1/20/25, 12:36 AM CC3 - CertPreps

Home Practice Exams Exam Concepts Storified (Videos) Contact My Practice History Logout

You can do better!

Find your weak areas and improve.

Your score is 64%

 Restart quiz

1. An IT specialist receives reports of slow system performance and excessive hard drive activity on
multiple computers within an organization. Initial investigation does not reveal any significant storage
consumption or active user processes that could explain the symptoms. Which type of virus is MOST
likely responsible for these observations, and what preventative measure could effectively mitigate this
threat?

A. Rootkit; Regularly update operating system and security software

B. Polymorphic virus; Employ advanced heuristic-based antivirus detection

C. Logic bomb; Schedule regular audits of system configurations and software

D. Stealth virus; Enable real-time monitoring and protection on all systems

The scenario of slow system performance and excessive hard drive activity without apparent cause is
suggestive of a stealth virus. Stealth viruses are designed to evade detection by hiding their presence on
an infected system, often by intercepting and altering system calls that monitor file and process
activities. This can result in symptoms like those described, where traditional monitoring tools fail to
identify the cause of the system's behavior. The preventative measure most effective against this type of

https://certpreps.com/cc3/ 1/62
1/20/25, 12:36 AM CC3 - CertPreps

threat is enabling real-time monitoring and protection on all systems. Real-time protection provides
continuous scanning of files, processes, and system activities, allowing for the immediate detection and
isolation of malicious behavior, including that which might be obscured by a stealth virus. While regular
updates and heuristic-based detection are important security practices, they address broader
categories of malware threats. Regular audits could help identify unauthorized changes but may not
prevent the initial infection. Real-time monitoring and protection directly target the covert operations
of stealth viruses, enhancing the ability to detect and mitigate them before they can cause significant
harm.

2. A healthcare provider with a highly sensitive data environment is evaluating its update management
process to better protect patient information. What policy adjustment would MOST effectively reduce
the risk of exploitation through unpatched vulnerabilities?

A. Establishing a policy for immediate mandatory updates upon release.

B. Adopting a tiered update approach, prioritizing systems based on sensitivity and exposure.

C. Limiting updates to bi-annual comprehensive system overhauls.

D. Allowing department heads to determine the update schedule for their respective areas.

Adopting a tiered update approach, prioritizing systems based on sensitivity and exposure, is the most
effective policy adjustment for a healthcare provider looking to reduce the risk of exploitation through
unpatched vulnerabilities. This approach ensures that systems handling the most sensitive data or
those most susceptible to attacks are updated first, providing an additional layer of protection where it
is most needed. By categorizing systems and applications according to their criticality and exposure to
potential threats, the healthcare provider can allocate resources and attention to securing high-priority
areas swiftly, thereby minimizing the window of opportunity for attackers. This strategy also allows for
more efficient use of resources, ensuring that updates are applied in a manner that reflects the actual
risk landscape. Immediate mandatory updates (Option A) might not consider the specific needs and
risks associated with different systems, while bi-annual comprehensive system overhauls (Option C)
could leave systems vulnerable for extended periods. Allowing department heads to determine update
schedules (Option D) can lead to inconsistencies and gaps in the security posture. Thus, a tiered update
approach offers a tailored and strategic method to enhance security effectively.

3. An e-commerce company is leveraging IaaS to host its online platform. The company is looking for
ways to enhance its infrastructure's security posture against Distributed Denial of Service (DDoS)
attacks, which could potentially bring down its website during peak shopping periods. What IaaS
feature should the company implement to protect against such attacks?

A. Elastic Load Balancing to distribute traffic evenly across servers.

B. DDoS protection services that absorb and mitigate attack traffic.

C. Content Delivery Network (CDN) to cache content at edge locations.

https://certpreps.com/cc3/ 2/62
1/20/25, 12:36 AM CC3 - CertPreps

D. Public and private subnet configurations to isolate sensitive components.

Implementing DDoS protection services that absorb and mitigate attack traffic is the most effective
IaaS feature for an e-commerce company looking to enhance its infrastructure's security posture
against Distributed Denial of Service (DDoS) attacks. These services are specifically designed to protect
against large-scale DDoS attacks by identifying and filtering malicious traffic before it reaches the
company's online platform, ensuring that the website remains accessible to legitimate users even
during an attack. This proactive approach allows the company to maintain its operations and protect its
revenue during peak shopping periods, when the risk of DDoS attacks is often higher. While Elastic
Load Balancing (Option A) can help distribute traffic and improve website resilience, and a Content
Delivery Network (CDN) (Option C) can reduce load on origin servers by caching content, neither
specifically targets DDoS attack mitigation like DDoS protection services do. Public and private subnet
configurations (Option D) improve network segmentation and security but do not directly address
DDoS attack mitigation. Therefore, DDoS protection services are the most direct and effective measure
for safeguarding the e-commerce platform against DDoS attacks.

4. A large retail company uses a web application for online transactions. The security team has
implemented secure coding practices, regular vulnerability assessments, and network segmentation.
However, they are concerned about the potential for SQL injection attacks. Which prevention strategy
would BEST protect the web application from SQL injection attacks?

A. Increasing the complexity of network passwords.

B. Applying web application firewalls (WAFs) to inspect incoming traffic for malicious SQL queries.

C. Switching to a less commonly used web server software to reduce the attack surface.

D. Regularly backing up the database to ensure data integrity and availability.

In the context of protecting a web application from SQL injection attacks, the best prevention strategy
is applying web application firewalls (WAFs) to inspect incoming traffic for malicious SQL queries. A
WAF is specifically designed to monitor, filter, and block HTTP traffic to and from a web application. By
inspecting incoming traffic, a WAF can identify and block malicious SQL injection attempts before they
reach the web application, effectively preventing attackers from exploiting vulnerabilities in the
application's code to manipulate the database. Increasing the complexity of network passwords, while a
good security practice, does not directly mitigate the risk of SQL injection attacks, which exploit
vulnerabilities in the application's interaction with its database, not network-level credentials.
Switching to less commonly used web server software may reduce certain risks but does not address
the specific threat of SQL injection. Regularly backing up the database is important for data recovery
but does not prevent the occurrence of SQL injection attacks. Therefore, a WAF directly addresses the
prevention of SQL injection attacks by filtering out malicious queries.

5. A financial institution is reviewing its authentication protocols to prevent identity theft and
unauthorized access to customer accounts. They are considering the implementation of a system that
can dynamically adjust authentication requirements based on the risk level of a transaction. For

https://certpreps.com/cc3/ 3/62
1/20/25, 12:36 AM CC3 - CertPreps

example, high-value transactions might require additional verification steps compared to low-risk
activities. Which of the following authentication strategies best fits this description?

A. Single-factor authentication

B. Multifactor authentication

C. Continuous authentication

D. Adaptive authentication

Adaptive authentication, also known as risk-based authentication, dynamically adjusts the

authentication requirements in real-time based on the perceived risk level of an access request or
transaction. This method assesses various risk indicators, such as user behavior, transaction context,
device integrity, and location, to decide the appropriate level of authentication needed. High-risk
scenarios may trigger additional verification steps, whereas low-risk activities might require simpler
authentication. This approach offers a balance between security and user convenience, tailoring the
authentication process to the specific risk level of each transaction. In contrast, single-factor and
multifactor authentication (A and B) provide static levels of security, and continuous authentication (C)
focuses on constantly verifying the user's identity during a session without necessarily adjusting to the
risk level of individual transactions. Therefore, D) Adaptive authentication is the correct answer,
illustrating the significance of flexible and context-aware security measures in protecting against
unauthorized access in sensitive environments like financial institutions.

6. During a routine security audit, an auditor discovers that an organization's network is using outdated
encryption protocols. Considering the organization operates in a highly regulated industry, which of
the following actions should be prioritized in the risk identification process?

A. Upgrading network hardware to the latest models

B. Implementing stronger access control policies

C. Replacing outdated encryption protocols with current standards

D. Increasing cybersecurity awareness training for employees

Replacing outdated encryption protocols with current standards should be prioritized in the risk
identification process when an auditor discovers such vulnerabilities, especially in a highly regulated
industry. This action directly addresses a critical cybersecurity risk by ensuring that the data in transit
across the organization’s network is protected by modern, secure encryption standards, which are less
susceptible to interception or decryption by unauthorized entities. This focus is essential because
outdated encryption protocols can be exploited by attackers, leading to data breaches, loss of sensitive
information, and potential non-compliance with industry regulations, which often mandate the use of
specific encryption standards to protect data privacy and integrity. Upgrading network hardware,
implementing stronger access control policies, and increasing cybersecurity awareness training for
employees are also important security measures. However, these actions do not directly address the
immediate risk posed by the use of outdated encryption protocols. By prioritizing the update of
https://certpreps.com/cc3/ 4/62
1/20/25, 12:36 AM CC3 - CertPreps

encryption protocols, the organization can significantly reduce its exposure to cyber threats and align
its practices with regulatory requirements, thereby mitigating potential legal, financial, and
reputational consequences. This decision reflects a strategic approach to risk management, focusing on
remediation efforts that directly contribute to the protection of critical assets and compliance with
legal and regulatory standards.

7. An organization's IT department is implementing a new policy to enhance their defense-in-depth

strategy, focusing on protecting sensitive customer data. They currently have network security and
endpoint protection in place. What additional measure should be PRIORITIZED to secure the data
effectively according to a defense-in-depth approach?

A. Implementing strong data encryption for data at rest and in transit.

B. Increasing the frequency of changing employee passwords from 90 to 30 days.

C. Enforcing stricter firewall rules to block all incoming traffic from unknown IPs.

D. Purchasing additional antivirus licenses for future expansion of the company's infrastructure.

Implementing strong data encryption for data at rest and in transit should be prioritized to secure
sensitive customer data effectively according to a defense-in-depth approach. Encryption serves as a
critical layer of protection that ensures data confidentiality and integrity by making the data unreadable
to unauthorized users, even if they manage to bypass other security measures such as network security
controls and endpoint protection. This measure safeguards the data itself, complementing perimeter
defenses and endpoint security by protecting the data throughout its lifecycle, regardless of where it
resides or how it is transmitted. Increasing the frequency of changing employee passwords (Option B)
can enhance security but does not directly protect the data if an attacker gains access. Enforcing
stricter firewall rules (Option C) strengthens the perimeter defense but might not safeguard the data
once an attacker is inside the network. Purchasing additional antivirus licenses (Option D) extends
protection to more endpoints but still focuses on preventing malware infections rather than securing
the data itself. Therefore, data encryption directly addresses the need to protect sensitive information
in a comprehensive, multi-layered security strategy, making it the most effective measure to
complement existing security controls.

8. During a security review, an organization identifies the need to securely exchange files between their
internal network and a partner company. The files contain sensitive information that must be kept
confidential and ensure non-repudiation. What is the MOST effective method to achieve these security
objectives?

A. Encrypting files with the organization's private key

B. Encrypting files with the partner company's public key

C. Using a symmetric key agreed upon by both parties for encryption

D. Sending files without encryption but including a digital signature

https://certpreps.com/cc3/ 5/62
1/20/25, 12:36 AM CC3 - CertPreps

Encrypting files with the partner company's public key is the most effective method to meet the
security objectives of confidentiality and non-repudiation in this scenario. Asymmetric encryption
allows anyone with the public key to encrypt data, but only the holder of the corresponding private key
can decrypt it. By encrypting files with the partner's public key, the organization ensures that only the
partner, who possesses the private key, can decrypt and access the sensitive information, thereby
maintaining confidentiality. To address non-repudiation, the organization can sign the encrypted files
with its private key, allowing the partner to verify the sender's identity using the public key and
ensuring that the sender cannot deny having sent the message. Using a symmetric key (C) would also
secure the files but requires secure key exchange, which can be challenging, and does not inherently
provide non-repudiation. Encrypting with the organization's private key (A) is incorrect because private
keys are for signing or decryption, not for encrypting messages intended for others. Sending files
without encryption (D) fails to ensure confidentiality.

9. A fintech startup is evaluating its cybersecurity strategy to accommodate rapid growth. The Chief
Security Officer (CSO) is considering implementing an aggressive intrusion detection system (IDS) that
could potentially reduce the system's usability due to false positives. Knowing that the startup operates
in a highly competitive market where user experience is paramount, how should the CSO align the
implementation with the company's risk tolerance?

A. Implement the aggressive IDS as planned, prioritizing security over usability.

B. Opt for a less aggressive IDS, accepting higher risk for better usability.

C. Avoid any IDS implementation to maximize system usability and accept all associated risks.

D. Conduct a cost-benefit analysis of IDS options to align with the company's risk tolerance and market

position.

In this scenario, the most effective approach that aligns with the fintech startup's risk tolerance and
operational priorities is to conduct a cost-benefit analysis of intrusion detection system (IDS) options.
This approach allows the Chief Security Officer (CSO) to thoroughly evaluate the trade-offs between
enhancing security measures and maintaining an optimal user experience, which is crucial in a highly
competitive market. By conducting a cost-benefit analysis, the CSO can assess the potential impact of
various IDS implementations on system usability and compare this against the security benefits and the
likelihood and impact of potential security incidents. This detailed evaluation enables the company to
choose an IDS solution that strikes the best balance between securing the system against intrusions
and ensuring that the user experience remains seamless, thereby adhering to the company's strategic
focus on user satisfaction and competitive advantage. This method also reflects a strategic application
of risk management principles, specifically risk tolerance, by considering the organization's willingness
to accept certain risks in exchange for operational benefits, ensuring that the chosen cybersecurity
strategy aligns with the company's overall objectives and market position.

10. A financial institution relies heavily on real-time transaction processing. They are assessing their
business continuity plan (BCP) to address the risk of cyber-attacks that could disrupt their transaction
processing system. Which of the following updates to the BCP would most effectively mitigate this risk?

https://certpreps.com/cc3/ 6/62
1/20/25, 12:36 AM CC3 - CertPreps

A. Increasing cybersecurity awareness training for all employees.

B. Establishing a redundant, synchronized transaction processing system in a secure, off-site location.

C. Conducting regular penetration testing on the transaction processing system.

D. Implementing stricter access controls and encryption for transaction data.

Establishing a redundant, synchronized transaction processing system in a secure, off-site location is

the most effective update to the business continuity plan (BCP) for mitigating the risk of cyber-attacks
disrupting the financial institution's transaction processing system. This strategy directly addresses the
need for continuous operation of critical functions—like real-time transaction processing—by ensuring
that there is an immediate fallback system that can take over without interruption in service. A
redundant system, especially one that is geographically dispersed, offers resilience not only against
cyber-attacks but also against physical threats such as natural disasters. This solution allows the
institution to maintain the integrity and availability of its transaction processing capabilities under
various scenarios, thereby safeguarding against potential financial losses, reputational damage, and
regulatory non-compliance. While increasing cybersecurity awareness, conducting penetration testing,
and implementing stricter access controls and encryption (options A, C, D) are important cybersecurity
measures, they do not provide a comprehensive solution for maintaining operational continuity in the
face of an actual disruption to the transaction processing system. The establishment of a redundant
system exemplifies a strategic and proactive application of business continuity principles, focusing on
the preservation of critical business operations through redundancy and geographical diversity.

11. A small online retailer identifies a risk of DDoS attacks that could potentially take its website offline
during peak shopping seasons. What risk treatment action should the retailer take?

A. Accept the risk, considering the cost of advanced protective measures

B. Transfer the risk by using a cloud-based DDoS protection service

C. Mitigate the risk by manually monitoring traffic for anomalies

D. Avoid the risk by closing the website during peak shopping seasons

For a small online retailer identifying a risk of DDoS attacks, the most appropriate risk treatment action
is to transfer the risk by using a cloud-based DDoS protection service. This approach allows the retailer
to leverage the expertise and resources of a third-party provider specialized in mitigating DDoS attacks,
which can detect, absorb, and disperse the excessive traffic associated with such attacks, keeping the
website operational even during peak shopping seasons. This option is particularly viable for small
businesses that may lack the in-house capabilities to effectively manage the complexity and scale of
DDoS attacks. Accepting the risk could lead to significant business disruption and financial loss, while
manually monitoring traffic for anomalies is unlikely to be effective against sophisticated or large-scale
DDoS attacks. Avoiding the risk by closing the website during peak shopping seasons would directly
impact sales and customer satisfaction, negating the benefits of peak shopping periods. Therefore,

https://certpreps.com/cc3/ 7/62
1/20/25, 12:36 AM CC3 - CertPreps

transferring the risk through the use of a cloud-based service is a cost-effective solution that ensures
business continuity and protects against the potential impact of DDoS attacks.

12. The intrusion detection system (IDS) of a technology company detects an unusual pattern of internal
traffic, where a workstation is making rapid, sequential connections to multiple internal servers across
various departments. The pattern does not match any known user behavior or application protocol
within the company. What type of threat is the IDS MOST likely detecting, and what is the
recommended course of action?

A. Network Scanning; Immediately isolate the workstation and review its security logs.

B. Worm Infection; Apply the latest security patches to all systems and initiate a network-wide malware

scan.

C. Command and Control (C2) Traffic; Block outbound connections and analyze network traffic for further

indicators of compromise.

D. Insider Threat; Audit user activities and access privileges for the associated account.

The unusual pattern of internal traffic characterized by rapid, sequential connections to multiple
internal servers suggests that the intrusion detection system is detecting network scanning activity.
This type of threat typically involves the automated probing of networks and systems to identify open
ports, services, and vulnerabilities, often as a precursor to more targeted attacks. The recommended
course of action is to immediately isolate the workstation from the rest of the network to prevent
further unauthorized access or scanning. Isolating the affected workstation helps to contain the
potential threat and prevent it from spreading or escalating. Following isolation, a thorough review of
the workstation's security logs is essential to determine the scope of the scanning activity, identify any
accessed or compromised data, and understand the intent behind the scanning. This approach allows
the security team to assess the situation accurately, implement necessary countermeasures, and
remediate any identified vulnerabilities. While worm infections, C2 traffic, and insider threats are valid
security concerns, the specific behavior identified by the IDS—rapid, sequential connections across
multiple internal servers—most directly points to network scanning, necessitating immediate isolation
and detailed log analysis as the most appropriate response.

