recommend MFA for privileged accounts, remote access, and cloud services because of its proven effectiveness in preventing account compromise.

DRP focuses on restoring IT infrastructure, applications, and communications to operational status.

Carbon dioxide (CO₂) systems suppress fire without leaving residue or damaging electronic equipment. While they pose risks to people, they are effective for protecting electronics compared to water or foam.

ABAC supports dynamic, context-aware access decisions based on attributes such as location, device, and time—ideal for global access scenarios.

Business Continuity encompasses the strategies, processes, and tools needed to keep critical operations running during a contingency.

If CIA is not impacted, the occurrence remains asecurity event, not an incident or breach.

This scenario describes areplay attack, in which an attacker captures valid authentication data and reuses it later to gain unauthorized access. Juli is passively monitoring network traffic, capturing credentials as they are transmitted, and planning to reuse them in a future attack.

Replay attacks often occur when authentication mechanisms do not use protections such as encryption, nonces, timestamps, or session tokens. If credentials are transmitted in clear text or without replay protection, attackers can intercept and reuse them without needing to crack passwords.

Brute-force and dictionary attacks involve guessing credentials, not capturing them. Social engineering relies on human manipulation rather than technical interception.

Replay attacks highlight the importance of secure protocols such as TLS, encrypted authentication exchanges, challenge-response mechanisms, and one-time passwords. NIST authentication guidance explicitly identifies replay resistance as a critical requirement for secure authentication systems.

Intercepting traffic to capture credentials is commonly achieved throughpacket sniffing, which targets theData Link layer (Layer 2). Techniques such as ARP poisoning operate at this layer to redirect traffic to the attacker.

While credentials belong to applications, the interception itself occurs at Layer 2.

Honeytokens are decoy data elements designed to lure attackers and detect unauthorized access. Examples include fake credentials, files, or database entries that have no legitimate use.

When a honeytoken is accessed, it triggers an alert, indicating a compromise. Honeytokens are valuable for detecting insider threats and lateral movement.

They do not encrypt data, improve performance, or manage access. Honeytokens are part of deception-based security strategies that enhance detection capabilities.

Security policies are high-level, mandatory statements approved by management that define security objectives, principles, and rules. Procedures and standards support policies but do not establish overarching intent.

Segregation of duties ensures no single individual can propose, approve, and implement changes alone, reducing fraud and errors.

A session key is a temporary cryptographic key used to encrypt communication between two systems for a single session. Session keys are typically symmetric keys generated during secure key exchange processes such as TLS handshakes.

They provide confidentiality and efficiency because symmetric encryption is much faster than asymmetric encryption. Once the session ends, the key is discarded, limiting exposure even if the key is later compromised.

Public keys are used for key exchange and authentication, not bulk data encryption. “Temporary key” and “section key” are not standard cryptographic terms.

Session keys are fundamental to secure network communications and are recommended by all modern cryptographic standards due to their performance and security benefits.

Availabilityensures that authorized users can access information and systems when needed, a core element of the CIA triad.

IPv6 was introduced primarily due toIPv4 address exhaustion, enabling vastly expanded address space.

Discretionary Access Control (DAC) allows the owner or creator of an object to decide who can access it and what permissions they receive. This delegation capability is a defining feature of DAC systems.

MAC enforces centrally controlled policies, RBAC assigns permissions through roles, and ABAC uses attributes evaluated by a policy engine. Only DAC explicitly allows object owners to grant or revoke access at their discretion.

GRC (Governance, Risk, and Compliance) integrates business objectives with risk management and regulatory compliance.

Platform as a Service (PaaS) provides customers with an environment tobuild, deploy, and manage applicationswithout managing underlying infrastructure. PaaS includes operating systems, middleware, runtime environments, and development tools.

SaaS delivers fully managed applications, while IaaS provides raw infrastructure. PaaS best balances flexibility and operational efficiency for software development.

Non-repudiationensures that a party involved in a transaction cannot later deny having performed an action, such as sending a message or authorizing a payment. This is a critical security property in digital communications and e-commerce environments.

Non-repudiation is typically achieved throughdigital signatures, cryptographic hashing, timestamps, and public key infrastructure (PKI). These mechanisms provide proof of origin and integrity, allowing actions to be traced back to the responsible party.

Authentication verifies identity, identification claims who a user is, and verification confirms correctness—but none of these alone prevent denial after the fact. Only non-repudiation provides legally and technically enforceable proof.

A disaster recovery team typically includes executive leadership, IT personnel, legal representatives, and public relations staff. These roles are critical for decision-making, technical recovery, and external communication.

A billing clerk is unlikely to be part of the disaster recovery team because the role does not typically contribute to recovery strategy, system restoration, or crisis communication.

Governancedefines oversight, accountability, and decision-making structures within an organization.

Digital signatures provideauthentication,integrity, andnon-repudiation, but they donot provide confidentiality. A digital signature verifies who sent the message and ensures it was not altered, but the content remains readable unless encryption is also applied.

Confidentiality requires encryption, typically using symmetric or asymmetric cryptography. Digital signatures are often combined with encryption (such as in TLS or secure email), but by themselves they do not hide message contents.

Data Loss Prevention (DLP)systems monitor, detect, and block unauthorized data exfiltration across endpoints, networks, and cloud services.