CC CC - Certified in Cybersecurity Questions and Answers

IPSec (Internet Protocol Security) operates atLayer 3 – the Network Layerof the OSI model. IPSec is designed to secure IP communications by authenticating and encrypting each IP packet in a data stream. Because it works directly with IP packets, it naturally fits at the network layer.

Operating at Layer 3 gives IPSec a major advantage: it can protectall network traffic, regardless of the application or transport protocol being used. This means IPSec can secure TCP, UDP, and ICMP traffic transparently without requiring changes to applications. IPSec is commonly used to implementVirtual Private Networks (VPNs), including site-to-site and remote-access VPNs.

IPSec uses protocols such asAuthentication Header (AH)andEncapsulating Security Payload (ESP)to provide confidentiality, integrity, authentication, and anti-replay protection. Key management is typically handled by IKE (Internet Key Exchange).

Although IPSec may appear in some diagrams as interacting with other layers, standards bodies such as NIST and IETF clearly define IPSec as aLayer 3 (Network Layer)security protocol.

A session token is used to maintain a user’s authenticated state after login. Once a user successfully authenticates, the server issues a session token that is stored by the client and sent with subsequent requests.

The server uses this token to identify the user without requiring reauthentication on every request. Session tokens must be protected against theft through secure cookies, encryption, and proper expiration.

CAPTCHAs prevent automated abuse, API keys authenticate applications, and CSRF tokens prevent request forgery. Only session tokens authenticate users across requests.

Proper session management is critical for web application security and is emphasized in OWASP and NIST guidance.

The post-incident phase focuses on documenting lessons learned, improving controls, and preventing recurrence.

Buffer overflow attacks target applications, exploiting improper memory handling. Applications operate atLayer 7 (Application Layer), making it the primary target.

Type 1 authentication is “something you know,” such as passwords or PINs. Other options represent possession-based or biometric authentication.

The Internet Engineering Task Force (IETF) develops and maintains Internet standards through RFCs.

Guidelines are non-binding recommendations within a security policy framework. They provide best practices, suggestions, and advice to help users and administrators make informed decisions, but they do not require mandatory compliance.

Policies are high-level, mandatory statements approved by senior management. Standards define specific, mandatory requirements that must be followed to comply with policies. Procedures provide step-by-step instructions for implementing policies and standards.

Guidelines offer flexibility and allow organizations to adapt recommendations to different environments, technologies, or risk levels. Because they are not enforceable, guidelines are often used to encourage secure behavior without imposing strict controls.

For example, a guideline might recommend using a password manager, while a standard would require minimum password length. Security frameworks such as ISO/IEC 27001 and NIST distinguish clearly between mandatory controls and advisory guidance to balance security with operational flexibility.

An IPSec replay attack occurs when an attacker captures legitimate encrypted packets and attempts to retransmit (replay) them to gain unauthorized access or disrupt communication. The attacker does not need to decrypt the packets; instead, they rely on resending previously valid packets within an existing session.

Without proper protections, replayed packets could be accepted as valid, allowing attackers to impersonate legitimate users or repeat sensitive actions. IPSec defends against replay attacks usingsequence numbers and sliding windows, which ensure packets are processed only once and in the correct order.

Packet modification, eavesdropping, and traffic flooding are different attack types and are not specifically replay attacks. Replay attacks are particularly dangerous in authentication and session-based protocols, which is why anti-replay protection is a mandatory IPSec feature defined by the IETF.

Policies created by leadership to define acceptable behavior and usage areadministrative (management) controls. They guide organizational behavior, define responsibilities, and establish governance expectations.

Technical controls enforce policies, while physical controls protect facilities. This scenario clearly describes governance and oversight, making it an administrative control.

Risk assessment is the structured process of identifying risks, estimating their likelihood and impact, and prioritizing them for treatment. It forms the analytical foundation of risk management and enables informed decision-making. Risk assessment typically includes threat identification, vulnerability analysis, likelihood determination, and impact analysis.

Risk treatment and mitigation occur after risks have been assessed, while risk management is the broader lifecycle that includes assessment, response, monitoring, and communication. Standards such as NIST SP 800-30 emphasize risk assessment as a critical early step in managing cybersecurity risk.

Preparation includes asset identification, system classification, and readiness planning.

An Advanced Persistent Threat (APT) involves stealthy, long-term access to systems for espionage, data theft, or sabotage.