13. A financial services company has decided to upgrade its existing network infrastructure to enhance
security and performance. The current setup includes multiple VLANs, a firewall, and a legacy VPN
solution for remote access. The company wants to implement a more secure, scalable, and efficient way
to manage remote access and protect sensitive data traffic within its on-premises network. Which of
the following would be the MOST appropriate solution to meet these requirements?

A. Replace the firewall with a next-generation firewall (NGFW) and implement a Zero Trust Network Access

(ZTNA) model.

B. Increase the number of VLANs to segregate network traffic further and continue using the legacy VPN

solution.

https://certpreps.com/cc3/ 8/62
1/20/25, 12:36 AM CC3 - CertPreps

C. Upgrade the existing VPN solution to a faster VPN protocol without changing the firewall or VLAN setup.

D. Implement an intrusion detection system (IDS) alongside the existing VPN solution without changing

other infrastructure components.

Opting for a next-generation firewall (NGFW) combined with the implementation of a Zero Trust
Network Access (ZTNA) model addresses the company's requirements for enhanced security, scalability,
and efficiency in managing remote access. A NGFW provides advanced inspection capabilities of
incoming and outgoing traffic, including encrypted traffic, and integrates various security functions
such as intrusion prevention, application control, and advanced visibility across the network. The ZTNA
model shifts the security focus from perimeters to directly securing access to resources based on
identity verification, context, and security policies, regardless of the user's or resource's location. This
approach significantly improves security by ensuring that only authenticated and authorized users and
devices can access network services and data. It aligns with modern security needs by providing more
granular control over access and traffic, making it a superior choice over simply increasing VLAN
numbers (Option B), upgrading VPN protocols for speed without addressing security comprehensively
(Option C), or adding an IDS without upgrading the fundamental access and segmentation strategy
(Option D). The detailed explanation highlights the synergy between NGFWs and ZTNA in creating a
secure, scalable network environment that adapts to modern cybersecurity threats and the growing
demand for remote access flexibility.

14. An online retailer experiences seasonal spikes in traffic, particularly during holiday sales, and uses a
cloud-based infrastructure to host its e-commerce platform. To ensure business continuity and
minimize potential revenue loss during these critical periods, the retailer is reassessing its disaster
recovery (DR) plan. Which of the following enhancements to the DR plan would best address the
increased risk of system overload and potential downtime during peak traffic times?

A. Implementing an elastic cloud computing model that automatically scales resources based on traffic

demand.

B. Negotiating a fixed-cost contract with the cloud provider to control expenses during traffic spikes.

C. Deploying a content delivery network (CDN) to cache static website content.

D. Conducting regular performance testing only during off-peak seasons to avoid disrupting peak traffic.

Implementing an elastic cloud computing model that automatically scales resources based on traffic
demand is the best enhancement to the disaster recovery (DR) plan for an online retailer experiencing
seasonal spikes in traffic. This model allows the retailer's cloud-based infrastructure to dynamically
adjust computing resources (such as server instances, processing power, and bandwidth) in real-time,
in response to actual traffic patterns. This capability ensures that the e-commerce platform can handle
sudden increases in user traffic without suffering from system overload or downtime, thereby
minimizing the risk of revenue loss during critical sales periods. Elastic scaling directly addresses the
challenge of maintaining high availability and performance during peak traffic times, making it an
essential component of a robust DR plan tailored to the retailer's operational needs. While a fixed-cost
contract (B) can help manage expenses, it does not address scalability or availability issues. Deploying a

https://certpreps.com/cc3/ 9/62
1/20/25, 12:36 AM CC3 - CertPreps

CDN (C) improves content delivery but is complementary to, rather than a substitute for, elastic scaling
in addressing system overload. Conducting performance testing (D) is important but focusing only on
off-peak seasons misses the opportunity to prepare for and mitigate the risks associated with peak
traffic periods. This approach illustrates the application of cloud computing principles to disaster
recovery planning, aligning with the ISC2 CC Exam's focus on leveraging technology solutions to ensure
business continuity in the face of operational challenges.

15. A corporate building with sensitive information stored on-premises employs security guards to
manage entry points and conduct random checks within the building. Recently, a security review
highlighted a lack of consistent procedures for verifying the identity of individuals claiming to have lost
their access badges. Which of the following would be the MOST effective policy change to address this
vulnerability?

A. Requiring a government-issued photo ID and verification through a centralized access control system

before granting temporary access.

B. Mandating that all visitors and employees display their badges visibly at all times within the building.

C. Increasing the frequency of random checks by security guards inside the building.

D. Implementing a policy where lost badges must be reported immediately, and access is restricted until a

new badge is issued.

Requiring a government-issued photo ID and verification through a centralized access control system
before granting temporary access is the most effective policy change to address the vulnerability
associated with lost badges. This approach ensures that individuals are properly identified using a
reliable form of identification, which is difficult to forge, and their access rights are verified against the
organization's access control system, which maintains up-to-date information on all authorized
personnel. This measure directly targets the issue of inconsistent identity verification practices by
establishing a clear, standardized procedure that reduces the risk of unauthorized access. While
mandating visible badge display (B) and increasing the frequency of random checks (C) are valuable
security measures, they do not address the specific challenge of verifying the identity and access rights
of individuals without their badges. Implementing a policy for immediate reporting of lost badges (D) is
important but does not solve the immediate problem of verifying someone's identity and access rights
in the absence of their badge. The proposed policy change ensures a high level of security by combining
reliable identification with real-time access verification, significantly mitigating the risk associated with
lost or forgotten badges.

16. A healthcare provider is reviewing its business continuity plan to address potential disruptions to its
electronic health record (EHR) system, which is critical for patient care continuity. The plan currently
lacks a detailed strategy for data integrity and accessibility in the event of a cyber-attack. What
addition to the BCP would best ensure the EHR system's resilience against such an event?

A. Implementing an advanced encryption solution for data at rest and in transit.

https://certpreps.com/cc3/ 10/62
1/20/25, 12:36 AM CC3 - CertPreps

B. Establishing a mirrored EHR system in a secure, off-site location.

C. Conducting regular cybersecurity awareness training for all healthcare staff.

D. Upgrading the physical security of the data center housing the EHR system.

Establishing a mirrored EHR system in a secure, off-site location is the best addition to the business
continuity plan for ensuring the EHR system's resilience against cyber-attacks. This strategy creates a
real-time replica of the EHR system that can be quickly activated in the event of a cyber-attack on the
primary system, ensuring continuous access to patient records and minimizing disruption to patient
care. Mirroring provides a high level of redundancy and ensures data integrity and accessibility even
when the primary system is compromised, addressing the critical need for uninterrupted healthcare
services. While implementing advanced encryption (Option A) is essential for protecting data privacy
and security, encryption alone does not address the continuity of access to EHR systems during an
attack. Regular cybersecurity awareness training (Option C) is crucial for preventing breaches but
cannot mitigate the immediate impact of a successful cyber-attack on system availability. Upgrading
physical security (Option D) protects against physical threats but is less effective against cyber threats.
The mirrored EHR system directly addresses the specific challenge of maintaining the availability and
integrity of critical healthcare data in the face of cyber disruptions, exemplifying a targeted and
effective application of business continuity principles in a healthcare context.

17. A multinational corporation is evaluating the cybersecurity risks of its global supply chain. What
should be the focus of its risk assessment to ensure the integrity of its operations?

A. The reliability of logistics partners in meeting delivery timelines

B. The cybersecurity posture of third-party vendors and suppliers

C. The fluctuation in exchange rates affecting procurement costs

D. The efficiency of inventory management systems

For a multinational corporation evaluating the cybersecurity risks of its global supply chain, the focus of
its risk assessment should be on the cybersecurity posture of third-party vendors and suppliers. This
focus is essential because the security practices of these entities directly impact the integrity and
security of the corporation's operations and data. Third-party vendors and suppliers with inadequate
cybersecurity measures can introduce vulnerabilities into the supply chain, leading to potential data
breaches, intellectual property theft, and operational disruptions. These risks are particularly acute in a
global supply chain where the complexity and diversity of partners increase the difficulty of
maintaining uniform security standards. While the reliability of logistics partners, the fluctuation in
exchange rates, and the efficiency of inventory management systems are important operational
considerations, they do not directly address the cybersecurity threats that can compromise the
corporation's sensitive information and disrupt its supply chain. Prioritizing the assessment of third-
party cybersecurity postures enables the corporation to identify and mitigate risks by enforcing strict
security requirements, conducting regular audits, and implementing robust incident response
strategies, thereby protecting its operations from cyber threats originating from its supply chain.

https://certpreps.com/cc3/ 11/62
1/20/25, 12:36 AM CC3 - CertPreps

18. An enterprise implements a new access control policy requiring employees to use smart cards and
personal identification numbers (PINs) for accessing the building. Three months after implementation, a
review shows a decrease in reported security incidents but an increase in complaints about access
delays. Which of the following adjustments would BEST balance security with accessibility?

A. Lowering the authentication timeout settings for the smart card readers.

B. Introducing a machine learning algorithm to predict and allow faster access for regular employees.

C. Implementing a visual verification system to complement the smart card and PIN requirement.

D. Removing the PIN requirement during peak hours.

The correct answer is B) Introducing a machine learning algorithm to predict and allow faster access for
regular employees. This innovative approach leverages technology to enhance both security and
convenience by analyzing access patterns and behavior to facilitate quicker authentication for
individuals with established and predictable access behaviors, without compromising the security
afforded by the smart card and PIN system. Lowering the authentication timeout settings (A) could
potentially reduce access times but might increase security risks by allowing insufficient time for
proper authentication. Implementing a visual verification system (C) adds an additional layer of security
but may further slow down the access process rather than streamline it. Removing the PIN requirement
during peak hours (D) significantly reduces security measures in favor of convenience, exposing the
organization to heightened risk during those times. By using a machine learning algorithm, the
organization can maintain a high level of security while addressing the issue of access delays, providing
a sophisticated solution that dynamically adapts to user behavior.

19. A security engineer is tasked with designing a symmetric encryption solution for a new messaging
application. The goal is to ensure that message confidentiality is maintained even if an attacker gains
temporary access to the encryption key. Which of the following design choices would best achieve this
objective?

A. Implementing key rotation policies where the encryption key is changed at regular intervals.

B. Using a high-complexity encryption algorithm that is not widely adopted.

C. Encrypting each message with a unique key derived from the user's password.

D. Increasing the block size of the encryption algorithm to enhance security.

The design choice that best achieves the objective of maintaining message confidentiality, even if an
attacker gains temporary access to the encryption key, is A) Implementing key rotation policies where
the encryption key is changed at regular intervals. Key rotation is a crucial security practice in
managing encryption keys, as it limits the amount of data an attacker can access with a compromised
key and reduces the time window during which the key can be used to decrypt messages. By regularly
changing the encryption key, even if an attacker were to gain access to a current key, they would only
https://certpreps.com/cc3/ 12/62
1/20/25, 12:36 AM CC3 - CertPreps

be able to decrypt messages encrypted with that specific key and only for the duration until the key is
rotated. This approach significantly mitigates the potential damage of a key compromise. Option B,
using a high-complexity encryption algorithm that is not widely adopted, does not necessarily improve
security, as obscurity does not equate to security. Option C, encrypting each message with a unique key
derived from the user's password, could enhance security but might be impractical and does not
address the issue of key compromise directly. Option D, increasing the block size of the encryption
algorithm, improves resistance against certain types of cryptographic attacks but does not directly
protect against the risks associated with the compromise of the encryption key itself.

20. A university plans to allow remote access to its library's digital archives, which include sensitive
research materials and copyrighted content. The digital archive system needs to be accessible from the
internet but protected against unauthorized access and potential security breaches. What DMZ
configuration should the university implement?

A. Place the digital archive system entirely within the DMZ to ensure it is accessible from the internet.

B. Deploy a proxy server in the DMZ to handle external requests, with the digital archive system located on

the internal network.

C. Configure all user authentication mechanisms within the DMZ, while hosting the digital archive system

and content on the internal network.

D. Establish a VPN gateway in the DMZ for remote users, with no components of the digital archive system

placed in the DMZ.

Deploying a proxy server in the DMZ to handle external requests, with the digital archive system
located on the internal network, is the most secure and effective DMZ configuration for the university's
requirements. This setup utilizes the DMZ to host a proxy server that acts as an intermediary between
users on the internet and the digital archive system. The proxy server can manage, filter, and
authenticate external access requests before they reach the sensitive digital archive system, which
remains protected on the internal network. This arrangement enhances security by providing a
controlled access point that limits direct exposure of the digital archives to the internet, thereby
reducing the risk of unauthorized access and potential security breaches. Unlike placing the entire
digital archive system within the DMZ (Option A), which could expose sensitive materials to greater
security risks, or configuring user authentication mechanisms within the DMZ without an intermediary
proxy server (Option C), which still risks exposing direct access paths to the internal network, deploying
a proxy server offers a strategic layer of protection. Establishing a VPN gateway in the DMZ (Option D)
could provide secure remote access but does not address the need for public accessibility to the
library's digital archives in a controlled manner. Therefore, a proxy server in the DMZ represents the
most balanced solution for public accessibility and security.

21. An e-commerce company is evaluating its current password policy in light of recent data breaches in
the industry. The policy currently requires passwords to be at least 8 characters long with at least one
number and one uppercase letter. Which policy enhancement would most significantly improve the
security of customer accounts against brute force attacks?

https://certpreps.com/cc3/ 13/62
1/20/25, 12:36 AM CC3 - CertPreps

A. Enforcing passwords to include at least one special character and one lowercase letter, increasing the

minimum length to 12 characters.

B. Requiring passwords to be changed every 30 days without introducing new complexity requirements.

C. Implementing an account lockout mechanism after four incorrect password attempts.

D. Mandating that all passwords expire annually, requiring users to create new passwords yearly.

Increasing the minimum password length to 12 characters and requiring a mix of character types
including special characters and lowercase letters drastically increases the number of possible
password combinations, making it significantly harder for attackers to successfully execute brute force
attacks. This complexity not only enhances the security of customer accounts by making passwords
more difficult to guess or crack but also aligns with best practices for password security in protecting
sensitive customer data. While frequent password changes (Option B) can help mitigate the impact of
compromised passwords, they do not directly increase the strength of the passwords and may lead to
password fatigue, where users choose simpler passwords or minor variations of previous passwords. An
account lockout mechanism (Option C) is a useful deterrent against brute force attacks but does not
address the fundamental strength of the passwords themselves. Similarly, annual password expiration
(Option D) encourages regular password updates but does not inherently improve password security
without complexity and length requirements.

22. A tech company with multiple classified research labs uses badge systems for access control. To
enhance security, the company decides to implement additional measures. Which of the following
would provide the MOST comprehensive enhancement to the badge access system?

A. Integrating the badge system with an employee's mobile device for secondary authentication.

B. Upgrading the badge system to include RFID blocking capabilities to prevent unauthorized cloning.

C. Implementing time-of-day restrictions on badges to limit access to specific hours for certain areas.

D. Using machine learning to analyze access patterns and identify potential security breaches.

The correct answer is A) Integrating the badge system with an employee's mobile device for secondary
authentication. This approach combines something the employee has (the badge) with something the
employee knows or possesses (a mobile device), adding a layer of security through two-factor
authentication. It ensures that even if a badge is lost, stolen, or cloned, access to secure areas is still
protected by the requirement of having the linked mobile device. While upgrading the badge system to
include RFID blocking capabilities (B) and implementing time-of-day restrictions (C) are effective
measures, they do not provide as comprehensive a security enhancement as the integration with a
mobile device does. Machine learning analysis (D) can help identify security breaches but does not
prevent unauthorized access in the same proactive manner. By requiring secondary authentication
through a mobile device, the system significantly reduces the risk of unauthorized access due to badge
compromise, offering a robust solution to enhance overall security.

https://certpreps.com/cc3/ 14/62
1/20/25, 12:36 AM CC3 - CertPreps

23. During a security training session, an employee asks why the company's new password policy
prohibits the use of personal information, such as birthdays or pet names, even if the password meets
the complexity requirements. What is the most accurate explanation?

A. Personal information can easily be found on social media, making it easier for attackers to guess

passwords.

B. Using personal information violates privacy laws and regulations governing data protection.

C. Passwords containing personal information are more difficult for employees to remember, leading to

increased support calls.

D. Personal information as part of a password significantly reduces the encryption strength of the

password.

The most accurate explanation is that personal information can easily be found on social media, making
it easier for attackers to guess passwords. Attackers often use social engineering techniques to gather
personal information about their targets from social media platforms and other public records. This
information can then be used in password guessing attacks, significantly increasing the likelihood of
unauthorized access. While complexity requirements make passwords harder to crack by brute force,
they do not mitigate the risk of passwords being guessed through social engineering. Options B, C, and
D do not directly address the vulnerability that personal information in passwords presents. Privacy
laws and data protection regulations (Option B) are concerned with the handling and protection of
personal data by organizations, not with how individuals create their passwords. The ease of
remembering passwords (Option C) and the impact on encryption strength (Option D) are not relevant
to the specific risk posed by using personal information in passwords.

24. A small business is evaluating Software as a Service (SaaS) solutions for its customer relationship
management (CRM) needs. The business is concerned about the security of customer data and wishes
to understand how SaaS providers ensure data protection. Which aspect of SaaS should the business
examine most closely to address its concerns?

A. The SaaS provider's data encryption protocols for data at rest and in transit.

B. The geographic location of the SaaS provider's data centers.

C. The scalability options available for the CRM software.

D. The integration capabilities with other business software.

The small business should examine the SaaS provider's data encryption protocols for data at rest and in
transit most closely to address its concerns about the security of customer data. Encryption is a critical
security measure that protects data from unauthorized access by making it unreadable without the
correct decryption key. By ensuring that the SaaS provider uses strong encryption protocols for data
https://certpreps.com/cc3/ 15/62
1/20/25, 12:36 AM CC3 - CertPreps

both at rest (stored data) and in transit (data being transferred to and from the SaaS application), the
business can safeguard its customer information against potential data breaches and cyber threats. This
focus on encryption offers a direct approach to addressing data security concerns, compared to the
geographic location of data centers (Option B), which may impact data sovereignty but not directly
address data protection. Scalability options (Option C) and integration capabilities (Option D) are
important considerations for operational efficiency and software ecosystem compatibility but do not
specifically relate to the security of customer data, making data encryption protocols the most critical
aspect for the business to examine.

