CERTIFICATION (CC) EXAM 2025
QUESTIONS AND ANSWERS
Which access control is more effective at protecting a door against unauthorized access?
A. Fences
B. Turnstiles
C. Barriers
D. Locks - ANS D. Locks
A lock is a device that prevents a physical structure (typically a door) from being opened, ensuring that only an authorized person (i.e., the person with the key) can open it. A fence or a barrier will prevent ALL access. Turnstiles are physical barriers that can easily be overcome (after all, it is common knowledge that intruders can easily jump over a turnstile when no one is watching).
Which type of attack PRIMARILY aims to make a resource inaccessible to its intended users?
A. Phishing
B. Denial of Service
C. Trojans
D. Cross-site scripting - ANS B. Denial of Service
A denial of service (DoS) attack compromises the availability of a system or service through a malicious overload of requests, which triggers safety mechanisms that delay or limit the availability of that system or service. As a result, systems or services are rendered inaccessible to their intended users. Trojans, phishing, and cross-site scripting attacks try to gain access to the system or data, and therefore do not primarily aim at compromising the system's availability.
Which devices have the PRIMARY objective of collecting and analyzing security events?
1 Copyright ©BRIGHSTARS ALL RIGHTS RESERVED 2025
A. Firewalls
B. Hubs
C. Routers
D. SIEM - ANS D. SIEM
A Security Information and Event Management (SIEM) system is an application that gathers security data from information system components and presents actionable information through a unified interface. Routers and hubs aim to receive and forward traffic. Firewalls filter incoming traffic. None of these last three options aims at collecting and analyzing security events.
Which access control model specifies access to an object based on the subject's role in the
organization?
A. RBAC
B. MAC
C. ABAC
D. DAC - ANS A. RBAC
The role-based access control (RBAC) model is well known for governing access to objects based on the roles of individual users within the organization. Mandatory access control (MAC) is based on security classification. Attribute-based access control (ABAC) is based on complex attribute rules. In discretionary access control (DAC), subjects can grant privileges to other subjects and change some of the security attributes of the objects they have access to.
When a company hires an insurance company to mitigate risk, which risk management
technique is being applied?
A. Risk transfer
B. Risk avoidance
C. Risk mitigation
D. Risk tolerance - ANS A. Risk transfer
Risk transfer is a risk management strategy that contractually shifts a pure risk from one party to another (in this case, to an insurance company). Risk avoidance consists in stopping activities and exposures that can negatively affect an organization and its assets. Risk mitigation consists of mechanisms to reduce the risk. Finally, risk tolerance is the degree of risk that an investor is willing to endure.
Which type of attack will most effectively provide privileged access (root access in Unix/Linux
platforms) to a computer while hiding its presence?
A. Rootkits
B. Phishing
C. Cross-Site Scripting
D. Trojans - ANS A. Rootkits
A rootkit tries to maintain root-level access while concealing malicious activity. It typically
creates a backdoor and attempts to remain undetected by anti-malware software. A rootkit is
active while the system is running. Trojans can also create backdoors but are only active while a
specific application is running, and thus are not as effective as a rootkit. Phishing is used to
initiate attacks by redirecting the user to fake websites. Cross-site scripting is used to attack
websites.
Which device is used to connect a LAN to the Internet?
A. Router
B. Firewall
C. HIDS
D. SIEM - ANS A. Router
A router is a device that acts as a gateway between two or more networks by relaying and directing data packets between them. A firewall is a device that filters traffic coming from the Internet but does not seek to distribute traffic. Security Information and Event Management (SIEM) systems and Host Intrusion Detection Systems (HIDS) are monitoring tools, not devices or applications that aim at inter-network connectivity.
How many data labels are considered manageable?
A. 1-2
B. 1
C. 2-3
D. >4 - ANS C. 2-3
According to data handling and labeling best practices, two or three classifications for data are typically considered manageable for most organizations. In the ISC2 Study Guide, Ch. 5, Module 1, under Data Handling Practices in Labeling, "two or three classifications are manageable, but more than four tend to be challenging to manage." These classifications could be labels such as Public, Confidential, and Restricted, each representing a different level of data sensitivity. The labeling system allows the organization to easily identify and manage data based on its sensitivity level, ensuring that appropriate security measures are in place for each classification. The principle is that labeling data by sensitivity should rely on a limited, unambiguous set of labels that correspond to different levels of data sensitivity. The key is to have a system that differentiates data sensitivity levels without being overly complex to implement and maintain. (Having more than four can make the system overly complex and difficult to manage, increasing the risk of misclassification and potential data breaches.)
In Change Management, which component addresses the procedures needed to undo changes?
A. Request for Approval
B. Rollback
C. Request for Change
D. Disaster and Recovery - ANS B. Rollback
In Change Management, the Request for Change (RFC) is the first stage of the request; it formalizes the change from the stakeholder's point of view. The next phase is the Approval phase, where each stakeholder reviews the change, identifies and allocates the corresponding resources, and eventually either approves or rejects the change (appropriately documenting the approval or rejection). Finally, the Rollback phase addresses the actions to take when monitoring of the change suggests a failure or inadequate performance.
Which of the following is an example of 2FA?
A. One-time passwords (OTP)
B. Keys
C. Badges
D. Passwords - ANS A. One-time passwords (OTP)
One-time passwords are typically generated by a device (i.e., "something you have") and are required in addition to the actual password (i.e., "something you know"). Badges, keys and passwords with no overlapping authentication controls are considered single-factor.
Which cloud deployment model is suited to companies with similar needs and concerns?
A. Community cloud
B. Private cloud