Integrityis the primary factor in system and information reliability. Reliable systems must ensure that data is accurate, complete, and protected from unauthorized modification. If integrity is compromised, decisions based on the data become unreliable—even if systems are available or confidential. NIST and ISO frameworks emphasize integrity as essential to trustworthiness and operational reliability.

Availabilityensures that authorized users can access information and systems when needed, a core element of the CIA triad.

Cross-site scripting (XSS) attacks exploitinput validation vulnerabilitiesin web applications. These vulnerabilities occur when an application fails to properly validate, sanitize, or encode user-supplied input before including it in web pages. As a result, attackers can inject malicious scripts that are executed in the browsers of other users.

XSS attacks commonly occur through form fields, URL parameters, cookies, or HTTP headers. Once executed, malicious scripts can steal session cookies, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim.

ARP spoofing and DNS poisoning target network-level trust relationships, not application input validation. Pharming redirects users to fake websites by manipulating DNS or host files, again unrelated to input validation.

Preventing XSS relies heavily on strong input validation, output encoding, content security policies (CSP), and secure coding practices. OWASP and NIST explicitly identify XSS as a validation-related vulnerability and emphasize defensive coding as the primary mitigation.

Risk tolerance, risk appetite, and acceptable risk are closely related terms describing how much risk an organization is willing to accept.

A URL filter is specifically designed to block access to prohibited websites based on domain names, URLs, or content categories. It provides granular and user-friendly control over web access.

IP address blocking is less effective because many websites use shared IP addresses and dynamic hosting. DLP focuses on data protection, not web browsing. IPS detects and blocks attacks, not policy-based browsing restrictions.

URL filtering is commonly implemented in firewalls, secure web gateways, and proxy servers and is a best-practice control for acceptable use enforcement.

Detective controls such as IDS and logging systems identify malicious activity.

Defense in depth begins by identifying assets, followed by administrative controls (policies), technical controls (logical), and physical controls to protect systems at multiple layers.

A complete BCP includes response procedures, communication plans, and management authority to ensure coordinated recovery.

NIST publishes standards and frameworks. GDPR and HIPAA are regulations and laws, not standards bodies.

Transport Layer Security (TLS) helps mitigateman-in-the-middle (MITM) attacksby providing encryption, authentication, and integrity protection for data transmitted between communicating systems. TLS ensures that data exchanged between a client and server cannot be intercepted, modified, or read by unauthorized third parties.

TLS uses digital certificates and public key cryptography to authenticate servers (and sometimes clients), preventing attackers from impersonating legitimate endpoints. It also encrypts session data using symmetric encryption, protecting confidentiality even if traffic is captured.

TLS does not prevent application-layer attacks such as XSS or SQL injection, which are caused by insecure application logic. It also does not address social engineering, which targets human behavior rather than network protocols.

Because MITM attacks exploit unencrypted or improperly authenticated connections, TLS is a primary defense recommended by NIST and all modern security standards for protecting data in transit.

Digital signatures provideauthentication,integrity, andnon-repudiation, but they donot provide confidentiality. A digital signature verifies who sent the message and ensures it was not altered, but the content remains readable unless encryption is also applied.

Confidentiality requires encryption, typically using symmetric or asymmetric cryptography. Digital signatures are often combined with encryption (such as in TLS or secure email), but by themselves they do not hide message contents.

The IPv6 address rangefc00::/7, which includesfc00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, is reserved forUnique Local Addresses (ULAs). ULAs are the IPv6 equivalent of private IPv4 addresses (such as 10.0.0.0/8 or 192.168.0.0/16). These addresses are intended for internal communications within an organization and arenot routable on the public Internet.

ULAs allow organizations to design internal IPv6 networks without relying on globally routable addresses. This enhances security by reducing external exposure and simplifies internal network design. According to RFC 4193, ULAs are designed to be globally unique within private networks while remaining isolated from the public Internet.

Aprocedureis a detailed, step-by-step set of instructions that explainshowto perform a task in compliance with policies and standards. Procedures translate high-level requirements into actionable guidance for staff.

Policies define what must be done, standards specify mandatory requirements, and procedures explain exactly how to carry them out. Laws are external legal mandates, not internal operational documents.

For example, a security policy may require access reviews, a standard may define review frequency, and a procedure will outline the exact steps to conduct the review. Procedures ensure consistency, reduce errors, and support compliance and auditing efforts.

ATrojandeceives users into executing it by appearing legitimate while performing malicious actions.