25. A multinational corporation is drafting a new policy for email communication to prevent disputes
over the origin and content of messages. Which solution should be mandated for all sensitive email
communications to ensure non-repudiation?

A. Email encryption using AES

B. Mandatory use of VPNs for email transmission

C. Email digital signatures

D. Secure password policies

Email digital signatures are the optimal solution to ensure non-repudiation in sensitive email
communications within a multinational corporation. By applying a digital signature to an email, the
sender can cryptographically link their identity to the message, providing a verifiable means to assert
the authenticity and integrity of the email content. This method uses Public Key Infrastructure (PKI)
where the sender's private key is used to create the signature, and the corresponding public key is used
by the recipient to verify the signature. Unlike Email encryption using AES (Option A) which secures the
content of the message but does not provide a mechanism for non-repudiation, or Mandatory use of
VPNs (Option B) which secures the transmission of the message without addressing the issue of
verifying the sender's identity and message integrity, digital signatures provide a robust framework for
preventing disputes over the origin and content of messages. Secure password policies (Option D) are
essential for overall security hygiene but do not directly contribute to the non-repudiation of email
communications. Thus, implementing email digital signatures ensures that both the sender and
recipient can trust the authenticity of the communication, significantly reducing the potential for
disputes related to email transactions.

26. A company's security team detects irregular outbound network traffic patterns, including attempts
to connect to several external command and control servers across the globe. The traffic originates
from a server that hosts the company's customer database. Upon investigation, no malware files are
found on the server, but there is evidence of unauthorized database queries and extraction of data.
What type of attack is MOST likely being conducted, and which security measure should be prioritized?

A. Insider Threat; Implement strict access controls and monitoring.

B. Ransomware; Ensure all data is backed up and can be restored.

https://certpreps.com/cc3/ 16/62
1/20/25, 12:36 AM CC3 - CertPreps

C. Advanced Persistent Threat (APT); Engage in network segmentation and hardening.

D. Cross-Site Scripting (XSS); Deploy web application firewalls (WAFs) and input validation.

The described scenario, featuring irregular outbound network traffic to external command and control
servers and unauthorized access to a customer database without any malware files being detected, is
characteristic of an Advanced Persistent Threat (APT). APTs are sophisticated, long-term cyberattack
campaigns conducted by highly skilled attackers aiming to steal data or surveil systems over extended
periods. The focus on stealth and persistence, along with the strategic targeting of valuable data,
distinguishes APTs from other types of cyber threats. The recommended security measure in response
to an APT is to engage in network segmentation and hardening. Network segmentation involves
dividing the network into smaller, controlled zones to limit the spread of attacks and make lateral
movement more difficult for attackers. Hardening refers to the process of securing systems and
applications, removing unnecessary services, and applying security patches. Together, these measures
can significantly reduce the attack surface, making it more challenging for APT actors to maintain
access and carry out their objectives. While implementing strict access controls and monitoring,
ensuring data backups, and deploying WAFs are important security practices, prioritizing network
segmentation and hardening directly addresses the sophistication and stealthy nature of APT attacks,
providing a robust defense against these advanced threats.

27. A university is preparing to open its campus network to students, faculty, and guests, with varying
levels of access rights to resources. The university IT department seeks to deploy a NAC solution that
effectively segregates network traffic and enforces access policies based on user group and device type.
What approach should the IT department take to achieve this goal?

A. Implementing a guest network separate from the main campus network, with all other users subject to

the same access policies.

B. Deploying a NAC solution that integrates with the existing directory services for identity-based access

control across multiple user groups.

C. Applying a uniform security policy for all devices, relying on personal firewalls on each device for

additional security.

D. Enforcing physical network segmentation for students, faculty, and guests, requiring different network

ports for each group.

Deploying a NAC solution that integrates with the existing directory services for identity-based access
control across multiple user groups is the most effective approach for the university IT department to
achieve the goal of segregating network traffic and enforcing access policies based on user group and
device type. This approach leverages the university's directory services, which already contain detailed
information about each user's role (student, faculty, or guest), to dynamically assign access rights and
policies at the moment of network connection. By integrating NAC with directory services, the IT
department can automate the process of identifying users and their devices, applying the appropriate
level of access based on their status, and ensuring that each group can only access the resources

https://certpreps.com/cc3/ 17/62
1/20/25, 12:36 AM CC3 - CertPreps

relevant and necessary to them. This method is superior to implementing a separate guest network
(Option A), which addresses only one user group and does not provide the granularity needed for
differentiating between students and faculty. Relying on a uniform security policy for all devices (Option
C) oversimplifies network access control and misses the opportunity to enforce role-specific policies,
while enforcing physical network segmentation (Option D) is logistically challenging and does not offer
the flexibility or scalability of a NAC solution integrated with directory services. Therefore, integrating
NAC with directory services for identity-based access control is the strategic choice for managing
complex access requirements in a diverse campus environment.

28. In response to regulatory requirements, a bank is revising its data classification policy to include a
new category: "Regulated". This category applies to data subject to specific regulatory compliance
standards, such as transaction records and customer financial information. What key factor should the
bank consider when defining security measures for data classified as "Regulated"?

A. The speed of data retrieval and processing to ensure operational efficiency.

B. The level of encryption needed for archival data to reduce storage costs.

C. The specific compliance requirements and legal obligations associated with the data.

D. The preference of customers regarding how their data is secured and accessed.

When defining security measures for data classified as "Regulated", the key factor the bank should
consider is C) the specific compliance requirements and legal obligations associated with the data.
Regulatory compliance standards, such as those set by financial regulatory bodies, dictate precise
requirements for handling, storing, and protecting sensitive customer and transaction data. These
standards often specify the need for strong encryption, access controls, auditing capabilities, and other
security measures to ensure the confidentiality, integrity, and availability of the data. Adhering to these
requirements is essential for the bank to remain compliant with laws and regulations, avoid legal
penalties, and maintain customer trust. While operational efficiency (A) and storage costs (B) are
important considerations, they must not compromise compliance. Customer preferences (D) are also
valuable but must align with regulatory mandates to ensure that the bank meets its legal obligations
while protecting sensitive customer information.

29. During a security review, an auditor discovers that an employee was able to access a restricted area
using an outdated badge, despite not having authorization for over six months. What should be the
PRIMARY focus of the subsequent security investigation?

A. Reviewing the employee’s access logs to determine the frequency of unauthorized access.

B. Auditing the process for updating access permissions when employee roles change.

C. Interviewing the employee to understand the reason for accessing the restricted area.

D. Checking the physical security measures in place to prevent unauthorized access.

https://certpreps.com/cc3/ 18/62
1/20/25, 12:36 AM CC3 - CertPreps

The discovery that an employee could access a restricted area using an outdated badge despite lacking
authorization for an extended period highlights a critical lapse in the process for updating access
permissions following changes in employee roles or statuses. The primary focus of the security
investigation should be on auditing this process to identify where the breakdown occurred. This could
involve examining the protocols for communication between HR, security, and IT departments to
ensure that changes in employment status or role are promptly reflected in access permissions. This
incident reveals a systemic issue rather than an isolated event, suggesting that the organization's
procedures for managing access control may be flawed or inadequately enforced. While reviewing the
employee's access logs (A), interviewing the employee (C), and checking physical security measures (D)
are important steps, they address the symptoms rather than the root cause. By focusing on the process
for updating access permissions, the organization can identify and rectify procedural weaknesses or
communication gaps that led to this security oversight, thereby preventing similar incidents in the
future and enhancing overall security posture.

30. A corporate office is assessing its security measures and identifies the need to monitor sensitive
areas, such as server rooms and executive offices, more effectively with its CCTV system. Which of the
following enhancements would BEST fulfill this requirement without compromising privacy concerns?

A. Integrating audio recording capabilities with CCTV cameras

B. Implementing motion-activated recording in these areas

C. Increasing the storage capacity for 24/7 continuous recording

D. Upgrading to 4K resolution cameras for better image quality

Implementing motion-activated recording in sensitive areas like server rooms and executive offices is
the best enhancement to fulfill the requirement of effective monitoring without compromising privacy
concerns. This approach ensures that recording is triggered only when there is activity, which
minimizes unnecessary surveillance and data storage while still capturing potential security incidents.
Audio recording (A) could raise significant privacy issues and legal concerns, as it involves capturing
conversations without explicit consent. Increasing storage capacity for 24/7 continuous recording (C)
ensures comprehensive coverage but does not address privacy concerns and could lead to the
unnecessary collection of vast amounts of data, much of which may not be relevant to security.
Upgrading to 4K resolution cameras (D) improves image quality but also significantly increases the
amount of data generated and stored, again without directly addressing privacy considerations.
Motion-activated recording strikes a balance between security and privacy by focusing resources on
moments of actual activity, making it the most appropriate and effective solution for monitoring
sensitive areas.

31. A cybersecurity analyst notices an anomaly in the network traffic, where a series of requests are
made to a web server in rapid succession, attempting to enumerate valid usernames by incrementing
username parameters in each request. What type of threat is being attempted?

A. SQL Injection

https://certpreps.com/cc3/ 19/62
1/20/25, 12:36 AM CC3 - CertPreps

B. Brute Force Attack

C. Cross-Site Scripting (XSS)

D. Directory Traversal

This scenario describes a brute force attack, where attackers attempt to gain unauthorized access to a
system or data by systematically checking all possible combinations of usernames (in this case),
passwords, or other security credentials until the correct one is found. The distinctive sign of a brute
force attack in this scenario is the rapid succession of requests to the web server, each trying different
username parameters, aiming to discover a valid username. Unlike SQL Injection, which involves
inserting malicious SQL statements into an input field for execution, or Cross-Site Scripting (XSS),
which involves injecting malicious scripts into web pages viewed by others, a brute force attack is more
about persistence and trial-and-error. Directory traversal is a technique used to access files and
directories that are stored outside the web root folder, which does not fit the described activity of
enumerating usernames.

32. Following a data breach, a healthcare provider is reviewing its incident response plan to identify
shortcomings in its risk management practices. The breach was traced back to a phishing attack that
exploited human vulnerabilities. Which of the following improvements would MOST effectively reduce
the risk of a similar incident occurring in the future?

A. Conduct regular security audits of all IT systems and processes.

B. Implement a robust email filtering solution to detect phishing attempts.

C. Increase the frequency of data backups to ensure quicker recovery times.

D. Initiate a comprehensive security awareness training program for all employees.

Initiating a comprehensive security awareness training program for all employees is the most effective
improvement to reduce the risk of future incidents similar to a data breach resulting from a phishing
attack. This approach targets the human element of cybersecurity, which was the exploited
vulnerability in the incident. By educating employees about the risks of phishing attacks, the tactics
used by attackers, and how to recognize and respond to suspicious emails, organizations can
significantly reduce the likelihood of employees inadvertently compromising system security. Security
awareness training empowers employees with the knowledge and skills they need to act as a first line of
defense against cyber threats, making it more difficult for attackers to succeed with phishing attempts.
While regular security audits, implementing email filtering solutions, and increasing the frequency of
data backups are valuable components of a comprehensive cybersecurity strategy, they do not directly
address the human vulnerabilities that led to the breach. By focusing on improving employee awareness
and behavior regarding cybersecurity, the healthcare provider can build a more resilient organization
capable of mitigating the risk of phishing and other social engineering attacks.

https://certpreps.com/cc3/ 20/62
1/20/25, 12:36 AM CC3 - CertPreps

You have not answered this question

33. An online retailer is revising its data retention strategy in light of increasing concerns over data
privacy and security. The retailer processes large volumes of personal data, including customer
names, addresses, and purchase histories. Which strategy should be prioritized to balance
operational needs with privacy concerns?

A. Retaining data for the maximum period allowed by law to ensure a comprehensive customer

purchase history is available for marketing analysis.

B. Deleting all personal data immediately after the transaction is completed to maximize customer

privacy.

C. Implementing a tiered data retention approach that anonymizes personal data after a certain period

but retains aggregated data for trend analysis.

D. Relying solely on customer consent for data retention periods, adjusting the retention timeline based

on individual customer preferences.

The strategy that should be prioritized by the online retailer to balance operational needs with
privacy concerns is C) implementing a tiered data retention approach that anonymizes personal
data after a certain period but retains aggregated data for trend analysis. This approach allows the
retailer to continue benefiting from valuable insights into customer behavior and market trends
through the analysis of aggregated data, which does not identify individual customers, thereby
reducing privacy risks. Anonymizing personal data after a specific timeframe helps ensure
compliance with data protection regulations, such as the General Data Protection Regulation
(GDPR), and addresses customer privacy concerns by limiting the amount of time personal data is
kept in identifiable form. Option A may conflict with data minimization principles and privacy
regulations. Option B, while prioritizing privacy, may not be practical for operational and customer
service purposes, such as handling returns or customer inquiries. Option D places an undue burden
on customers to understand and manage data retention preferences and may not ensure
compliance with legal requirements for data retention and protection.

34. Following the introduction of a new international data protection regulation, a tech company needs
to ensure its privacy policy complies with cross-border data transfer rules. What is the most important
addition to the privacy policy to meet these requirements?

A. Detailing the specific countries to which data may be transferred and the legal mechanisms in place for

such transfers.

B. Requiring user consent for each instance of cross-border data transfer.

C. Implementing end-to-end encryption for data in transit between countries.

https://certpreps.com/cc3/ 21/62
1/20/25, 12:36 AM CC3 - CertPreps

D. Limiting cross-border transfers to only those necessary for the performance of a contract with the user.

Detailing the specific countries to which data may be transferred and the legal mechanisms in place for
such transfers is the most important addition to the privacy policy to comply with international data
protection regulation concerning cross-border data transfers. This addition addresses the transparency
and accountability requirements of such regulations by informing users about where their data might
be processed and the safeguards that are in place to protect their data in accordance with the
regulation's standards. It helps build trust with users by demonstrating the company's commitment to
protecting their data regardless of where it is processed. While requiring user consent for each transfer
(Option B) can be part of compliance, it may not be practical or sufficient on its own for all types of data
transfers, especially those that are integral to the service provided. Implementing end-to-end
encryption (Option C) is a good security practice but does not address the regulatory requirements for
transparency and legal justification for cross-border data transfers. Limiting transfers to those
necessary for the performance of a contract (Option D) is one legal mechanism for transfer, but it does
not provide the comprehensive information about cross-border data transfer practices that detailing
the countries and legal mechanisms does, making Option A the most critical addition for compliance
and user trust.

35. An IT company is planning to build a new data center in an area prone to natural disasters, including
floods and earthquakes. To ensure the resilience of the data center's environmental controls against
these potential threats, which of the following design considerations should be prioritized?

A. Elevate the data center's foundation and critical infrastructure above flood levels.

B. Design the data center with flexible building materials that can withstand earthquake vibrations.

C. Implement an advanced fire suppression system to protect against wildfires.

D. Ensure all environmental control systems are equipped with backup power sources.

Elevating the data center's foundation and critical infrastructure above flood levels is the most crucial
design consideration to ensure resilience against natural disasters in an area prone to floods and
earthquakes. This proactive measure significantly reduces the risk of water damage to essential
hardware and electrical systems, which is vital for maintaining continuous operations during and after a
flood event. By situating the data center and its critical components above known flood levels, the
organization can safeguard against one of the most common and destructive natural disasters, ensuring
the protection of valuable IT assets and data. While designing the data center with flexible building
materials (Option B) is important for earthquake resilience, and implementing an advanced fire
suppression system (Option C) is crucial for wildfire-prone areas, these measures do not directly
address the immediate threat posed by flooding. Ensuring backup power sources for environmental
control systems (Option D) is also essential for overall disaster preparedness but does not specifically
mitigate the risk of flood damage to the data center infrastructure. Thus, elevating the foundation and
critical infrastructure represents a targeted and effective strategy to protect against the environmental
impacts of flooding, ensuring the long-term viability and operational integrity of the data center in a
disaster-prone region.

https://certpreps.com/cc3/ 22/62
1/20/25, 12:36 AM CC3 - CertPreps

36. A cybersecurity analyst is tasked with verifying the integrity of files received after a data migration
between two data centers. The analyst decides to use hashing to ensure that the files were not altered
during the transfer. Which of the following actions should the analyst take to accomplish this?

A. Compare the file sizes before and after the migration.

B. Encrypt the files before migration and decrypt them after migration.

C. Generate and compare hash values of the files before and after the migration.

D. Use a symmetric encryption algorithm to verify the files' integrity.

The most effective action the analyst can take to verify the integrity of files received after a data
migration is C, generate and compare hash values of the files before and after the migration. Hashing
functions generate a unique, fixed-size string (hash) based on the input (the file content in this case),
which changes dramatically even with a minor alteration of the input. By generating hashes of the files
before migration and comparing them with the hashes of the files after migration, the analyst can
ensure that the files have not been altered in transit. This method is effective because it is
computationally infeasible to find two different inputs that produce the same hash output, making
hashes reliable indicators of file integrity. Options A and D do not provide the same level of assurance
because file sizes can remain the same despite modifications, and using symmetric encryption without
a comparison of pre- and post-migration states does not verify integrity. Option B, while ensuring
confidentiality during migration, does not directly verify integrity unless combined with hashing or
another form of integrity check.

37. In an effort to secure personal devices used for work, a company's BYOD policy mandates the use of
encrypted communication for accessing corporate email. Which of the following options best aligns
with this policy requirement?

A. Configuring email clients on personal devices to use SSL/TLS when connecting to the corporate email

server.

B. Restricting email access on personal devices to within the corporate office premises only.

C. Allowing only web-based access to corporate email from personal devices without requiring encryption.

D. Permitting access to corporate email from personal devices over public Wi-Fi networks without

additional security measures.

