Free ISC CC Practice Exam with Questions & Answers | Set: 3

Logical access controls enforce security through software-based mechanisms such as access control lists, authentication systems, and configuration settings.

Risk identification is the first step in the risk management process. Organizations must first identify assets, threats, and vulnerabilities before they can assess likelihood or impact. Without knowing what risks exist, meaningful assessment and mitigation are impossible.

Transport Layer Security (TLS) helps mitigateman-in-the-middle (MITM) attacksby providing encryption, authentication, and integrity protection for data transmitted between communicating systems. TLS ensures that data exchanged between a client and server cannot be intercepted, modified, or read by unauthorized third parties.

TLS uses digital certificates and public key cryptography to authenticate servers (and sometimes clients), preventing attackers from impersonating legitimate endpoints. It also encrypts session data using symmetric encryption, protecting confidentiality even if traffic is captured.

TLS does not prevent application-layer attacks such as XSS or SQL injection, which are caused by insecure application logic. It also does not address social engineering, which targets human behavior rather than network protocols.

Because MITM attacks exploit unencrypted or improperly authenticated connections, TLS is a primary defense recommended by NIST and all modern security standards for protecting data in transit.

Cloud computing is defined by five essential characteristics per NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Therefore, all listed options are valid characteristics.

Identification is the act of claiming an identity (e.g., username). Authentication is the process of verifying that claim (e.g., password, biometrics). Authorization follows authentication.

Metal detectors are effectivepreventive physical controlsthat detect electronic devices and storage media. They are commonly used in high-security environments to enforce device restrictions.

Dumpster diving is a physical social engineering attack in which an attacker searches trash bins to recover sensitive information such as passwords, financial records, network diagrams, or personal data. Because the attack targets discarded physical materials, technical controls such as anti-malware software or data loss prevention tools are ineffective in preventing it.

Shredding is the most effective defense because it physically destroys sensitive documents before disposal, making the information unreadable and unusable. Security best practices recommend cross-cut or micro-cut shredders for documents containing confidential or regulated data. This control directly addresses the attack vector and eliminates the risk at its source.

A clean desk policy reduces exposure during business hours but does not address improper disposal. DLP tools focus on electronic data movement, not physical waste. Therefore, shredding is considered a critical administrative and physical security control for preventing information leakage via dumpster diving, as emphasized in NIST SP 800-53 and ISO/IEC 27001 physical security guidelines.

Elliptic Curve Cryptography (ECC) does not rely on the prime factorization problem. Instead, ECC is based on the mathematical difficulty of solving elliptic curve discrete logarithm problems.

RSA relies directly on the difficulty of factoring large prime numbers. GPG and PGP are encryption tools and standards that may use RSA or other algorithms internally.

ECC provides equivalent security with much smaller key sizes, making it efficient for mobile devices, embedded systems, and environments with limited processing power.

Modern security standards increasingly recommend ECC due to its performance and strong security properties.

Zero Trust assumes no implicit trust and requires continuous verification of every access request. Microsegmentation is a core Zero Trust technique that limits lateral movement.

A Virtual Private Network (VPN) creates an encrypted tunnel between a user’s device and a remote network or server. This tunnel protects data confidentiality and integrity by encrypting all traffic passing through it, even when using untrusted networks such as public Wi-Fi.

HTTPS encrypts only web traffic, antivirus detects malware, and IDS monitors for suspicious activity. Only a VPN provides full-tunnel encryption for all network communications. VPNs are commonly implemented using protocols such as IPSec or SSL/TLS and are widely recommended for secure remote access.