Modern organizations depend on IT systems for communication, data processing, transactions, and service delivery. Without IT, critical business functions often cannot operate, making IT recovery essential to business continuity.

Anadverse eventis a harmful occurrence that may or may not constitute a security incident or breach.

Anintrusionis an unauthorized attempt to access systems or resources, whether successful or not.

Modern firewalls operate at Layers 3, 4, and 7, supporting packet filtering, stateful inspection, and application-layer filtering.

BCPs should be testedroutinely(e.g., tabletop, simulations) to ensure readiness and relevance.

Common IRT models includededicated,leveraged, andhybridteams. In these models, response capabilities exist within the organization. While organizations mayusethird-party assistance, a fullyoutsourcedIRT is generally not considered a core internal IRT model because incident response requires immediate organizational authority, access, and accountability.

ABAC supports dynamic, context-aware access decisions based on attributes such as location, device, and time—ideal for global access scenarios.

Availability ensures that systems and data are accessible to authorized users when needed. A power outage that disrupts access to a data center directly impacts availability.

Confidentiality concerns unauthorized disclosure, integrity concerns unauthorized modification, and non-repudiation concerns accountability. None of these are directly affected by a power outage.

Availability risks are commonly addressed through redundancy, backup power supplies, generators, UPS systems, and disaster recovery planning.

Ensuring availability is a core objective of business continuity and disaster recovery programs.

Cross-Site Request Forgery (CSRF) tricks an authenticated user’s browser into sending unauthorized requests to a trusted server. Because the user is already authenticated, the server processes the request as legitimate.

XSS injects malicious scripts, while spoofing involves impersonation. CSRF exploits trust in an existing authenticated session. Defenses include CSRF tokens, same-site cookies, and proper request validation.

BCP requires input from all business units to identify dependencies and ensure continuity of critical functions.

A Demilitarized Zone (DMZ) hosts public-facing services while isolating internal networks. It adds layered security controls to reduce attack impact.

A Business Continuity Plan is enacted when an organization experiences aloss or disruption of critical business operations. The goal of BCP is to ensure that essential business functions continue or are quickly restored, regardless of the cause of the disruption.

While events, incidents, or natural disasters may trigger disruptions, BCP activation is based onimpact to operations, not the type of event itself. BCP focuses on people, processes, facilities, and third parties—not just IT systems.

Azero-day vulnerabilityis typically not identifiable through a standard vulnerability assessment. Vulnerability scanners and routine assessments rely onknown vulnerability signatures, published advisories, and documented weaknesses. By definition, a zero-day vulnerability is unknown to vendors, defenders, and security tools at the time it exists or is exploited.

File permission issues, buffer overflows, and cross-site scripting (XSS) vulnerabilities are commonly detected through automated scans, configuration reviews, and application testing because they are well understood and documented classes of weaknesses. Scanners are specifically designed to identify these known issues.

Zero-day vulnerabilities, however, require alternative detection approaches such as behavioral monitoring, anomaly detection, threat intelligence, or post-exploitation forensics. This limitation is why vulnerability assessments alone are insufficient and must be complemented withdefense-in-depth, monitoring, and incident response capabilities.

Security frameworks consistently emphasize that organizations should not rely solely on vulnerability scanning, as it cannot detect unknown or newly emerging threats like zero-day vulnerabilities.

VLAN hopping exploits weaknesses in Layer 2 switching mechanisms such as trunking and tagging.

ASecurity Operations Center (SOC)is a centralized function responsible for continuous monitoring, detection, analysis, and response to cybersecurity events. SOC teams use tools such as SIEM, SOAR, IDS/IPS, and threat intelligence feeds to identify threats before they escalate into incidents.

Incident response training enables professionals to recognize malicious activity versus routine IT failures and respond appropriately.

Anti-malware solutions provide broader detection than traditional antivirus by covering multiple malware classes.

Separation of duties prevents fraud by ensuring no single individual can complete critical actions alone, enabling detection through checks and balances.

Registered ports (1024–49151) are typically assigned to vendor-specific or proprietary applications, such as database services.

GDPR is a privacy regulation governing the protection of personal data for individuals in the EU.

Port forwarding is commonly referred to by all these terms depending on context and implementation.

Symmetric encryption uses a single shared key for both encryption and decryption. This means that both the sender and receiver must securely possess the same key.

Symmetric algorithms are fast and efficient, making them ideal for encrypting large amounts of data. Common examples include AES and ChaCha20.