Configuring email clients on personal devices to use SSL/TLS (Secure Sockets Layer/Transport Layer
Security) when connecting to the corporate email server directly aligns with the mandate for encrypted
communication and is the most secure option provided. SSL/TLS encryption ensures that all data
transmitted between the email client and the server is encrypted, protecting the confidentiality and
integrity of corporate email communication from eavesdropping or interception, particularly when

https://certpreps.com/cc3/ 23/62
1/20/25, 12:36 AM CC3 - CertPreps

used over unsecured networks. This approach allows employees to securely access their corporate
email from any location, addressing the BYOD policy requirement without unnecessarily restricting
access to corporate resources like restricting email access to corporate premises (Option B) or allowing
potentially insecure web-based access without encryption (Option C). Permitting access over public
Wi-Fi without additional security measures (Option D) poses significant security risks and would
contravene the policy's emphasis on encrypted communication for protecting sensitive corporate
information.

38. A university utilizes a DAC system for its online learning platform. Professors have the ability to
create course materials and decide who can access them. Professor Johnson wants to ensure that only
students enrolled in her class can view and interact with the course content, while also allowing a TA to
manage and update the content. Which of the following access control setups should she use?

A. Set the course material to "public" to ensure all students can easily access the content without specific

permissions.

B. Grant read and write access to the TA and read-only access to students enrolled in her class.

C. Assign full control over the course materials to all students and the TA to foster a collaborative learning

environment.

D. Provide the TA with the link to the materials, instructing them to share it with the enrolled students.

In a Discretionary Access Control (DAC) system, the owner of the resource (in this case, Professor
Johnson) has the discretion to set access permissions based on her assessment of what is necessary and
appropriate for her course materials. The best setup to meet her requirements is to grant read and
write access to the Teaching Assistant (TA) and read-only access to students enrolled in her class (B).
This arrangement allows the TA to manage and update the course content, reflecting the trust and
responsibility placed in the TA's role, while ensuring that students can view and interact with the
materials without the ability to alter them, preserving the integrity of the educational content. Setting
the course material to "public" (A) would violate privacy and security policies by allowing unrestricted
access. Assigning full control to all students and the TA (C) could lead to unintentional or malicious
modifications of the content, disrupting the educational process. Providing the TA with the link and
instructing them to share it with enrolled students (D) does not adequately control access or leverage
the capabilities of the DAC system to directly manage permissions, potentially leading to unauthorized
access if the link is shared beyond the intended audience. The chosen setup (B) effectively utilizes DAC
to balance the need for content integrity with the collaborative and dynamic nature of an educational
environment.

39. A multinational corporation with offices in multiple countries is updating its cybersecurity policy to
include guidelines for remote work. The policy must accommodate diverse legal and cultural
environments, ensuring data protection across different jurisdictions. What strategy should the policy
include to address these requirements effectively?

A. Standardize remote work policies across all jurisdictions without exception.

https://certpreps.com/cc3/ 24/62
1/20/25, 12:36 AM CC3 - CertPreps

B. Tailor remote work policies to comply with the local laws of each jurisdiction.

C. Prohibit remote work in jurisdictions with stringent data protection laws.

D. Require all remote work to be conducted through company-provided VPNs, regardless of location.

Tailoring remote work policies to comply with the local laws of each jurisdiction (Option B) is the most
effective strategy for a multinational corporation to ensure that its cybersecurity policy accommodates
diverse legal and cultural environments. This approach acknowledges the complexity of operating
across multiple countries with varying data protection regulations and cultural practices. By
customizing the policy to align with local laws, the organization can ensure compliance, reduce the risk
of legal penalties, and demonstrate respect for local norms, thereby enhancing its reputation and
operational effectiveness. Standardizing policies without consideration for local differences (Option A)
could lead to non-compliance and alienate employees in different regions. Prohibiting remote work in
certain areas (Option C) might not be feasible or productive, limiting the organization's flexibility and
employee satisfaction. While requiring VPN use (Option D) is a good security practice, it does not fully
address the nuances of legal and cultural differences across jurisdictions. A tailored approach ensures
that the organization's cybersecurity measures are both effective and compliant worldwide.

40. After a security breach, an organization discovered that several servers were missing critical
security patches, leading to the exploitation of known vulnerabilities. The organization decides to
implement security configuration baselines. Which of the following steps should be taken FIRST to
ensure the effectiveness of these baselines?

A. Regularly scheduled security audits to ensure compliance with the baselines.

B. Immediate application of all missing security patches to affected servers.

C. Development of a process for continuous monitoring of security configurations.

D. Creation of a comprehensive inventory of all IT assets and their current security configurations.

Creating a comprehensive inventory of all IT assets and their current security configurations is the first
critical step to ensure the effectiveness of security configuration baselines. This inventory provides a
foundational understanding of the existing IT landscape, including hardware, software, and the current
state of security configurations. It enables the organization to identify discrepancies between the
current configurations and the desired state as defined by the security baselines. This gap analysis is
essential for prioritizing the application of security patches (Option B) and ensuring that all assets are
compliant with the organization's security standards. While regularly scheduled security audits (Option
A) and the development of a process for continuous monitoring (Option C) are important for
maintaining compliance over time, these activities depend on a clear understanding of what assets exist
and their baseline compliance status, which can only be achieved through a comprehensive inventory.
This strategic approach ensures that security measures are systematically applied and maintained
across all IT assets, enhancing the organization's overall security posture.

https://certpreps.com/cc3/ 25/62
1/20/25, 12:36 AM CC3 - CertPreps

41. An enterprise discovers a zero-day vulnerability in a critical application, with no patch available from
the vendor yet. What is the MOST effective interim measure to mitigate the risk associated with this
vulnerability?

A. Completely disable the critical application until a patch is released.

B. Implement compensating controls to mitigate the risk until the patch is available.

C. Continue normal operations but monitor the application for signs of compromise closely.

D. Isolate the application from the network to prevent external access.

Implementing compensating controls to mitigate the risk until a patch is available is the most effective
interim measure to address a zero-day vulnerability in a critical application. Compensating controls
may include additional monitoring, stricter access controls, the application of intrusion detection
systems, or the use of web application firewalls to protect against potential exploitation of the
vulnerability. These measures allow the organization to continue using the application while reducing
the risk of a security breach. This approach enables business operations to proceed with an enhanced
level of security until the vendor releases a patch to address the vulnerability directly. Completely
disabling the critical application (Option A) may not be feasible due to its importance to business
operations. Simply monitoring the application for signs of compromise (Option C) does not proactively
reduce the risk of exploitation. While isolating the application from the network (Option D) can reduce
the risk, it may also severely impact the application's functionality or availability, making compensating
controls a more balanced and effective approach to managing the risk associated with a zero-day
vulnerability.

42. A government agency is migrating its public-facing web applications to a PaaS solution to improve
agility and reduce maintenance overhead. The agency requires a PaaS offering that enables it to
implement stringent access controls and audit trails to enhance security and accountability. Which
PaaS feature is most critical for meeting the agency's needs?

A. Built-in identity and access management (IAM) services.

B. Automated scaling of application instances.

C. Support for serverless computing architectures.

D. Pre-configured machine learning and analytics tools.

The most critical PaaS feature for a government agency migrating its public-facing web applications to
improve agility and reduce maintenance overhead, while requiring stringent access controls and audit
trails, is built-in identity and access management (IAM) services. IAM services within a PaaS offering
provide the tools necessary to manage user identities, authenticate users, and authorize access to
resources based on predefined policies. This capability is essential for the agency to implement the
stringent access controls needed to protect sensitive information and ensure that only authorized
https://certpreps.com/cc3/ 26/62
1/20/25, 12:36 AM CC3 - CertPreps

individuals can access specific functions or data. Additionally, IAM services often include features for
generating and managing audit trails, which are crucial for tracking user actions, enhancing security,
and providing accountability, thereby meeting regulatory and compliance requirements. While
automated scaling (Option B) addresses performance and efficiency, support for serverless computing
architectures (Option C) enables flexibility in application deployment, and pre-configured machine
learning and analytics tools (Option D) offer advanced data analysis capabilities, none directly address
the foundational need for stringent access control and accountability as effectively as built-in IAM
services do, making it the most critical feature for the agency's needs.

43. Following a security breach, a retail company is overhauling its data access procedures to prevent
unauthorized access to customer information. The current procedures do not adequately restrict
access based on user roles. Which of the following updates would MOST effectively prevent
unauthorized access while ensuring legitimate business needs are met?

A. Implementing a tiered data access model based on employee seniority.

B. Applying strict role-based access control (RBAC) mechanisms for all data systems.

C. Increasing the complexity requirements for user passwords across the organization.

D. Introducing an annual compliance audit to review data access levels and permissions.

Applying strict role-based access control (RBAC) mechanisms for all data systems (Option B) is the most
effective update to prevent unauthorized access to customer information while accommodating
legitimate business needs. RBAC is a method of restricting system access to authorized users based on
their specific roles within the organization. This ensures that individuals can only access the
information and resources necessary for their job functions, adhering to the principle of least privilege.
RBAC mechanisms enable precise control over access rights, reducing the risk of unauthorized data
exposure by ensuring that access is granted based on roles that align with the users' responsibilities.
While a tiered access model (Option A), enhanced password policies (Option C), and annual audits
(Option D) contribute to overall security posture, they do not directly address the issue of access
control with the same specificity and effectiveness as RBAC. By clearly defining and enforcing access
based on roles, RBAC provides a targeted and efficient means to safeguard customer information,
directly addressing the shortcomings identified in the wake of the security breach.

44. In the context of industrial control systems (ICS) used in energy production, which approach to
network security should be prioritized to protect against targeted cyberattacks without compromising
system performance?

A. Encrypting all data within the ICS network to prevent unauthorized access and data breaches.

B. Utilizing a single, robust firewall at the network perimeter to defend against external threats.

C. Implementing segmentation to isolate production control systems from administrative and other non-

critical networks.

https://certpreps.com/cc3/ 27/62
1/20/25, 12:36 AM CC3 - CertPreps

D. Requiring biometric authentication for all users accessing the ICS network to enhance access control.

Implementing segmentation to isolate production control systems from administrative and other non-
critical networks is the most effective approach to network security for industrial control systems (ICS)
used in energy production. This strategy ensures that critical components of the ICS, responsible for
managing and monitoring energy production, are segregated from less critical parts of the network. By
creating separate network segments, the energy company can apply specific security policies and
controls to the production control systems, minimizing the risk of a targeted cyberattack spreading
across the network and affecting system performance. Segmentation helps in limiting the attack
surface and provides an additional layer of protection, making it more difficult for attackers to reach
and compromise critical infrastructure components. Unlike encrypting all data within the network
(Option A), which secures data but does not prevent system access by attackers, or utilizing a single
firewall at the perimeter (Option B), which leaves the internal network vulnerable to lateral movement,
and requiring biometric authentication (Option D), which strengthens access control but does not
address internal network threats, network segmentation offers a comprehensive and performance-
sensitive method for safeguarding critical ICS components in the energy sector.

45. An organization implements an anomaly-based intrusion detection system (IDS) as part of its
network security infrastructure. Shortly after deployment, the IDS begins to generate alerts for what
appears to be normal user activity, such as large file transfers during business hours. What type of scan
might be causing these false positives, and how should the organization adjust its IDS settings?

A. ARP Scan; Configure the IDS to recognize legitimate network hardware addresses.

B. Behavior Scan; Tune the IDS to better understand normal network behavior and reduce sensitivity.

C. Service Scan; Whitelist known internal services and their communication patterns in the IDS.

D. Compliance Scan; Update the IDS ruleset to align with regulatory compliance requirements.

The generation of alerts by an anomaly-based intrusion detection system (IDS) for normal user
activities, such as large file transfers during business hours, suggests that the IDS may be overly
sensitive to patterns of behavior that are not actually indicative of a threat. This situation doesn't
directly describe a specific type of external scan causing false positives, but rather an internal challenge
with the IDS's ability to accurately differentiate between normal and malicious activities. The
appropriate response is to tune the IDS to better understand normal network behavior, thereby
reducing its sensitivity to legitimate activities that are being mistakenly flagged as suspicious. This
process, sometimes referred to as behavior scanning or behavior analysis adjustment within the context
of IDS tuning, involves configuring the IDS to recognize and allow for normal variations in network
traffic patterns. By doing so, the organization can minimize false positives without compromising the
IDS's ability to detect genuine threats. Configuring the IDS to recognize legitimate network hardware
addresses, whitelisting known internal services, and updating the IDS ruleset for compliance may all be
parts of maintaining an IDS but do not specifically address the issue of an IDS generating false positives
due to normal business activities as effectively as tuning the system to better understand and
accommodate normal behavior patterns.

https://certpreps.com/cc3/ 28/62
1/20/25, 12:36 AM CC3 - CertPreps

46. A healthcare provider is transitioning to a new electronic health record (EHR) system and needs to
dispose of old computer equipment that stored patient data. What is the most critical factor to consider
when selecting a data destruction service provider for this task?

A. The cost of the data destruction service.

B. The geographical location of the service provider.

C. The data destruction methods and standards used by the provider.

D. The time it will take for the service provider to complete the destruction process.

The most critical factor to consider when selecting a data destruction service provider for disposing of
old computer equipment that stored patient data is C) the data destruction methods and standards
used by the provider. For healthcare providers, maintaining the confidentiality and security of patient
data is paramount, and this extends to the disposal of data and equipment. The selected service
provider must use data destruction methods that comply with legal and regulatory requirements, such
as those specified by HIPAA in the United States, which ensure that the data cannot be reconstructed
or recovered. The methods might include physical destruction, degaussing, or advanced overwriting
techniques that adhere to recognized standards like NIST guidelines for media sanitization. While
factors such as cost (A), geographical location (B), and the time required for destruction (D) are practical
considerations, they do not outweigh the importance of ensuring that the chosen methods of
destruction meet the necessary security standards to protect sensitive patient information effectively.
The integrity and compliance of the data destruction process are crucial in preventing potential data
breaches and maintaining patient trust.

47. An international NGO with remote workers worldwide is implementing a new data management
system. To ensure secure access, the organization plans to use MFA. Considering the diverse and often
unstable internet connectivity in various regions, which MFA method would be most suitable?

A. Biometric authentication.

B. Time-based One-Time Passwords (TOTP) via a mobile app.

C. Hardware security tokens.

D. Voice recognition systems.

Hardware security tokens are the most suitable MFA method for an international NGO with remote
workers facing diverse and often unstable internet connectivity. These tokens generate a code used in
conjunction with a password, offering a reliable form of MFA that does not rely on internet connectivity.
Unlike biometric authentication (Option A) and voice recognition systems (Option D), which may
require stable internet for verification processes or updates, hardware tokens operate independently of
network conditions, ensuring consistent access. TOTP via a mobile app (Option B) also provides secure
authentication but can be challenging in areas with poor internet service, as it may prevent the app
https://certpreps.com/cc3/ 29/62
1/20/25, 12:36 AM CC3 - CertPreps

from syncing accurately. Hardware tokens, therefore, provide a universally accessible solution that
ensures high security without depending on the availability of internet service, making it particularly
suitable for organizations with a global, remote workforce operating in varied connectivity conditions.

48. A security researcher discovers that an attacker can reconstruct a secret key used in a hardware
encryption module by measuring and analyzing the sound emitted by the module during operation.
This type of attack relies on the high-pitched noise produced by certain electronic components under
stress. Which type of side-channel attack does this represent, and what preventative action can be
taken?

A. Differential power analysis; Apply frequency filtering

B. Acoustic cryptanalysis; Implement sound-dampening measures

C. Electromagnetic analysis; Use conductive paint for shielding

D. Cache timing attack; Randomize cache access patterns

This scenario describes acoustic cryptanalysis, a form of side-channel attack where an attacker
reconstructs secret keys or sensitive information by measuring and analyzing the sounds emitted by
electronic components during operation. The attack exploits the fact that different operations can
produce distinct sounds, especially the high-pitched noise generated by electronic components under
stress, such as capacitors or inductors in a power supply. The preventative action most effective against
acoustic cryptanalysis is the implementation of sound-dampening measures around the hardware
encryption module or in the environment where sensitive operations occur. These measures can
include using materials that absorb sound or constructing barriers that prevent sound from traveling.
By reducing the ability of an attacker to clearly capture the sounds associated with cryptographic
operations, sound-dampening significantly complicates the process of acoustic cryptanalysis, making it
more challenging to derive meaningful information from the captured audio. Differential power
analysis, electromagnetic analysis, and cache timing attacks exploit different physical phenomena, such
as power consumption, electromagnetic emissions, and timing information, respectively, each requiring
their specific countermeasures, such as filtering, shielding, and randomization, which do not address
the unique challenges posed by acoustic side-channel attacks.

49. An organization plans to decommission old servers that contain sensitive customer information.
What is the most effective method to ensure that the data cannot be recovered once the servers are
disposed of?

A. Formatting the hard drives in the servers.

B. Performing a full disk encryption before decommissioning.

C. Degaussing the hard drives to disrupt the magnetic data.

D. Deleting all files and folders from the server’s operating system.

https://certpreps.com/cc3/ 30/62
1/20/25, 12:36 AM CC3 - CertPreps

The most effective method to ensure that data cannot be recovered once the servers are disposed of is
C) degaussing the hard drives to disrupt the magnetic data. Degaussing is a process that uses a high-
powered magnet to disrupt the magnetic field of the storage medium, effectively destroying all data
stored on the hard drive, making it unrecoverable. This method is particularly suitable for dealing with
sensitive information, as it addresses the risk of data recovery by forensic methods that could
potentially be used on hard drives that have only been formatted (A) or had their files deleted (D). Full
disk encryption (B) is a preventive measure that protects data while the disk is in use but does not
prevent data recovery if the encryption keys are also compromised or if the drive is accessed by
sophisticated means post-decommissioning. Degaussing ensures the physical destruction of data,
aligning with best practices for data handling and the secure disposal of storage media containing
sensitive information.

50. In response to regulatory requirements, a financial institution needs to ensure that all inbound
email traffic is inspected for potential threats before reaching the internal network. The institution
already has a firewall in place. What feature or additional component should be integrated with the
firewall to meet this specific need?

