Free Practice Questions for ISC CC Exam

Cross-Site Request Forgery (CSRF) tricks an authenticated user’s browser into sending unauthorized requests to a trusted server. Because the user is already authenticated, the server processes the request as legitimate.

XSS injects malicious scripts, while spoofing involves impersonation. CSRF exploits trust in an existing authenticated session. Defenses include CSRF tokens, same-site cookies, and proper request validation.

Most VPNs (e.g., IPSec) operate atLayer 3 (Network layer), encapsulating IP packets to create secure tunnels.

Defense in depth uses multiple layers of controls—administrative, technical, and physical—so that failure of one layer does not compromise security.

A Content Delivery Network (CDN) ensures low latency by caching content at geographically distributed edge locations close to end users. When customers access a website, content is served from the nearest CDN node rather than a centralized server.

This significantly reduces round-trip time, network congestion, and load on origin servers. CDNs are especially effective for static content such as images, scripts, and videos, which dominate e-commerce traffic.

Load balancing distributes traffic but does not reduce geographic distance. SaaS is a service model, not a latency solution. Decentralized data centers help but lack the optimized edge caching and routing capabilities of a CDN.

CDNs are a core performance and availability control for global online services and are widely used by large e-commerce platforms to improve customer experience and resilience.

Risk Avoidanceeliminates risk by discontinuing activities that expose the organization to unacceptable threats.

These areType 1 (bare-metal) hypervisors, running directly on hardware without a host operating system, offering higher performance and security.

Bell–LaPadula is a Mandatory Access Control (MAC) model focused on confidentiality. It uses security labels and clearances to enforce access rules such as “no read up, no write down.”

Risk assessment is the structured process of identifying risks, estimating their likelihood and impact, and prioritizing them for treatment. It forms the analytical foundation of risk management and enables informed decision-making. Risk assessment typically includes threat identification, vulnerability analysis, likelihood determination, and impact analysis.

Risk treatment and mitigation occur after risks have been assessed, while risk management is the broader lifecycle that includes assessment, response, monitoring, and communication. Standards such as NIST SP 800-30 emphasize risk assessment as a critical early step in managing cybersecurity risk.

The purpose of multi-factor authentication (MFA) in Identity and Access Management (IAM) is to strengthen authentication by requiring users to present two or more independent factors from different categories: something you know, something you have, or something you are. This layered approach significantly reduces the risk of unauthorized access, even if one factor—such as a password—is compromised.

MFA addresses common attack techniques such as phishing, credential stuffing, and brute-force attacks. For example, even if an attacker steals a user’s password, they would still need access to the user’s hardware token or biometric factor to authenticate successfully.

MFA does not simplify access, remove authentication, or grant unrestricted access. Instead, it deliberately increases verification requirements to improve security. NIST SP 800-63 and other security frameworks strongly recommend MFA for privileged accounts, remote access, and cloud services because of its proven effectiveness in preventing account compromise.

Two-Person Integrityensures no single individual can complete a sensitive action alone, reducing fraud and insider threats.