Asymmetric (public key) encryption uses two keys—public and private—and is slower. “TCB key” is not a recognized encryption type.

Because of key distribution challenges, symmetric encryption is often combined with asymmetric encryption for secure key exchange. This hybrid approach is used in protocols like TLS and is recommended by modern cryptographic standards.

Multitenancy allows shared infrastructure while maintaining logical isolation between customers.

The ISC2 Code of Ethics prioritizesprotecting society and the public, including users, over employer interests.

The primary goal of incident management is toreduce the impact of an incidenton the organization. Incident management focuses on minimizing damage, limiting scope, and restoring stability as quickly as possible.

Preparation is handled before incidents occur, and disaster recovery focuses on long-term system restoration. Protecting life and safety is important but not the core definition of incident management in cybersecurity frameworks.

NIST SP 800-61 emphasizes rapid containment, mitigation, and impact reduction as the central objectives of incident management.

The primary objective of incident management is to minimize business impact and restore normal operations as quickly as possible. Analysis and lessons learned occur later in the lifecycle.

Software-Defined Networking (SDN) separates the control plane from the data plane, enabling centralized and programmable network management.

All listed protocols provide encrypted email communication using SSL/TLS for sending or retrieving email securely.

A Content Delivery Network (CDN) ensures low latency by caching content at geographically distributed edge locations close to end users. When customers access a website, content is served from the nearest CDN node rather than a centralized server.

This significantly reduces round-trip time, network congestion, and load on origin servers. CDNs are especially effective for static content such as images, scripts, and videos, which dominate e-commerce traffic.

Load balancing distributes traffic but does not reduce geographic distance. SaaS is a service model, not a latency solution. Decentralized data centers help but lack the optimized edge caching and routing capabilities of a CDN.

CDNs are a core performance and availability control for global online services and are widely used by large e-commerce platforms to improve customer experience and resilience.

Zenmap is the graphical front end for Nmap. It performs host discovery, port scanning, service enumeration, and OS fingerprinting.

Apolicyis a high-level, mandatory statement approved by senior management that defines what is allowed or required within an organization. In this scenario, the governing board establishes a rule that only the legal department may review third-party contracts, making it a policy decision.

Procedures provide step-by-step instructions, standards define specific technical or operational requirements, and laws are external legal mandates imposed by governments. None of those best describe this situation.

Policies establish authority, accountability, and organizational intent. They are enforceable and form the foundation for standards and procedures. Governance frameworks emphasize management-approved policies as essential for consistent and compliant operations.

Anentitlementrefers to the inherent set of privileges or access rights granted to a user when an account is created. Entitlements define what resources a user can access and what actions they are allowed to perform.

A baseline refers to standard configurations, not user permissions. Aggregation and transitivity relate to access control models but do not describe default assigned privileges.

Managing entitlements is a key function of IAM systems and is critical for enforcing least privilege, access reviews, and compliance. Poor entitlement management often leads to excessive permissions and increased security risk.

Spoofing involves falsifying identity information such as IP or MAC addresses to bypass security controls.

A subject in cybersecurity is an active entity that initiates actions and requests access to resources. Among the options provided, auseris the correct example of a subject because users actively authenticate, request access, and perform operations on systems.

Files and filenames are objects, not subjects. They are passive entities that store data and do not initiate actions. A fence is a physical security control and does not function as a subject within access control models.

Subjects can include human users, system processes, applications, or services acting on behalf of users. In access control decisions, systems evaluate whether a subject is authorized to perform a specific action on an object based on identity, role, or security label.

Understanding the distinction between subjects and objects is essential for designing secure systems and implementing access control policies. It supports core principles such as least privilege and separation of duties. Without clearly identifying subjects, organizations cannot accurately enforce permissions, monitor activity, or perform effective auditing and incident response.

Non-repudiation requires strong identity verification, message integrity, and tamper resistance, typically implemented using digital signatures and PKI.

The CIA triad provides a foundational framework for understanding and designing security controls.

A wall is a physical deterrent that prevents and discourages unauthorized access. Signs are administrative deterrents, cameras are detective controls, and razor tape is a physical barrier but typically supplements perimeter defenses rather than serving as the primary deterrent.

ABusiness Continuity Plan (BCP)ensures critical operations continue during and after significant disruptions, regardless of the cause.

A session key is a temporary cryptographic key used to encrypt communication between two systems for a single session. Session keys are typically symmetric keys generated during secure key exchange processes such as TLS handshakes.