A. Intrusion Prevention System (IPS) to actively block identified threats in email traffic.

B. A dedicated email security gateway to scan incoming emails for malware and phishing attempts.

C. Anomaly-based detection system to identify unusual patterns in email traffic.

D. A virtual private network (VPN) gateway to secure and encrypt all incoming email traffic.

Integrating a dedicated email security gateway with the existing firewall is the most effective solution
to meet the regulatory requirements of inspecting all inbound email traffic for potential threats before
it reaches the internal network of the financial institution. An email security gateway is specifically
designed to scan incoming (and outgoing) emails for various types of threats, including malware,
phishing attempts, spam, and other malicious content. By filtering and sanitizing email traffic at the
gateway level, it ensures that only clean, threat-free emails are delivered to the recipients within the
organization. This approach directly addresses the need for comprehensive email security by providing
targeted protection against email-based threats, which are common vectors for cyber attacks. While an
Intrusion Prevention System (IPS) can block threats in network traffic and an anomaly-based detection
system can identify unusual patterns, neither is as specifically tailored to the nuances of email security
as an email security gateway. A VPN gateway secures and encrypts traffic but does not provide the
content inspection or threat detection capabilities required for email security compliance. Therefore, a
dedicated email security gateway offers the specialized functionality necessary to fulfill the institution's
regulatory obligations regarding email traffic inspection.

51. A cloud service provider is looking to enhance the security of its multi-tenant environment, where
different clients' data and applications are hosted on shared infrastructure. The provider wants to
ensure that a breach in one client's environment does not compromise another's. Which approach to
network security should be prioritized to meet this requirement?

A. Implementing traditional firewall rules at the perimeter of the cloud environment.

https://certpreps.com/cc3/ 31/62
1/20/25, 12:36 AM CC3 - CertPreps

B. Deploying micro-segmentation to isolate each client's environment within the cloud infrastructure.

C. Utilizing a single, strong encryption method for data at rest and in transit across the entire cloud

environment.

D. Establishing a Virtual Private Network (VPN) for each client accessing the cloud services.

Deploying micro-segmentation to isolate each client's environment within the cloud infrastructure is
the most effective approach to enhancing the security of a multi-tenant environment offered by a cloud
service provider. Micro-segmentation goes beyond traditional perimeter security by dividing the cloud
environment into distinct security segments down to the workload level. This allows for fine-grained
security policies to be applied to individual or groups of workloads, effectively isolating each client's
environment from others. In the event of a breach, micro-segmentation limits the attacker's lateral
movement within the cloud infrastructure, significantly reducing the risk of compromise to other
clients' data and applications. Unlike traditional firewall rules that primarily focus on perimeter defense
(Option A), micro-segmentation provides in-depth defense inside the perimeter. While encryption
(Option C) is crucial for protecting data privacy, it does not prevent unauthorized access within the
cloud environment. A VPN (Option D) secures the connection from clients to the cloud services but
does not address the isolation of environments within the cloud infrastructure. Therefore, micro-
segmentation stands out as the strategic choice for ensuring robust security in a shared cloud
environment, aligning with the provider's goal of safeguarding each client's assets independently.

52. A healthcare provider is transitioning from paper-based patient records to a digital Electronic
Health Record (EHR) system. The organization wants to ensure the confidentiality of patient
information while enabling access for authorized medical staff. Which of the following solutions would
best balance accessibility with confidentiality?

A. Deploying antivirus software on all devices accessing the EHR system.

B. Utilizing a Virtual Private Network (VPN) for remote access to the EHR system.

C. Implementing an attribute-based access control (ABAC) system for the EHR.

D. Regularly backing up EHR data to an offsite location.

Implementing an attribute-based access control (ABAC) system for the Electronic Health Record (EHR)
system best balances the need for accessibility with the need for confidentiality. ABAC allows for fine-
grained access control by evaluating a set of policies that consider multiple attributes of the user, the
resource being accessed, and the context of the access request. This means access decisions can be
dynamically made based on the role, department, or even the time of day, ensuring that medical staff
have access to patient information necessary for their duties while preventing unauthorized access.
Deploying antivirus software (Option A) is essential for protecting systems from malware but does not
directly contribute to data confidentiality in terms of access control. Utilizing a Virtual Private Network
(VPN, Option B) provides secure remote access but does not address fine-grained access control within
the system itself. Regularly backing up data (Option D) is critical for data recovery but does not impact
the confidentiality of patient information in terms of access control. ABAC's flexible and dynamic nature

https://certpreps.com/cc3/ 32/62
1/20/25, 12:36 AM CC3 - CertPreps

makes it the optimal choice for healthcare providers looking to secure digital patient records while
ensuring that authorized staff can access the information they need to provide care.

53. An international corporation is looking to enhance its VPN access security for remote employees
across various regions. Given the critical need for both secure and flexible access, which authentication
method should the corporation prioritize to ensure a high level of security without significantly
impacting user experience?

A. Pre-shared keys for all employees.

B. Digital certificates based on Public Key Infrastructure (PKI).

C. Reusable passwords updated quarterly.

D. Security questions based on personal information.

Digital certificates based on Public Key Infrastructure (PKI) offer the optimal solution for enhancing
VPN access security for a globally dispersed workforce. This method leverages asymmetric
cryptography to authenticate users through digital certificates, ensuring that only authorized users can
access the VPN. Unlike pre-shared keys (Option A), which can become a security risk if compromised
and are less practical for a large number of users due to management complexity, PKI certificates
provide a scalable and secure authentication mechanism. Reusable passwords (Option C), even when
updated quarterly, remain vulnerable to phishing, brute force, and social engineering attacks. Security
questions (Option D) are inherently insecure due to the predictable and often publicly accessible nature
of the information they rely on. PKI certificates, on the other hand, offer a robust layer of security by
binding public keys with user identities through a trusted certificate authority, ensuring that users are
who they claim to be without significantly impacting the user experience. This method effectively
mitigates risks associated with password theft and unauthorized access, making it particularly suitable
for an organization needing secure, manageable, and scalable remote access solutions.

54. A financial services firm is implementing a hybrid cloud strategy to improve its agility in developing
and deploying new financial products. The firm is concerned about the potential for data breaches and
regulatory non-compliance. What architectural consideration is MOST critical for the firm's hybrid
cloud environment?

A. Centralized management and monitoring of cloud resources across both on-premise and public cloud

environments.

B. Deployment of financial applications exclusively in the public cloud for enhanced agility.

C. Use of public cloud resources for non-sensitive development and testing, while keeping sensitive data

on-premise.

D. Consolidation of all regulatory compliance functions in the on-premise component of the hybrid cloud.

https://certpreps.com/cc3/ 33/62
1/20/25, 12:36 AM CC3 - CertPreps

Centralized management and monitoring of cloud resources across both on-premise and public cloud
environments is the most critical architectural consideration for the financial services firm
implementing a hybrid cloud strategy. This approach enables the firm to maintain a comprehensive
overview of its entire hybrid cloud infrastructure, facilitating the consistent application of security
policies, regulatory compliance measures, and risk management practices across all components.
Centralized management ensures that any changes, threats, or compliance deviations are quickly
identified and addressed, regardless of whether they occur in the on-premise or public cloud portion of
the hybrid environment. This holistic oversight is crucial for a financial services firm, where data
breaches can have significant legal and reputational repercussions, and regulatory compliance is non-
negotiable. While deploying financial applications in the public cloud (Option B) and using public cloud
resources for non-sensitive tasks (Option C) can contribute to agility and security, respectively, and
consolidating compliance functions on-premise (Option D) may seem like a straightforward approach to
meeting regulatory requirements, none of these options provides the same level of comprehensive
control and oversight as centralized management and monitoring does, making it the most critical
consideration for ensuring data security and regulatory compliance in a hybrid cloud environment.

55. In response to increasing cyber threats, a government agency is revising its cybersecurity strategy
to align with both national security policies and international cybersecurity standards. The agency's
primary goal is to protect critical infrastructure and sensitive data from sophisticated cyber-attacks.
Which of the following frameworks should the agency prioritize to achieve this alignment?

A. The National Institute of Standards and Technology (NIST) Cybersecurity Framework.

B. The Payment Card Industry Data Security Standard (PCI DSS).

C. The General Data Protection Regulation (GDPR) for data protection.

D. ISO/IEC 27002 for information security controls.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (Option A) should
be the agency's priority to achieve alignment with both national security policies and international
cybersecurity standards while protecting critical infrastructure and sensitive data. The NIST
Cybersecurity Framework is designed to help organizations manage and reduce cybersecurity risk in a
comprehensive manner, particularly focusing on industries vital to national and economic security,
including energy, banking, and healthcare sectors. It provides a policy framework of computer security
guidance for how private sector organizations in the U.S. can assess and improve their ability to
prevent, detect, and respond to cyber attacks. The framework's flexibility allows it to be implemented
across various sectors and can complement existing processes. It encourages organizations to align
their cybersecurity practices with their specific needs, risk tolerances, and resources, making it highly
effective for government agencies tasked with protecting critical infrastructure. While PCI DSS (Option
B) is focused on payment card security, GDPR (Option C) on data protection within the EU, and ISO/IEC
27002 (Option D) provides guidelines for information security controls, the NIST Cybersecurity
Framework offers a more comprehensive approach suitable for a government agency's broader security
objectives. It facilitates the integration of cybersecurity practices into an organization's risk
management processes, thereby enhancing the protection of critical infrastructure and sensitive
information against a wide array of cyber threats.

https://certpreps.com/cc3/ 34/62
1/20/25, 12:36 AM CC3 - CertPreps

56. A company's IT department is implementing a remote access solution for employees. They want to
ensure that the solution provides secure, encrypted communication for accessing internal resources.
Which of the following protocols should be used for the remote access solution?

A. Telnet

B. SSH

C. HTTP

D. FTP

SSH (Secure Shell) is the optimal protocol for providing a secure, encrypted communication channel for
remote access solutions. SSH encrypts all data transmitted between the client and the server, including
login credentials and the data being transferred, protecting against eavesdropping and man-in-the-
middle attacks. This makes it particularly suitable for securely accessing internal resources over
potentially insecure networks, such as the internet. Telnet (Option A) offers unencrypted
communication, which exposes data to interception. HTTP (Option C) is primarily used for transferring
web pages and does not inherently provide encryption for secure access to internal resources, unless
used in conjunction with SSL/TLS as HTTPS. FTP (Option D), while used for file transfers, also does not
provide encryption for data in transit, making it unsuitable for secure remote access without additional
security measures like FTP over SSL/TLS. Therefore, SSH stands out as the most appropriate protocol
for implementing a remote access solution that requires secure, encrypted communication.

57. A social media company is developing a new feature that uses location data to suggest friends and
content. To align with privacy principles, what mechanism should be implemented to ethically use this
data?

A. Collecting location data without user consent to improve the accuracy of suggestions

B. Providing users with clear options to opt-out of location tracking

C. Using only past location data for suggestions

D. Anonymizing user data before processing for suggestions

Providing users with clear options to opt-out of location tracking is the mechanism that most aligns
with privacy principles for the ethical use of location data in developing new social media features. This
approach empowers users by giving them control over their personal data, allowing them to choose
whether or not to participate in location-based services. Unlike Collecting location data without user
consent (Option A), which violates privacy norms and potentially legal requirements by not allowing
users control over their personal information, and Using only past location data for suggestions (Option
C), which may reduce privacy concerns but still involves the use of personal data without ongoing
consent, and Anonymizing user data before processing for suggestions (Option D), which is a step
towards privacy but does not address the core issue of user control and consent, providing clear opt-
https://certpreps.com/cc3/ 35/62
1/20/25, 12:36 AM CC3 - CertPreps

out options directly addresses the need for transparency and user autonomy in privacy practices. This
method ensures that the social media company respects user preferences and adheres to privacy
regulations that require informed consent for the collection and use of personal data, thereby building
trust and ensuring ethical engagement with location-based features.

58. A company deploys an intrusion prevention system (IPS) to detect and prevent malicious network
traffic automatically. Following a DDoS attack, it was observed that the IPS was unable to prevent the
website from going offline. Which of the following is the MOST likely reason the IPS was ineffective
against the DDoS attack?

A. The IPS was configured to monitor outbound traffic only.

B. The DDoS attack utilized encrypted traffic.

C. The attack volume exceeded the processing capacity of the IPS.

D. The IPS signatures were not up to date.

In the context of a DDoS attack, the most likely reason an intrusion prevention system (IPS) would fail
to prevent the website from going offline is that the attack volume exceeded the processing capacity of
the IPS. DDoS attacks are characterized by overwhelming the target with a flood of internet traffic,
which can surpass the hardware and software limitations of security devices such as IPS. When the
volume of malicious traffic is too high, the IPS itself can become a bottleneck, unable to process and
filter out malicious packets quickly enough, leading to a denial of service. This scenario is less about the
configuration for monitoring traffic direction, the use of encrypted traffic, or the currency of IPS
signatures, and more about the sheer scale of the DDoS attack overwhelming the IPS's ability to
function effectively under extreme load.

59. A global financial institution plans to enhance its network infrastructure to ensure uninterrupted
service to its customers worldwide. The institution's current setup experiences occasional downtime
during peak transaction periods. Which of the following strategies would MOST effectively improve
network redundancy and reduce the risk of downtime?

A. Implementing load balancers to distribute network traffic evenly across multiple servers.

B. Upgrading the bandwidth of the existing internet connection to handle peak loads.

C. Deploying additional firewalls to improve network security and prevent potential cyberattacks.

D. Migrating all physical servers to cloud-based solutions to ensure scalability during peak times.

Implementing load balancers to distribute network traffic evenly across multiple servers is the most
effective strategy to improve network redundancy and reduce the risk of downtime, especially during
peak transaction periods for a global financial institution. Load balancers enhance the availability and
reliability of network resources by automatically distributing incoming traffic across several servers,
preventing any single server from becoming overwhelmed. This ensures that no single point of failure
https://certpreps.com/cc3/ 36/62
1/20/25, 12:36 AM CC3 - CertPreps

can compromise the entire network, significantly reducing downtime and improving the user
experience. While upgrading the bandwidth (Option B) can alleviate congestion, it does not address the
issue of a server or service point failing. Deploying additional firewalls (Option C) improves security but
does not directly contribute to network redundancy or performance during high load times. Migrating
to cloud-based solutions (Option D) offers scalability, but without proper load balancing, this alone may
not fully prevent downtime during unexpected surges in demand. Therefore, load balancers provide a
critical layer of redundancy that directly addresses the institution's need for high availability and
resilience in its network infrastructure.

60. A company's AUP explicitly prohibits the installation of unauthorized software on company
computers to mitigate security risks. Which of the following scenarios most directly contravenes this
aspect of the AUP?

A. An employee uses a licensed company software for a personal project after hours.

B. A manager approves the temporary use of a free trial version of a data analysis tool for a specific project.

C. An IT specialist installs an open-source tool on a company server for testing purposes without prior

approval.

D. Employees use a web-based project management tool not listed in the AUP for team collaboration.

An IT specialist installing an open-source tool on a company server for testing purposes without prior
approval directly violates the AUP's prohibition against the installation of unauthorized software. The
AUP is designed to prevent security risks associated with unvetted software, which can include
vulnerabilities, malware, or incompatibilities with existing security policies and controls. While using
licensed company software for personal projects (Option A) may breach the AUP's terms regarding
personal use, it does not introduce the same level of risk as unauthorized installations. A manager's
approval of software for specific projects (Option B) suggests a level of oversight and potential vetting,
aligning with controlled exceptions within the AUP. Using a web-based tool for collaboration (Option D)
might skirt the edges of the AUP's restrictions but does not involve installing software on company
systems, thus posing less immediate security risk. The act of installing software without approval,
especially on critical infrastructure like servers, bypasses security controls and vetting processes
essential for maintaining the integrity, confidentiality, and availability of company data and systems.

61. A network administrator is setting up a secure communication channel over the internet for a
remote office connection. The goal is to ensure that data transmitted remains confidential and is not
altered during transit. Focusing on the OSI model, which layer is MOST critical in providing a secure
tunnel for data transmission?

A. Layer 3 (Network Layer)

B. Layer 4 (Transport Layer)

C. Layer 5 (Session Layer)

https://certpreps.com/cc3/ 37/62
1/20/25, 12:36 AM CC3 - CertPreps

D. Layer 6 (Presentation Layer)

The Transport Layer (Layer 4) of the OSI model is crucial for setting up secure communication channels
over the internet, as it is responsible for end-to-end communication between host systems. This layer
provides the necessary protocols (such as TCP and UDP) and includes mechanisms for ensuring that
data packets are transmitted reliably and in order. For secure data transmission, protocols like TLS
(Transport Layer Security) and SSL (Secure Sockets Layer) operate at this layer to encrypt data before it
is sent over the network, ensuring that any data transmitted remains confidential and is not altered
during transit. This encryption safeguards the data against eavesdropping and tampering, which are
critical security concerns for remote office connections over the internet. By focusing on the Transport
Layer, network administrators can implement encryption protocols that provide a secure tunnel for
data transmission, meeting the goals of confidentiality and integrity in network communication.

62. In a high-security research facility using Mandatory Access Control (MAC) for its information
system, a researcher is assigned to two projects with different classification levels: "Top Secret" and
"Secret". The researcher's clearance is "Top Secret". How does MAC determine the researcher's access
to project data?

A. The researcher will have access to both "Top Secret" and "Secret" project data due to their "Top Secret"

clearance.

B. Access to "Secret" project data will be automatically restricted to ensure the researcher does not

inadvertently compromise "Top Secret" information.

C. The researcher must choose one project to retain their "Top Secret" clearance, as MAC does not allow

dual classification access.

D. The system requires re-authentication each time the researcher switches between accessing "Top

Secret" and "Secret" project data.

In a Mandatory Access Control (MAC) system, the access to data is determined by the security labels
(clearance for users and classification for data) that are predefined and enforced according to the
security policy. A researcher with a "Top Secret" clearance level in a high-security research facility
would have access to data classified at both "Top Secret" and "Secret" levels (A). This is because, in MAC
systems, individuals are granted access to all information that is classified at their clearance level or
below, ensuring they can access necessary information for their roles while protecting more sensitive
information from lower clearance levels. The principle of MAC is to maintain strict control over access
based on the clearance and classification system, without requiring re-authentication for accessing
data at different classification levels within the user's clearance (D), automatically restricting access to
lower classification levels to prevent data compromise (B), or forcing users to choose access to only one
classification level (C). This system ensures that sensitive information is only accessible to authorized
personnel, according to their clearance level, thus protecting against unauthorized disclosure while
enabling necessary access for operational effectiveness.

https://certpreps.com/cc3/ 38/62
1/20/25, 12:36 AM CC3 - CertPreps

63. A network administrator at a medium-sized company needs to segment the internal network to
improve security and performance. The current network consists of a single broadcast domain, which
includes sensitive financial servers, employee workstations, and a guest Wi-Fi network. Which of the
following actions should the administrator take to best address these requirements?