They provide confidentiality and efficiency because symmetric encryption is much faster than asymmetric encryption. Once the session ends, the key is discarded, limiting exposure even if the key is later compromised.

Public keys are used for key exchange and authentication, not bulk data encryption. “Temporary key” and “section key” are not standard cryptographic terms.

Session keys are fundamental to secure network communications and are recommended by all modern cryptographic standards due to their performance and security benefits.

Disaster Recovery Planning focuses specifically on restoring IT infrastructure, systems, and communications.

Metal detectors are effectivepreventive physical controlsthat detect electronic devices and storage media. They are commonly used in high-security environments to enforce device restrictions.

Identification is the act of claiming an identity (e.g., username). Authentication is the process of verifying that claim (e.g., password, biometrics). Authorization follows authentication.

A zero-day vulnerability is one that is unknown to the vendor and has no available patch at the time it is exploited. Attackers take advantage of the fact that defenders have “zero days” to fix the issue.

Routine vulnerability scans cannot detect zero-days because scanners rely on known signatures. This is why defense-in-depth, monitoring, and anomaly detection are critical security strategies.

Hashing ensuresintegrityby allowing detection of unauthorized changes to data.

Integrity applies broadly—to data, systems, processes, and organizational operations—ensuring accuracy, completeness, and trustworthiness.

A breach occurs when unauthorized access results in the disclosure, theft, or loss of sensitive data. An intrusion may not always result in data loss, but a breach does.

Hashing produces a fixed-length value that uniquely represents data. Any modification to the data changes the hash, allowing integrity verification. Hashing does not provide confidentiality but is critical for detecting tampering.

ABusiness Impact Analysis (BIA)identifies critical systems, dependencies, and acceptable downtime to prioritize recovery and continuity strategies.

Black box penetration testing requires the most effort because the testing team hasno prior knowledgeof the target system. Testers must perform reconnaissance, discovery, enumeration, vulnerability identification, and exploitation without any internal documentation or credentials.

In contrast, white box testing provides full knowledge of systems, source code, and configurations, significantly reducing discovery effort. Gray box testing provides partial information, offering a balance between realism and efficiency. “Blue box” is not a standard penetration testing category.

Black box testing closely simulates real-world external attackers, making it valuable for assessing perimeter defenses, but it is time-consuming and resource-intensive. Testers must identify attack surfaces from scratch and may miss internal vulnerabilities due to lack of access.

Security frameworks recognize black box testing as the most labor-intensive but also the most realistic external threat simulation.

Policies are administrative controls that define acceptable behavior and organizational rules.

An IPS monitors traffic, detects malicious activity, and actively blocks attacks. Encryption is handled by protocols such as TLS or IPSec, not IPS devices.

Defense in depth uses multiple layers of controls—administrative, technical, and physical—so that failure of one layer does not compromise security.

Business Continuity (BC) ensures thatcritical business operations continue during and after an incident. Business Continuity Planning focuses on people, processes, and alternative workflows to keep the organization functioning.

Disaster Recovery (DR) focuses specifically on restoring IT systems and infrastructure after a disruption, while Incident Response focuses on detecting and containing security incidents.

Because the question emphasizes maintaining business operations, Business Continuity is the most accurate answer.

Regulations are legally enforceable requirements issued by governments or regulatory bodies. Violating regulations such as GDPR, HIPAA, or PCI DSS can result in fines and penalties.

Standards, policies, and procedures may influence compliance but do not carry direct legal penalties unless codified into law.

An intranet is a private network that uses internet technologies (such as TCP/IP and web browsers) but is accessible only to an organization’s internal users. It mirrors the structure and functionality of the internet while remaining private.

An extranet extends limited access to external partners. A VLAN is a logical network segmentation technique. A VPN is a secure communication tunnel, not a network architecture.

Intranets are commonly used for internal portals, documentation, collaboration tools, and internal services. From a security standpoint, intranets require strong authentication, segmentation, and access controls.

ATrojanis a direct form of malware that disguises itself as legitimate software to perform malicious actions.

Technical (logical) controls are implemented using technology to enforce security policies. A GPS tracking system is a technical control because it relies on electronic systems and software to monitor and record vehicle location.

Security guards and door locks are physical controls. Technical controls include firewalls, encryption, intrusion detection systems, access control systems, and monitoring tools.