A. Implement a VLAN for each group of devices based on function.

B. Increase the subnet size to accommodate more hosts.

C. Deploy an additional firewall between the guest Wi-Fi network and the employee workstations.

D. Replace all switches with 10Gbps models to improve performance.

Implementing a VLAN (Virtual Local Area Network) for each group of devices based on function is the
most effective way to segment the internal network to enhance both security and performance. VLANs
enable network segmentation into separate broadcast domains within a single switch or across multiple
switches, which helps isolate sensitive information and manage network traffic more efficiently. In this
scenario, creating separate VLANs for sensitive financial servers, employee workstations, and the guest
Wi-Fi network ensures that sensitive data is isolated and reduces the risk of unauthorized access. This
isolation also limits the broadcast domain size, which can improve network performance by reducing
unnecessary broadcast traffic on segments of the network that do not require it. Increasing the subnet
size (Option B) would actually exacerbate the problem by allowing more hosts into the broadcast
domain, potentially leading to performance degradation and increased security risks. Deploying an
additional firewall (Option C) could enhance security between networks but does not address the issue
of network segmentation or broadcast domain containment. Replacing all switches with 10Gbps models
(Option D) would improve the overall bandwidth but would not address the fundamental issue of
network segmentation for security and performance optimization.

64. An organization implements a new policy where the system administrators are responsible for
configuring and maintaining server settings, while a separate security team is tasked with monitoring
system logs and detecting security incidents. What is the primary security benefit of this policy?

A. It streamlines the process of server configuration and maintenance.

B. It reduces the overall workload for the system administration team.

C. It enhances the detection of unauthorized system changes or potential security incidents.

D. It allows for faster server deployment and configuration changes.

The primary security benefit of having the system administrators responsible for configuring and
maintaining server settings while a separate security team monitors system logs and detects security
incidents (C) lies in the enhanced detection of unauthorized system changes or potential security
incidents. This arrangement exemplifies the principle of segregation of duties by clearly delineating the
responsibilities related to system configuration and security monitoring between two distinct teams.
https://certpreps.com/cc3/ 39/62
1/20/25, 12:36 AM CC3 - CertPreps

This separation ensures that the team making changes to the system (system administrators) is
different from the team monitoring those systems (security team), thereby increasing the likelihood of
detecting unauthorized or malicious activities, configuration errors, or compliance deviations. It
creates an effective system of checks and balances that reduces the risk of insider threats and increases
the organization's resilience to external attacks. While streamlining server configuration (A), reducing
workload for system administrators (B), and allowing for faster server deployment (D) might be
secondary benefits, they do not directly contribute to the enhanced security posture provided by the
segregation of duties. This approach not only improves security incident detection capabilities but also
strengthens the overall security framework of the organization by preventing unauthorized access and
ensuring that any malicious or unintentional misconfigurations are promptly identified and addressed.

65. A security analyst is configuring ACLs (Access Control Lists) on a router to allow only a specific
range of IP addresses from the 172.16.4.0/22 subnet to access a secured server. If the server's IP address
is 172.16.6.50, and the company wants to restrict access to only devices within the fourth quartile of the
subnet's address range, which IP address range should the analyst permit through the ACL?

A. 172.16.4.0 - 172.16.4.255

B. 172.16.5.0 - 172.16.5.255

C. 172.16.6.0 - 172.16.6.255

D. 172.16.7.0 - 172.16.7.255

The subnet 172.16.4.0/22 spans IP addresses from 172.16.4.0 to 172.16.7.255, which includes 1024 IP
addresses (1022 usable addresses, excluding the network and broadcast addresses). This subnet is
divided into four quartiles, each representing a /24 network within the larger /22 subnet. The fourth
quartile of this address range, which corresponds to the highest range of IP addresses within the
subnet, is 172.16.7.0 - 172.16.7.255. This range represents the last 256 addresses of the subnet and aligns
with the company's requirement to restrict access to only devices within the fourth quartile. Options A,
B, and C represent the first, second, and third quartiles of the subnet, respectively, and do not meet the
specified criteria of restricting access to the fourth quartile. By configuring ACLs to permit only IP
addresses from 172.16.7.0 to 172.16.7.255, the security analyst effectively limits access to the secured
server to devices within the desired range, enhancing the server's security posture by ensuring that
only a specific subset of devices on the network can communicate with it.

66. During a routine audit, it was discovered that an unauthorized party had access to an organization's
internal network for months without detection. This breach led to the theft of intellectual property.
What aspect of incident response is primarily highlighted by this failure?

A. The need for regular penetration testing to identify vulnerabilities.

B. The importance of having a robust detection mechanism as part of the incident response plan.

C. The benefit of encrypting all sensitive data to prevent unauthorized access.

https://certpreps.com/cc3/ 40/62
1/20/25, 12:36 AM CC3 - CertPreps

D. The value of conducting regular employee training on cybersecurity awareness.

This scenario emphasizes the critical importance of robust detection mechanisms within an
organization's incident response plan. The unauthorized access to the network that remained
undetected for months illustrates a significant failure in the organization's ability to identify and
respond to security incidents promptly. Detection is a foundational aspect of incident response,
enabling organizations to quickly identify breaches and take swift action to mitigate their impact.
Without effective detection mechanisms, incidents can go unnoticed for extended periods, allowing
attackers to steal valuable information or cause significant damage. The theft of intellectual property in
this case highlights the consequences of inadequate detection capabilities. By prioritizing the
improvement of detection mechanisms, an organization can enhance its ability to identify breaches
early, thereby reducing the opportunity for attackers to inflict harm. While regular penetration testing,
encrypting sensitive data, and conducting cybersecurity awareness training for employees are
important security measures, they do not directly address the failure in detection highlighted by this
scenario. Therefore, emphasizing the importance of robust detection mechanisms is crucial in
preventing similar incidents in the future.

67. A high-security government facility is updating its alarm system to ensure a rapid and coordinated
response to security breaches. Which feature should be prioritized to enhance communication and
response times in the event of an alarm activation?

A. Automatic notification to local law enforcement and designated security personnel

B. Loud audible alarms throughout the facility to ensure all occupants are alerted

C. Visual alarms in addition to audio alarms to cater to hearing-impaired individuals

D. A backup power supply to ensure the alarm system remains operational during power outages

Prioritizing automatic notification to local law enforcement and designated security personnel is
crucial for a high-security government facility looking to enhance communication and response times
following an alarm activation. This feature ensures that as soon as the alarm system detects a breach or
unauthorized access, automated systems immediately alert the necessary authorities and security
teams. This rapid notification process facilitates a swift response, potentially mitigating the impact of
the security breach by reducing the time intruders have inside the facility. While loud audible alarms (B)
and visual alarms (C) are important for ensuring that all occupants are aware of an emergency, they do
not directly facilitate a faster security response to the breach itself. A backup power supply (D) is
critical for maintaining the alarm system's functionality during power outages but does not inherently
improve communication or reduce response times to an active security event. Thus, the automatic
notification feature directly addresses the facility's need for a rapid and coordinated response, marking
it as the most effective enhancement for their updated alarm system.

68. An enterprise is deploying a new mission-critical application that will be hosted in a public cloud
environment. The security team is concerned about the potential for data exfiltration and wants to

https://certpreps.com/cc3/ 41/62
1/20/25, 12:36 AM CC3 - CertPreps

ensure that any outbound traffic from the application is monitored and controlled. Which technical
control should be prioritized to address this concern?

A. Implementation of a cloud access security broker (CASB) to monitor and control cloud traffic.

B. Deployment of endpoint protection platforms (EPP) on all cloud-hosted virtual machines.

C. Configuration of security groups and network ACLs to restrict outbound traffic from the cloud

environment.

D. Integration of a security information and event management (SIEM) system to analyze and alert on

suspicious activities.

Implementing a cloud access security broker (CASB) is the most suitable technical control to address
the concern of monitoring and controlling outbound traffic from a mission-critical application hosted
in a public cloud environment. CASBs provide a point of control over multiple types of cloud services
and applications, allowing organizations to extend their security policies beyond their internal
infrastructure to cloud environments. They are specifically designed to monitor and manage the
security of cloud-hosted applications, including the ability to detect and prevent potential data
exfiltration attempts by analyzing and controlling traffic moving between on-premises devices and
cloud applications. While deploying EPP, configuring security groups and network ACLs, and
integrating a SIEM system are valuable security measures, a CASB directly targets the enterprise's
requirement to monitor and control the specific risks associated with the use of cloud services, making
it the most directly applicable and effective solution for this scenario.

69. A new corporate building is being designed with security in mind. The design includes a single main
entrance with multiple exits, natural surveillance opportunities through open spaces and strategic
placement of windows, and barriers to control access to sensitive areas. Which of the following
environmental design principles does this scenario BEST illustrate?

A. Territorial reinforcement

B. Natural access control

C. Natural surveillance

D. Maintenance

The correct answer is B) Natural access control, which refers to the strategic design of the physical
environment to restrict access to a property or specific areas within it naturally, without the need for
intrusive or obvious security measures. The scenario describes a building designed with a single main
entrance and multiple exits, which naturally guides the flow of people in and out of the building, making
it easier to monitor and control access. The incorporation of natural surveillance opportunities through
open spaces and strategic window placement allows for the passive observation of the environment,
which, while contributing to security, is more about visibility than access control. Territorial
reinforcement (A) is related to creating clear distinctions between public and private spaces but is not

https://certpreps.com/cc3/ 42/62
1/20/25, 12:36 AM CC3 - CertPreps

directly addressed through the measures described. Maintenance (D) is crucial for ensuring that
security measures remain effective over time but is not the focus of this scenario. The scenario
emphasizes the use of the environment to naturally control access, making natural access control the
principle that is best illustrated.

70. A healthcare provider is evaluating its disaster recovery plans in the context of protecting patient
health information (PHI) in compliance with regulatory requirements. Which of the following disaster
recovery strategies would BEST ensure the confidentiality, integrity, and availability (CIA) of PHI during
and after a disaster?

A. Implementing strong encryption for data at rest and in transit, along with geographically dispersed

backups.

B. Focusing solely on physical security measures at the primary data center.

C. Relying on paper records as the primary means of backing up PHI.

D. Decreasing the frequency of data backup to reduce operational costs.

Implementing strong encryption for data at rest and in transit, along with geographically dispersed
backups, is the best disaster recovery strategy for ensuring the confidentiality, integrity, and availability
(CIA) of Patient Health Information (PHI) during and after a disaster. This approach addresses the three
fundamental principles of information security (CIA) in the context of disaster recovery. Encryption
ensures that PHI remains confidential and intact (integrity) by preventing unauthorized access and
alteration. Geographically dispersed backups safeguard against data loss due to localized disasters,
ensuring that PHI is available when needed, regardless of the status of the primary data center. This
strategy aligns with regulatory requirements for protecting PHI, such as those outlined in the Health
Insurance Portability and Accountability Act (HIPAA) in the United States, which mandates the
protection of patient information against unauthorized access and data breaches. Focusing solely on
physical security measures (B), relying on paper records (C), and decreasing the frequency of data
backup (D) are inadequate strategies, as they do not comprehensively address the CIA triad or the
specific challenges of protecting digital PHI in disaster scenarios. This explanation highlights the
importance of a holistic approach to disaster recovery planning that incorporates data encryption,
backup strategies, and compliance with legal and regulatory standards to protect sensitive health
information effectively.

71. During a routine security review, it was found that a company's internal communication platform
could be susceptible to man-in-the-middle (MITM) attacks, potentially allowing an attacker to alter
messages in transit. To mitigate this risk and ensure the integrity and confidentiality of the
communications, which of the following actions should the IT department take?

A. Increase the complexity of user passwords for the communication platform.

B. Implement end-to-end encryption for messages sent on the platform.

C. Conduct regular phishing awareness training for employees.

https://certpreps.com/cc3/ 43/62
1/20/25, 12:36 AM CC3 - CertPreps

D. Deploy an intrusion detection system (IDS) to monitor network traffic.

Implementing end-to-end encryption for messages sent on the platform is the most effective action to
mitigate the risk of man-in-the-middle (MITM) attacks and ensure the integrity and confidentiality of
the communications. End-to-end encryption ensures that messages are encrypted on the sender's
device and can only be decrypted by the intended recipient, making it impossible for attackers to alter
or read the messages even if they manage to intercept them during transmission. This measure directly
addresses the vulnerability to MITM attacks by removing the possibility for attackers to access or
tamper with the messages in transit. Increasing the complexity of user passwords (Option A) enhances
the security of user accounts but does not protect messages in transit. Conducting regular phishing
awareness training (Option C) is important for overall security awareness but does not specifically
address the risk of MITM attacks on the communication platform. Deploying an intrusion detection
system (IDS, Option D) can help detect unauthorized access or anomalies in network traffic but does
not prevent the alteration of messages in transit. End-to-end encryption specifically targets the threat
of message interception and alteration, making it the most direct and effective solution for maintaining
the integrity and confidentiality of internal communications.

72. During a routine audit of network access controls, an auditor finds that an intern has been given the
same network privileges as full-time engineers, including access to sensitive development
environments. What should the auditor recommend to adhere to the principle of least privilege?

A. Maintain the current access levels for the intern until the end of their internship to avoid access

reconfiguration efforts.

B. Restrict the intern's access to only those systems and environments necessary for their assigned tasks.

C. Increase monitoring of the intern's activities rather than adjusting access levels, to avoid impacting their

productivity.

D. Provide the intern with guest access, limiting them to internet access only.

The auditor's discovery that an intern has the same network privileges as full-time engineers is a clear
violation of the principle of least privilege, which stipulates that users should only have access to the
resources that are strictly necessary for their work. Maintaining the current access levels (A) would
ignore the principle and leave the organization vulnerable to both accidental and intentional misuse of
access. Increasing monitoring (C) addresses a symptom of the problem rather than its root cause, which
is inappropriate access level. Providing the intern with guest access only (D) might overly restrict their
ability to perform their duties, potentially impeding their learning and contribution to the organization.
The most appropriate recommendation (B) is to restrict the intern's access to only those systems and
environments necessary for their assigned tasks. This approach aligns with the principle of least
privilege by ensuring that the intern has enough access to learn and contribute effectively without
posing an unnecessary risk to sensitive environments. It balances operational and security needs by
tailoring access rights to the individual's role and responsibilities within the organization.

https://certpreps.com/cc3/ 44/62
1/20/25, 12:36 AM CC3 - CertPreps

73. In the process of upgrading the HVAC system of an existing data center, the project manager must
choose between different cooling technologies to enhance energy efficiency and reliability. The data
center houses high-density server racks that generate significant amounts of heat. Which of the
following cooling technologies would MOST effectively meet these needs?

A. Direct Expansion (DX) cooling system.

B. Cold aisle/hot aisle containment system.

C. In-row cooling system.

D. Chilled beam cooling system.

An in-row cooling system is the most effective technology for a data center housing high-density
server racks that generate significant amounts of heat, aiming to enhance energy efficiency and
reliability. This cooling approach places cooling units directly adjacent to server racks, targeting the
removal of heat at its source and significantly improving cooling efficiency. In-row cooling systems can
be closely controlled and adjusted to match the specific heat load of adjacent servers, reducing energy
consumption by minimizing the cooling of unneeded areas and responding dynamically to changes in
server load. This direct cooling method is more effective and energy-efficient than traditional
centralized cooling approaches, such as Direct Expansion (DX) systems (Option A), which may not
provide the same level of precision in cooling specific high-density areas. While cold aisle/hot aisle
containment systems (Option B) improve airflow management and can be part of an effective cooling
strategy, they do not inherently address the direct cooling of heat generated by high-density racks.
Chilled beam cooling systems (Option D) are generally used in office environments and are not suitable
for the high heat loads typical of data centers. Therefore, the in-row cooling system offers the targeted,
efficient cooling necessary for maintaining optimal temperatures in high-density server environments,
making it the best choice for the data center upgrade.

74. A cybersecurity analyst is investigating a report that an internal application is transmitting sensitive
data insecurely. The application is supposed to encrypt data before sending it across the network. To
confirm the security of the data in transit, the analyst needs to verify the encryption mechanism in use.
Which layer of the OSI model should the analyst examine?

A. Layer 2 (Data Link)

B. Layer 4 (Transport)

C. Layer 6 (Presentation)

D. Layer 7 (Application)

The investigation into an application transmitting sensitive data insecurely, with a focus on verifying
the encryption mechanism, requires examining Layer 6 (Presentation) of the OSI model. This layer is
responsible for data encryption and decryption as part of its function to translate data between the
https://certpreps.com/cc3/ 45/62
1/20/25, 12:36 AM CC3 - CertPreps

application layer and the network. It ensures that data is presented in a readable format to the
application layer (e.g., encryption, data compression, and conversion of character sets). Although
encryption can be implemented at multiple layers, including the transport layer (Layer 4) for end-to-
end communication security (e.g., TLS/SSL protocols), the context of confirming the application's data
encryption specifically points to the presentation layer's role in defining how data is formatted,
encrypted, and prepared for transmission. Layers 2 (Data Link) and 7 (Application) are not directly
involved in the encryption of application data for secure transmission; Layer 2 focuses on physical
addressing and media access control, while Layer 7 handles application-specific services. Thus, Layer 6
is the appropriate layer to examine for issues related to the encryption mechanisms used by
applications for securing data in transit.

75. An online retailer is redesigning its inventory management system to include RBAC for enhancing
the security of its data. The system is configured to assign roles based on job functions. The project
manager requests a configuration that allows inventory clerks to view and update stock levels, but only
warehouse managers should authorize stock transfers between locations. Which of the following RBAC
configurations aligns MOST closely with the project manager's request?

A. Assign the "Inventory Update" role with view and update permissions to inventory clerks and the "Stock

Transfer" role with transfer authorization permissions to warehouse managers.

B. Grant all employees the "General Inventory" role with view, update, and transfer permissions but rely on

procedural controls to ensure only managers perform transfers.

C. Provide inventory clerks and warehouse managers the same role with permissions to view, update, and

authorize transfers, depending on individual discretion.

D. Assign the "Warehouse Management" role with all permissions to everyone in the inventory department

to simplify the access control process.

The scenario requires a differentiation in access levels between inventory clerks and warehouse
managers, which is a core function of RBAC by assigning specific roles based on job functions and
access needs. Option A directly addresses the project manager's requirements by creating distinct roles
that align with the responsibilities of each group: "Inventory Update" for clerks with permissions
tailored to their need to view and update stock levels, and "Stock Transfer" for managers with the
additional capability to authorize stock transfers. This configuration enforces the principle of least
privilege and separation of duties, key security principles that minimize risk by ensuring individuals
have access only to the resources necessary for their specific job functions. Options B, C, and D either
amalgamate access levels inappropriately or undermine the specificity and security benefits that RBAC
is intended to provide, thereby increasing the potential for unauthorized or incorrect actions within the
system.

76. An IT service provider and a government agency are negotiating terms for a new cybersecurity
initiative. They need a document to outline their collaborative efforts, resource sharing, and general
objectives before finalizing the detailed contract. What type of document is BEST suited for this
preliminary agreement?

https://certpreps.com/cc3/ 46/62
1/20/25, 12:36 AM CC3 - CertPreps

A. Master Service Agreement (MSA)

B. Memorandum of Agreement (MOA)

C. Statement of Work (SOW)

D. Letter of Intent (LOI)

A Memorandum of Agreement (MOA) is best suited for the preliminary agreement between an IT
service provider and a government agency negotiating terms for a new cybersecurity initiative. An MOA
is similar to a Memorandum of Understanding (MOU) but is generally more formal and specific about
the agreement between the parties. It serves as a collaborative document that outlines the shared goals,
responsibilities, and resource allocation for a project before the finalization of a detailed contract.
Unlike a Master Service Agreement (MSA), which typically outlines the general terms and conditions of
a business relationship, or a Statement of Work (SOW), which defines specific project tasks, milestones,
and deliverables, an MOA provides a framework for cooperation and understanding between entities on
joint initiatives. A Letter of Intent (LOI) signals the intention to enter into an agreement but lacks the
specificity regarding collaboration and roles that an MOA offers. Therefore, an MOA is the most
appropriate document for establishing the groundwork of their collaborative efforts, ensuring both
parties are aligned on their objectives and contributions before committing to detailed contractual
terms.

77. Following a phishing attack that resulted in unauthorized access to the internal network, a
cybersecurity analyst at a financial institution is tasked with coordinating an incident response. Which
of the following actions should the analyst prioritize to align with the primary purpose of incident
response?

A. Conducting a detailed audit of network security controls to identify weaknesses.

B. Identifying and isolating the affected systems to prevent further unauthorized access.

C. Implementing stronger email filtering rules to prevent future phishing attacks.

D. Organizing a training session for employees on the importance of email security.

The primary purpose of incident response is to manage and mitigate incidents to minimize impact on
the organization and prevent further unauthorized access or damage. This involves a systematic
process that starts with the identification of the incident, followed by containment to stop the spread
or escalation of the incident. In this scenario, prioritizing the identification and isolation of affected
systems is crucial because it directly addresses the immediate threat by containing the breach. This
step ensures that the unauthorized access does not extend beyond the initially compromised systems,
thereby limiting the potential damage and disruption to the organization's operations. Conducting a
detailed audit of network security controls, while important for long-term security posture
improvement, does not directly address the immediate need to contain the incident. Similarly,
implementing stronger email filtering rules and organizing training sessions are preventative measures
that focus on reducing the likelihood of future incidents rather than addressing the current breach.

https://certpreps.com/cc3/ 47/62
1/20/25, 12:36 AM CC3 - CertPreps

Therefore, the action of identifying and isolating the affected systems is most aligned with the primary
goal of incident response, which is to quickly and effectively contain incidents to minimize their impact
on the organization.

78. During a security review, it was discovered that the server closets in a company's branch offices lack
consistent physical security measures, potentially exposing sensitive data to unauthorized access.
Which of the following actions should be taken FIRST to address this issue?

A. Install biometric access controls on all server closet doors.

B. Conduct a physical security risk assessment for each branch office.

C. Encrypt all data stored within the server closets.

D. Implement network segmentation to isolate the server closets from the rest of the network.

Conducting a physical security risk assessment for each branch office is the first and most critical
action to address the issue of inconsistent physical security measures in server closets. This assessment
will help identify the specific security vulnerabilities and threats each location faces, taking into
account factors such as the office layout, existing security controls, the sensitivity of the data stored,
and the potential impact of unauthorized access. By evaluating the unique circumstances of each
branch office, the company can prioritize security enhancements based on risk, ensuring that
resources are allocated efficiently to address the most significant threats. This strategic approach
allows for the development of a tailored physical security plan that may include measures such as
biometric access controls (Option A), encryption of data (Option C), or network segmentation (Option
D), depending on the assessed risks and requirements. Without a comprehensive understanding of the
physical security risks, implementing generic security measures might not effectively protect against
specific vulnerabilities, making the risk assessment a crucial first step in strengthening physical
security for server closets.

79. A cybersecurity analyst notices unusual patterns in the encrypted traffic going through an
organization's firewall. Closer inspection reveals that an external entity has been actively intercepting
SSL/TLS encrypted traffic, decrypting it, and then re-encrypting it before sending it to its intended
destination. What type of MITM attack is this, and what preventive measure is most effective?

A. ARP spoofing; Static ARP table entries

B. SSL stripping; Always-on SSL across all websites

C. DNS spoofing; Use DNSSEC

D. SSL/TLS interception; Implement certificate pinning

The scenario describes SSL/TLS interception, a sophisticated form of Man-in-the-Middle (MITM)

attack where an attacker intercepts, decrypts, and re-encrypts SSL/TLS encrypted traffic between two
parties. This type of attack is particularly concerning because it undermines the presumed security
https://certpreps.com/cc3/ 48/62
1/20/25, 12:36 AM CC3 - CertPreps

provided by SSL/TLS encryption. The most effective preventive measure against SSL/TLS interception
attacks is to implement certificate pinning. Certificate pinning involves hardcoding the certificate
known to be valid for a particular service within the application. This way, the application can reject all
other certificates, including those presented by attackers during a MITM attack, even if those
certificates are otherwise valid. This measure ensures that the application communicates only with the
genuine server, based on the known certificate, making it significantly harder for attackers to
successfully perform SSL/TLS interception. ARP spoofing, SSL stripping, and DNS spoofing describe
different types of MITM attacks, each with its unique characteristics and mitigation strategies, such as
using static ARP table entries to combat ARP spoofing, enforcing always-on SSL to prevent SSL
stripping, and adopting DNSSEC to counteract DNS spoofing.

80. Six months after a small business implemented a mandatory security awareness training for all
employees, focusing on password management and secure browsing practices, a security audit revealed
no significant change in the rate of password-related incidents. What is the most likely explanation for
the lack of improvement in this area?

A. The training content was too advanced for the employees to understand.

B. Employees did not perceive the training as relevant to their daily tasks.

C. The training failed to include practical exercises and reinforcement.

D. The majority of cybersecurity threats do not involve password compromise.

The most likely explanation for the lack of improvement in password-related incidents, despite the
mandatory security awareness training, is that the training failed to include practical exercises and
reinforcement. Security awareness is not just about providing information; it's about changing behavior.
Practical exercises, such as creating strong passwords, recognizing phishing attempts, and secure
browsing simulations, help solidify the concepts taught during training sessions. Reinforcement
through regular follow-ups, quizzes, and reminders is crucial for ensuring that the knowledge is not
only understood but also applied in daily routines. The absence of these elements can lead to a situation
where employees might have theoretically understood the importance of password management and
secure browsing practices but failed to implement these practices effectively. This explanation
highlights the importance of interactive and ongoing training approaches in effectively reducing
cybersecurity risks associated with poor password hygiene and unsafe browsing habits.

81. An enterprise with global operations is deploying cloud-based applications to support its
international workforce. The enterprise needs to ensure consistent application performance across all
regions. What SLA factor should be prioritized to meet this global performance requirement?

A. Global Data Center Presence

B. Peak Load Handling Capabilities

C. Cross-Region Data Replication

https://certpreps.com/cc3/ 49/62
1/20/25, 12:36 AM CC3 - CertPreps

D. Real-Time Monitoring and Reporting Tools

The enterprise with global operations should prioritize the Global Data Center Presence factor in the
cloud service-level agreement (SLA) to meet its requirement for consistent application performance
across all regions. This factor is crucial because having a widespread presence of data centers around
the world allows the cloud service provider (CSP) to host applications closer to the end-users,
significantly reducing latency and improving load times for users in different geographical locations. By
ensuring that the SLA includes commitments regarding the availability of data centers in key regions
where the enterprise operates, the company can achieve more uniform application performance for its
international workforce, enhancing user experience and operational efficiency. While Peak Load
Handling Capabilities (Option B), Cross-Region Data Replication (Option C), and Real-Time Monitoring
and Reporting Tools (Option D) are important aspects of cloud service delivery that can impact
performance, they do not directly address the geographical challenges associated with providing
consistent performance across diverse regions as effectively as having a Global Data Center Presence
does. Therefore, this factor is the most critical for the enterprise to prioritize in the SLA to ensure that
its global performance requirements are met.

82. A cybersecurity analyst notices an increase in phishing emails containing attachments that, when
opened, execute malicious code designed to steal personal information. Which antivirus feature is
MOST essential in preventing these types of attacks from being successful?

A. Email scanning

B. Automatic updates

C. Sandbox analysis

D. Network monitoring

In the scenario where there is an increase in phishing emails with attachments that execute malicious
code to steal personal information, the most essential antivirus feature to prevent these attacks from
being successful is email scanning. Email scanning is specifically designed to detect and filter out
malicious emails, including those with dangerous attachments, before they reach the user's inbox. By
analyzing incoming emails for known malware signatures, suspicious links, and harmful attachments,
email scanning helps prevent phishing attacks by blocking or quarantining emails that contain potential
threats. This proactive measure significantly reduces the risk of users inadvertently opening malicious
attachments and becoming victims of information theft. While automatic updates ensure the antivirus
has the latest signatures and sandbox analysis allows for the safe examination of suspicious files, and
network monitoring oversees traffic for signs of malicious activity, email scanning directly addresses
the threat vector described—phishing emails—making it the most relevant and effective feature in this
context.

83. An energy company operates a data center located in a region prone to natural disasters,
specifically earthquakes and floods. Recognizing the need to ensure continuous operation and data

https://certpreps.com/cc3/ 50/62
1/20/25, 12:36 AM CC3 - CertPreps

integrity, which physical control should be prioritized to mitigate the risk associated with these natural
disasters?

A. Installation of biometric access controls at all entry points.

B. Implementation of an environmental monitoring system.

C. Construction of raised flooring systems in the data center.

D. Deployment of uninterruptible power supply (UPS) systems.

The construction of raised flooring systems in the data center is the most effective physical control to
mitigate the risk associated with natural disasters such as earthquakes and floods. Raised floors provide
a critical layer of protection for the infrastructure by elevating equipment above potential floodwaters,
facilitating underfloor cooling systems, and providing an organized space for power, network cabling,
and other essential services. This elevation can help prevent water damage to servers, storage devices,
and networking equipment, which are vital for the data center's continuous operation. Furthermore,
raised flooring systems contribute to the structural integrity of the data center by providing a flexible
and stable platform that can withstand seismic activities better than traditional flooring solutions.
While biometric access controls, environmental monitoring systems, and UPS systems are important
physical controls for a data center, they do not directly address the unique challenges posed by natural
disasters like earthquakes and floods as effectively as raised flooring systems.

84. An organization plans to migrate its on-premises email system to a cloud-based solution. In
alignment with change management policy, which action is essential to ensure a seamless transition for
all users?

A. Informing users about the migration only after it has been completed to avoid unnecessary concerns.

B. Conducting a pilot migration with a select group of users before full-scale implementation.

C. Migrating all user accounts simultaneously to minimize the duration of the transition process.

D. Eliminating the old email system immediately to force a quick adaptation to the new platform.

Conducting a pilot migration with a select group of users before full-scale implementation is an
essential action in alignment with change management policy to ensure a seamless transition for all
users when migrating an on-premises email system to a cloud-based solution. A pilot migration allows
the organization to test the migration process on a smaller scale, identify any issues or challenges, and
gather feedback from a representative user group. This step provides valuable insights into potential
problems that may arise during the migration, enabling the organization to address these issues before
proceeding with the migration for all users. It also allows for the adjustment of training materials and
support processes based on real user experiences. Informing users only after the migration (Option A),
migrating all accounts simultaneously (Option C), and forcing immediate adaptation by eliminating the
old system (Option D) are strategies that could lead to significant user frustration, disruption of email
services, and potential loss of data or productivity. A pilot migration ensures that the organization can

https://certpreps.com/cc3/ 51/62
1/20/25, 12:36 AM CC3 - CertPreps

refine the migration process to minimize impact on users and business operations, demonstrating a
thoughtful and user-centric approach to implementing major system changes.

85. During a routine audit, it's discovered that a company's critical systems have a single point of failure
in their network infrastructure, which could lead to significant downtime in the event of a system
failure. Which of the following actions should be taken to mitigate this risk and ensure the high
availability of critical systems?

A. Implementing a strict password policy for all network devices.

B. Transitioning to a fully cloud-based infrastructure with a single cloud provider.

C. Establishing a redundant network architecture with failover capabilities.

D. Conducting regular vulnerability scans on the existing network infrastructure.

Establishing a redundant network architecture with failover capabilities is the most direct and effective
action to mitigate the risk of a single point of failure in the network infrastructure, ensuring the high
availability of critical systems. Redundancy in network architecture involves creating multiple pathways
for data to travel between devices and the internet or between different parts of a network. If one path
fails due to hardware failure, maintenance, or any other issue, the failover mechanisms automatically
reroute traffic through alternative pathways, minimizing or eliminating downtime. Implementing a
strict password policy (Option A) enhances the security of network devices but does not address the
single point of failure in terms of network availability. Transitioning to a fully cloud-based
infrastructure with a single cloud provider (Option B) might introduce new single points of failure if not
carefully designed for redundancy across different geographical locations or availability zones.
Conducting regular vulnerability scans (Option D) is essential for identifying and mitigating security
risks but does not directly contribute to resolving single points of failure in the network infrastructure.
By creating a redundant network architecture with failover capabilities, the company can ensure that
critical systems remain available and operational, even in the event of a partial network failure, thereby
maintaining continuous business operations and minimizing potential downtime.

86. Alex, a cybersecurity analyst, is offered confidential information about a competitor's security
systems by a disgruntled employee from the competitor's company. According to the (ISC)² Code of
Ethics, how should Alex proceed?

A. Politely decline the offer and report the incident to their own company's compliance department.

B. Accept the information and analyze it to strengthen their own company's security measures.

C. Notify the competitor about their employee's actions to foster industry collaboration.

D. Ignore the offer and take no further action, avoiding involvement in unethical practices.

By politely declining the offer and reporting the incident to their own company's compliance
department, Alex adheres to the (ISC)² Code of Ethics, which mandates professionals to act honorably,
https://certpreps.com/cc3/ 52/62
1/20/25, 12:36 AM CC3 - CertPreps

honestly, justly, responsibly, and legally. This response ensures that Alex does not partake in or condone
unethical behavior, such as exploiting a competitor's confidential information, which could undermine
public trust and confidence in the cybersecurity profession. Reporting the incident internally allows the
company to handle the situation appropriately, possibly leading to a formal notification to the
competitor about the breach in their security through official channels, thereby reinforcing the
importance of ethical conduct within the industry. This choice reflects a commitment to integrity,
supports the protection of all parties' interests, and upholds the professional's duty to contribute to the
security of the digital community at large. Accepting or ignoring the offer would compromise ethical
standards and could potentially involve legal ramifications, while notifying the competitor directly
might overstep boundaries and involve the analyst in further ethical dilemmas.

87. During a risk assessment, an IT security analyst identifies that the current power supply
arrangement for a critical network infrastructure lacks sufficient redundancy. The infrastructure's
power supply is crucial for maintaining network security controls and operational capabilities. Which of
the following recommendations would BEST mitigate the risk of power failure impacting network
security?

A. Implement a dual power supply system for all critical network devices.

B. Conduct regular power outage simulations to ensure operational readiness.

C. Install a centralized UPS system for the entire network infrastructure.

D. Deploy solar panels as an alternative power source for critical devices.

Implementing a dual power supply system for all critical network devices is the best recommendation
to mitigate the risk of power failure impacting network security. This setup involves equipping essential
network components, such as switches, routers, and security appliances, with two independent power
supplies. In the event that one power source fails, the second one automatically takes over, ensuring
that the devices remain operational without interruption. This redundancy is crucial for maintaining
the availability of network security controls and operational capabilities, directly addressing the
identified risk. Conducting power outage simulations (Option B) is a valuable practice for testing
resilience and preparedness but does not provide a solution to the underlying issue of power supply
redundancy. Installing a centralized UPS system (Option C) offers a form of backup power but may not
cover all individual device failures or power supply issues. Deploying solar panels (Option D) as an
alternative power source introduces renewable energy into the power mix, which is beneficial for
sustainability but may not provide the immediate, reliable backup required for critical network devices
during a power outage. Therefore, a dual power supply system for critical devices ensures continuous
operation and security of network infrastructure during power failures.

88. A network administrator is configuring a firewall to enhance the organization's security posture.
They need to ensure secure email transmission via SMTP. Which of the following ports should the
administrator configure the firewall to allow?