Technical controls play a major role in preventing, detecting, and responding to cyber threats and are emphasized heavily in modern cybersecurity frameworks.

Risk Avoidanceeliminates risk by discontinuing activities that expose the organization to unacceptable threats.

Effective DLP solutions monitor all egress channels to prevent unauthorized data exfiltration, including web uploads, APIs, and removable media.

Ethernet (IEEE 802.3) defines wired LAN communication standards.

Most VPNs (e.g., IPSec) operate atLayer 3 (Network layer), encapsulating IP packets to create secure tunnels.

The primary goal of arisk assessmentis to identify, estimate, and prioritize risks based on likelihood and impact. This allows organizations to make informed decisions about how to handle risk. Risk avoidance, mitigation, or transfer occurafterthe assessment phase.

Logical (technical) controls such as encryption, access controls, DLP, and firewalls directly prevent unauthorized data access and exfiltration.

Network Access Control (NAC) enforces policies that determine whether devices can connect to a network based on posture, identity, and compliance.

Backups are one of the most critical components of any disaster recovery (DR) strategy. Disaster recovery focuses on restoring systems, data, and operations after a disruptive event such as a cyberattack, natural disaster, hardware failure, or human error. Without reliable backups, recovery may be impossible or severely delayed.

Backups ensure that critical data can be restored to a known good state, minimizing data loss and downtime. Industry frameworks such as NIST SP 800-34 and ISO/IEC 27031 emphasize backups as a foundational DR control. They support recovery time objectives (RTOs) and recovery point objectives (RPOs), which define how quickly systems must be restored and how much data loss isacceptable.

While routers, laptops, and firewalls are important infrastructure components, they can typically be replaced or reconfigured. Lost or corrupted data, however, may be irreplaceable without backups. Best practices include maintaining regular, automated backups, storing them offsite or in the cloud, and protecting them from ransomware using immutable or offline storage. Testing backups regularly is also essential to ensure they are usable during an actual disaster.

Governancedefines oversight, accountability, and decision-making structures within an organization.

Microsegmentation enables fine-grained, software-defined security controls, limiting lateral movement within networks.

Operating system logs are the most relevant source of information for detecting and investigating privilege escalation attacks. These logs record authentication events, privilege changes, process executions, and system-level actions.

Because the attacker already had authorized access, firewall and IDS logs may show little or no suspicious activity. Database logs focus on database-level operations, not OS privilege changes.

OS logs provide the best visibility into actions such as sudo usage, kernel exploits, and unauthorized permission changes. They are essential for forensic analysis and incident response involving insider threats.

Carbon dioxide (CO₂) systems suppress fire without leaving residue or damaging electronic equipment. While they pose risks to people, they are effective for protecting electronics compared to water or foam.

A security incident is an event that threatens or violates CIA principles. Not all incidents result in breaches.

A Virtual Private Network (VPN) creates an encrypted tunnel between a user’s device and a remote network or server. This tunnel protects data confidentiality and integrity by encrypting all traffic passing through it, even when using untrusted networks such as public Wi-Fi.

HTTPS encrypts only web traffic, antivirus detects malware, and IDS monitors for suspicious activity. Only a VPN provides full-tunnel encryption for all network communications. VPNs are commonly implemented using protocols such as IPSec or SSL/TLS and are widely recommended for secure remote access.

Defense in Depth employs administrative, technical, and physical controls across multiple layers to reduce reliance on any single security mechanism. This approach increases resilience and detection capability.

Network segmentation isolates systems and resources into separate security zones to limit lateral movement by attackers. By segmenting networks, organizations protect critical assets and reduce the impact of breaches.

If one segment is compromised, segmentation prevents attackers from easily accessing other systems. This approach supports defense-in-depth and zero trust architectures.

Network segmentation is implemented using VLANs, firewalls, and access controls and is a foundational security practice recommended by NIST and CIS.

Business Continuity Plans (BCP) focus on sustaining operations using alternative processes and resources during disruptions.

A zero-day vulnerability is unknown to the vendor and security community and has no available patch. Because defenders have “zero days” to fix it, zero-day vulnerabilities are highly dangerous.

Website spoofing involves impersonating legitimate sites to deceive users. Phishing often uses spoofed sites but is the broader attack method.

In Business Continuity Planning (BCP), the termbusinessrefers primarily to theoperational aspects of the organization—the people, processes, and activities required to deliver products and services. While IT systems, finances, and facilities support operations, BCP focuses on ensuring thatcritical business functions continueduring and after disruptions.