A. Port 25 (SMTP)

https://certpreps.com/cc3/ 53/62
1/20/25, 12:36 AM CC3 - CertPreps

B. Port 465 (SMTPS)

C. Port 587 (SMTP with STARTTLS)

D. Port 110 (POP3)

Port 465, designated for SMTPS, is the correct choice for configuring the firewall to allow secure email
transmission via SMTP. SMTPS (Simple Mail Transfer Protocol Secure) utilizes SSL/TLS encryption to
provide a secure channel for email transmission, ensuring that the data is encrypted between the email
client and the server. While Port 25 is traditionally used for SMTP, it does not inherently provide
encryption, making it susceptible to interception and eavesdropping. Port 587 is used for SMTP with
STARTTLS, which can upgrade a connection to encryption, but STARTTLS is opportunistic and not
inherently secure as it can be subject to downgrade attacks if not properly configured. Port 110 is used
for POP3, a protocol for receiving email, and is not relevant to sending email securely. Therefore, Port
465 (SMTPS) is the most appropriate to ensure secure email transmission, as it guarantees that the
connection is encrypted from the start, providing a higher level of security for sensitive email
communications.

89. During a routine security audit, an analyst discovers a pattern of unauthorized access attempts to a
secure database outside of regular business hours. The attempts were made using credentials of
multiple employees, suggesting either compromised credentials or insider threat. Which monitoring
strategy would BEST aid in investigating and preventing future incidents of this nature?

A. Implementing strict access controls

B. Deploying anomaly detection systems

C. Enforcing regular password changes

D. Increasing physical security measures

Deploying anomaly detection systems is the most effective strategy for identifying and preventing
future incidents like the unauthorized access attempts discovered during the audit. Anomaly detection
systems analyze patterns of behavior to identify activities that deviate from the norm, such as access
attempts outside regular business hours or the use of multiple employee credentials in a suspicious
manner. This capability would enable the organization to quickly detect unusual activities, potentially
indicating compromised credentials or insider threats, and respond accordingly. While implementing
strict access controls (A) and enforcing regular password changes (C) are important security measures,
they do not directly address the detection of anomalous behavior patterns. Increasing physical security
measures (D) might help deter unauthorized physical access but would not be effective against the type
of credential misuse or insider threat suggested in this scenario. Anomaly detection systems, by
continuously monitoring for deviations from established patterns of behavior, offer a proactive
approach to identifying and mitigating security threats, making them the best choice for addressing the
challenges highlighted by the audit findings.

https://certpreps.com/cc3/ 54/62
1/20/25, 12:36 AM CC3 - CertPreps

90. During a severe flood, a technology firm's primary data center located in a flood-prone area
experienced significant downtime. The company had previously identified flooding as a potential threat
and implemented a business continuity plan (BCP) that included an alternative data center in a
geographically diverse location. Which of the following actions best illustrates the application of
business continuity principles in this scenario?

A. Increasing the physical security at the primary data center to prevent unauthorized access during the

flood.

B. Relocating the primary data center to a location not prone to flooding.

C. Activating the alternative data center to ensure continued operations during the flood.

D. Purchasing flood insurance for the primary data center to mitigate financial losses.

Activating the alternative data center to ensure continued operations during the flood exemplifies the
application of business continuity principles by focusing on maintaining the organization's critical
functions during and after a disaster. Business continuity planning (BCP) aims to ensure the
continuation of essential functions through a wide range of disruptions, including natural disasters like
floods. In this scenario, the company's decision to have an alternative data center in a geographically
diverse location and its activation during the flood is a direct application of these principles. This action
ensures that the company's operations can continue with minimal disruption, highlighting the core
purpose of business continuity to maintain operational integrity and minimize downtime in the face of
disasters. Unlike the other options, which focus on preventative measures (A, B) or financial mitigation
(D) post-event, option C directly addresses the immediate continuation of business operations,
showcasing a proactive and practical application of business continuity planning.

91. A financial institution is restructuring its network architecture to safeguard against internal and
external threats. The institution operates a complex network that supports transactions, customer
service, and internal operations. To enhance security and operational efficiency, which segmentation
technique should the institution employ?

A. Segmenting the network based on the transactional volume, allocating more resources to high-volume

segments.

B. Creating security zones based on the sensitivity and function of the data, such as transactions

processing, customer data, and internal communications.

C. Deploying a perimeter firewall for the entire network and relying on antivirus solutions for individual

segments.

D. Implementing a single, unified network segment with advanced threat detection and response systems.

https://certpreps.com/cc3/ 55/62
1/20/25, 12:36 AM CC3 - CertPreps

Creating security zones based on the sensitivity and function of the data, such as transactions
processing, customer data, and internal communications, is the most effective segmentation technique
for a financial institution looking to enhance security and operational efficiency. This method allows for
the implementation of tailored security policies and controls that are appropriate for the varying levels
of sensitivity and types of activities within each zone. By segregating the network into distinct security
zones, the institution can apply stronger security measures where needed, such as around transactions
processing and customer data, while still maintaining efficient operations for less sensitive areas. This
approach not only improves the institution's defense against both internal and external threats by
minimizing the potential impact of a breach within any single zone but also facilitates compliance with
financial regulations regarding data protection and privacy. Unlike segmenting the network based on
transactional volume (Option A), which does not account for the diverse security needs of different
types of data and operations, or deploying a perimeter firewall with antivirus solutions for individual
segments (Option C), which lacks the granularity of security zones, creating defined security zones
offers a strategic balance between security and functionality. Implementing a unified network segment
with advanced threat detection (Option D) may simplify management but fails to provide the
compartmentalization necessary to effectively isolate and protect sensitive areas of the network.
Therefore, security zoning is the most suitable strategy for the financial institution's goals of security
enhancement and operational efficiency.

92. Following a data breach, a retail company identified that its incident response plan lacked specific
steps for containment and eradication of threats. This oversight led to prolonged exposure to the
breach. What component of the incident response plan should be enhanced to address this issue?

A. Incident Detection and Analysis

B. Containment, Eradication, and Recovery

C. Prevention Measures

D. Post-Incident Review Process

The oversight in the retail company's incident response plan, specifically the lack of specific steps for
containment and eradication of threats, directly points to a deficiency in the Containment, Eradication,
and Recovery component. This component is critical as it outlines the procedures to isolate affected
systems to prevent the spread of the threat, remove the threat from the environment, and restore
systems to normal operations. The absence of these detailed steps resulted in prolonged exposure to
the data breach, likely exacerbating its impact by allowing the threat actors more time to exploit the
breach. By enhancing this component of the incident response plan to include clear, actionable steps
for containment, eradication, and subsequent recovery, the company can significantly reduce the
duration and impact of future breaches. This improvement is vital for minimizing downtime, protecting
customer data, and maintaining business continuity in the face of cyber threats.

93. For an event management company that frequently hosts events requiring temporary network
setups for vendors, guests, and staff, what VLAN strategy should be implemented to ensure both
operational efficiency and network security?

https://certpreps.com/cc3/ 56/62
1/20/25, 12:36 AM CC3 - CertPreps

A. Deploy a single VLAN for all users to simplify network configuration and management during events.

B. Establish separate VLANs for vendors, guests, and staff, with customized access controls and internet

bandwidth limitations for each group.

C. Organize network access into two VLANs, one for event participants (vendors and guests) and another

for staff, to reduce the number of VLANs needed.

D. Automatically assign users to a common VLAN upon connection and manually adjust access as needed

based on user role and requirements.

Establishing separate VLANs for vendors, guests, and staff, with customized access controls and
internet bandwidth limitations for each group, is the most effective VLAN strategy for an event
management company to ensure operational efficiency and network security during events. This
approach allows for precise control over network access, ensuring that each group has the necessary
resources and connectivity based on their specific needs while maintaining a secure and optimized
network environment. By segregating the network into distinct VLANs, the company can implement
tailored security policies to protect sensitive company data accessible by staff, while also providing
appropriate internet access to vendors and guests. This segmentation effectively minimizes the risk of
unauthorized access to critical network resources and allows for efficient management of network
traffic, reducing potential congestion and ensuring a high-quality experience for all event participants.
Unlike deploying a single VLAN for all users (Option A), which lacks sufficient security and
customization, or organizing network access into only two VLANs (Option C), which does not offer the
granularity needed for effective access control and bandwidth management, and automatically
assigning users to a common VLAN (Option D), which is inefficient and potentially insecure, separate
VLANs for each user group provide a balanced solution that meets the diverse needs of event
participants while maintaining network integrity and performance.

94. During an audit, it was discovered that a company's file server is using outdated security
configurations. Which of the following steps should be PRIORITIZED to align the server with the latest
industry-standard security practices?

A. Performing a complete system backup before making any changes.

B. Instantly updating all server software to the latest versions.

C. Reviewing and updating the server's configuration management policy.

D. Disabling unused services and protocols on the server.

Reviewing and updating the server's configuration management policy should be prioritized to align the
server with the latest industry-standard security practices. This strategic approach ensures that any
action taken is governed by a policy that reflects current best practices and security standards. A
comprehensive configuration management policy provides a framework for managing changes in a
systematic manner, ensuring that all configurations, including security settings, are standardized,

https://certpreps.com/cc3/ 57/62
1/20/25, 12:36 AM CC3 - CertPreps

documented, and aligned with industry benchmarks. This policy would dictate the procedures for
performing system backups (Option A), guide the controlled updating of server software (Option B), and
include directives for disabling unused services and protocols (Option D) as part of regular hardening
practices. By prioritizing the review and update of the configuration management policy, the
organization ensures that all subsequent actions are consistent, repeatable, and aligned with best
practices, thereby enhancing the server's security posture in a structured and policy-driven manner.

95. A network engineer is diagnosing an issue where some IPv6 packets are not reaching their intended
destination within the network. The engineer suspects a problem with the path MTU. To dynamically
discover the optimal path MTU size for packet transmission, which IPv6 feature should be utilized?

A. IPv6 Fragmentation

B. Path MTU Discovery (PMTUD)

C. Neighbor Discovery Protocol (NDP)

D. Automatic Tunneling

Path MTU Discovery (PMTUD) is the IPv6 feature that should be utilized to dynamically discover the
optimal path MTU size for packet transmission across the network. PMTUD is a mechanism used to
determine the maximum transmission unit (MTU) size that can be transmitted without fragmentation
across the path from the source to the destination. This is crucial for ensuring efficient packet
transmission, as packets larger than the path's MTU need to be fragmented, which can lead to increased
latency, reduced performance, and in some cases, packet loss if fragments are dropped or cannot be
reassembled. IPv6 does not allow fragmentation by routers along the path; therefore, it relies on
PMTUD to prevent transmission of packets that are too large for the network path. IPv6 Fragmentation
(Option A) is handled by the source node, not the network, making it less relevant for discovering path
MTU. The Neighbor Discovery Protocol (NDP) (Option C) is used for a variety of purposes, including
address autoconfiguration and discovery of other nodes on the network, but not specifically for path
MTU discovery. Automatic Tunneling (Option D) facilitates the transition from IPv4 to IPv6 but does not
play a role in determining the path MTU. PMTUD enables the source node to send packets efficiently by
adjusting the packet size to match the maximum supported size along the path to the destination,
enhancing network performance and reducing the potential for packet loss.

96. A company is experiencing intermittent connectivity issues between its branch offices. The IT
department suspects a problem with the routing of IP packets. To diagnose the issue, which TCP/IP
model layer should the IT department focus on analyzing?

A. Application Layer

B. Transport Layer

C. Internet Layer

D. Network Access Layer

https://certpreps.com/cc3/ 58/62
1/20/25, 12:36 AM CC3 - CertPreps

When diagnosing issues related to the routing of IP packets between branch offices, the focus should
be on the Internet Layer of the TCP/IP model. This layer is responsible for the logical transmission of
packets across networks, including IP addressing and routing through different network devices and
links. By analyzing the Internet Layer, the IT department can examine how packets are being directed
through the network, identify any misconfigurations or failures in routing devices, and understand the
path that data takes from source to destination. This analysis can reveal whether packets are being lost,
misrouted, or delayed at specific points in the network, contributing to the intermittent connectivity
issues. The Application Layer (A) deals with high-level protocols that enable user applications to
communicate over the network, while the Transport Layer (B) provides end-to-end communication
services between hosts. The Network Access Layer (D) concerns the physical transmission of data over
network links. None of these layers directly addresses the routing of packets across network
boundaries or the logical path that data packets take, making the Internet Layer the appropriate focus
for resolving the suspected issue.

97. A security analyst discovers that a recently installed piece of software on the company's financial
system, which was believed to be a legitimate update for financial analysis, is actually performing
unauthorized transmissions of sensitive data to an external server. Which type of malware is MOST
likely involved in this scenario, and what is the most effective FIRST step in addressing this issue?

A. Ransomware; Pay the ransom to regain access to the files

B. Trojan; Immediately isolate the affected system from the network

C. Spyware; Update the antivirus software to remove the malware

D. Adware; Use an ad blocker to prevent further pop-ups

The scenario describes a situation where software, disguised as a legitimate update, performs malicious
activities, such as unauthorized data transmission. This is characteristic of a Trojan, a type of malware
that misleads users of its true intent. The most effective first step in addressing this issue is to
immediately isolate the affected system from the network. This action prevents further data exfiltration
to the external server and limits the spread of the Trojan to other systems within the network. Isolation
should be followed by a thorough investigation and remediation process, including removing the Trojan,
analyzing how the breach occurred, and implementing measures to prevent similar incidents. Paying a
ransom is related to ransomware, not Trojans, and would not be applicable in this situation. Updating
antivirus software and using an ad blocker might be part of the remediation process but would not
address the immediate threat posed by the Trojan as effectively as network isolation.

98. A company's CFO received an email requesting a swift transfer of funds to a new vendor due to an
urgent and confidential project. The email appeared to come from the CEO, with a slightly altered email
address. Despite the urgency, the CFO decided to verify the request through a direct phone call to the
CEO, uncovering that the CEO had sent no such email. This scenario best illustrates which of the
following social engineering techniques?

A. Phishing

https://certpreps.com/cc3/ 59/62
1/20/25, 12:36 AM CC3 - CertPreps

B. Pretexting

C. Baiting

D. Tailgating

This scenario exemplifies pretexting, a social engineering technique where an attacker creates a
fabricated scenario (the pretext) to steal their victim's personal information. In this case, the attacker
impersonated the CEO, using a sense of urgency and confidentiality to manipulate the CFO into making
a financial transaction. The subtlety of the technique lies in the careful crafting of the story to make it
believable enough that the target acts without seeking verification. However, the CFO's decision to
directly contact the CEO for verification is a best practice in identifying and preventing such attacks.
This incident underscores the importance of awareness and verification processes within an
organization to safeguard against pretexting and other forms of social engineering that exploit human
psychology and trust.

99. A Network Intrusion Detection System (NIDS) alerts the security team to an anomaly in the
network: a large number of SYN packets are being sent to a web server without the corresponding ACK
packets. This unusual activity has caused the server to become unresponsive. Which type of attack is
MOST likely being detected by the NIDS, and what immediate action should the security team take?

A. DDoS Attack; Increase the server's bandwidth and deploy rate limiting on incoming connections.

B. SYN Flood Attack; Implement SYN cookies on the web server to differentiate between legitimate and

malicious traffic.

C. Ping of Death Attack; Update the server's firewall rules to block ICMP packets.

D. SQL Injection Attack; Scan the web application for vulnerabilities and apply necessary patches.

The scenario described, where a large number of SYN packets are sent to a web server without the
corresponding ACK packets, leading to server unresponsiveness, is indicative of a SYN Flood Attack.
This type of DDoS attack exploits the TCP handshake process to consume server resources, preventing
legitimate users from establishing a connection. The immediate and effective action the security team
should take is to implement SYN cookies on the web server. SYN cookies are a mitigation technique
that allows the server to continue accepting legitimate connections by not allocating resources for
connections until a valid response is received, thereby distinguishing between legitimate traffic and
malicious SYN flood attempts. Increasing server bandwidth and deploying rate limiting can offer
temporary relief but do not address the core issue of the attack. Blocking ICMP packets would be an
action against Ping of Death attacks, which is unrelated to the symptoms described. Scanning for and
patching vulnerabilities in the web application would be necessary for an SQL Injection Attack, which
also does not match the attack pattern observed.

https://certpreps.com/cc3/ 60/62
1/20/25, 12:36 AM CC3 - CertPreps

100. A cybersecurity team has implemented a new security information and event management (SIEM)
system for real-time analysis of security alerts generated by applications and network hardware. After a
month of operation, an analyst notices an unusual spike in traffic that the SIEM system flagged as
"anomalous but low risk." What should be the analyst's first course of action?

A. Ignore the alert as the SIEM system has classified it as low risk.

B. Manually review the detailed logs around the time of the spike to assess the context of the traffic.

C. Immediately shut down network access to prevent a potential security breach.

D. Increase the threshold for what is considered anomalous to reduce the number of future alerts.

The analyst's first course of action upon noticing an unusual spike in traffic flagged as "anomalous but
low risk" by the SIEM system should be B) manually review the detailed logs around the time of the
spike to assess the context of the traffic. This action is essential because SIEM systems, while powerful,
may not fully understand the context or potential impact of every alert. A manual review allows the
analyst to use their expertise to interpret the nature of the spike, investigating whether it was due to
legitimate activity or indicative of a security threat such as a reconnaissance scan, distributed denial-
of-service (DDoS) attack initiation, or exfiltration of data. Ignoring the alert (Option A) could potentially
overlook a critical security issue. Immediately shutting down network access (Option C) is an
overreaction without first assessing the situation, potentially disrupting business operations
unnecessarily. Increasing the threshold for anomalies (Option D) may reduce the volume of future alerts
but could also risk missing genuine security threats. A thorough investigation provides a balanced
approach to understanding and responding to security events, ensuring that actions are based on
informed decisions.

Reach Us
Wishlist
Is there a certification
The CertPreps Team practice you would love to

info@certpreps.com
see here? Drop it in the
Wishlist!

47,683 Members Enter a certification practi

0 of 20 max characters.

Wish it!

https://certpreps.com/cc3/ 61/62
1/20/25, 12:37 AM CC3 - CertPreps

© 2025 CertPreps | All Rights Reserved | We do not provide exam dumps and fully discourage the use of such.
Your data is safe with us. Privacy Policy

https://certpreps.com/cc3/ 62/62