This includes customer service, supply chain operations, payroll, compliance activities, and decision-making processes. BCP is broader than disaster recovery, which focuses mainly on restoring IT systems. According to NIST SP 800-34, business continuity emphasizes mission-essential functions and their dependencies, including personnel, third parties, facilities, and technology.

Load balancing distributes incoming traffic across multiple servers or resources to improve performance, scalability, and availability. It prevents overload of a single system and supports high availability architectures.

DDoS attacks can target bothLayer 3 (Network)andLayer 4 (Transport)by overwhelming IP routing, ICMP traffic, TCP SYN floods, or UDP floods. Hence, both layers are impacted.

Data loss affecting availability or integrity is classified as asecurity incident, even if no attacker is involved.

Dumpster diving is a physical social engineering attack in which an attacker searches trash bins to recover sensitive information such as passwords, financial records, network diagrams, or personal data. Because the attack targets discarded physical materials, technical controls such as anti-malware software or data loss prevention tools are ineffective in preventing it.

Shredding is the most effective defense because it physically destroys sensitive documents before disposal, making the information unreadable and unusable. Security best practices recommend cross-cut or micro-cut shredders for documents containing confidential or regulated data. This control directly addresses the attack vector and eliminates the risk at its source.

A clean desk policy reduces exposure during business hours but does not address improper disposal. DLP tools focus on electronic data movement, not physical waste. Therefore, shredding is considered a critical administrative and physical security control for preventing information leakage via dumpster diving, as emphasized in NIST SP 800-53 and ISO/IEC 27001 physical security guidelines.

Asecurity breachrefers to an incident where an unauthorized individual successfully gains access to a system, application, network, or data resource. Unlike a general security event, a breach confirms that confidentiality, integrity, or availability has been compromised. According to NIST SP 800-61, a breach occurs when security controls fail and protected information is accessed, disclosed, altered, or destroyed without authorization.

Not every event or intrusion results in a breach. For example, a blocked attack detected by an IDS is an event, not a breach. A breach has legal, regulatory, and business implications, often triggering notification requirements, forensic investigations, and remediation actions.

Firewalls control and filter network traffic based on security rules to prevent unauthorized access. While they may monitor traffic, their primary function is enforcing access control at network boundaries.

The primary purpose of aWeb Application Firewall (WAF)is tofilter, monitor, and block malicious HTTP/HTTPS trafficdirected at web applications. A WAF operates at theapplication layer (Layer 7)of the OSI model and is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting (XSS), command injection, and other OWASP Top 10 vulnerabilities.

Unlike traditional network firewalls, which focus on IP addresses, ports, and protocols, a WAF understands web-specific traffic patterns and inspects the content of HTTP requests and responses. This allows it to detect malicious payloads embedded in URLs, headers, cookies, and request bodies.

While some WAFs may offer limited protection against application-layer DDoS attacks, DDoS mitigation is not their primary function. Intrusion detection is typically handled by IDS/IPS solutions, and SSL certificate management is unrelated to WAF functionality.

Security frameworks such as NIST and OWASP recommend WAFs as a critical compensating control for protecting public-facing web applications, especially when secure coding fixes cannot be deployed immediately.

DNS is an application-layer protocol that resolves domain names to IP addresses using structured queries and responses.

When restoring operations after a disaster,most critical systemsmust be restored first. Systems enable business functions, and without them, functions cannot operate.

Disaster recovery focuses on restoring IT infrastructure in priority order based on business impact analysis (BIA). While functions are important, they depend on systems to operate. Management and least critical functions are lower priorities.

NIST and ISO/IEC business continuity standards emphasize restoring mission-critical systems first to minimize downtime and financial loss.

Security policies are high-level, mandatory statements approved by management that define security objectives, principles, and rules. Procedures and standards support policies but do not establish overarching intent.

An incident response policy establishes authority, scope, and direction. Without management approval, IR activities lack legitimacy.

DR planning includes technical controls, operational checklists, and security solutions to support recovery of IT systems after a disruption.

Aturnstileis a physical access control device designed to allow only one individual to pass at a time. Turnstiles are commonly used to prevent tailgating and unauthorized entry in offices, transit stations, and secure facilities. Unlike mantraps, turnstiles typically allow one-way movement and do not lock a person inside an enclosed space.

Data backupsare essential to disaster recovery, enabling restoration of systems and data following failures or disasters.