Prep Exam Questions and Answers: Practice Questions with Solutions (Newest | Already Graded A+)
1. During a high-risk international relocation of a corporate executive, the security team must
choose between two routes: Route A passes through a region with a history of petty crime but has
reliable cellular coverage, while Route B is a longer, remote route with no cellular service but lower
crime statistics. Which of the following analytical frameworks best supports a decision prioritizing
executive safety?
A. Route A, because constant communication enables faster response to threats.
B. Route B, because lower crime statistics indicate lower overall risk.
C. Conduct a real-time threat assessment using open-source intelligence to determine the current risk level for
each route, then decide.
D. Flip a coin, as both routes have acceptable risk profiles based on historical data.
Answer: C
Rationale: Historical crime data is insufficient for dynamic threat environments. A real-time assessment
incorporating current intelligence (e.g., social unrest, road conditions) allows adaptive risk mitigation.
Option A ignores that communication is useless if response cannot arrive in time; Option B relies on
stale data; Option D abdicates professional responsibility.
2. A security operations center (SOC) analyst detects a series of failed login attempts from a
foreign IP address targeting a non-privileged user account. The attempts occur at irregular
intervals over 72 hours. Which of the following is the most appropriate initial response?
A. Immediately block the foreign IP address at the firewall.
B. Escalate to incident response as a potential brute-force attack.
C. Check if the same IP has targeted other accounts; if not, ignore as likely automated scanning.
D. Reset the targeted user's password and enable multi-factor authentication.
Answer: D
Rationale: The irregular pattern suggests a sophisticated attacker, not simple brute-force. Resetting the
password and enabling MFA mitigates credential compromise without disrupting operations. Blocking
the IP (A) may be evaded via proxies; escalating (B) is premature without evidence of success; ignoring
(C) neglects the possibility of credential stuffing via other vectors.
3. In a tabletop exercise simulating a ransomware attack on a hospital's electronic health records
system, the incident commander proposes paying the ransom to restore operations quickly. Which
of the following considerations most strongly argues against this decision?
A. Paying the ransom may incentivize future attacks on the healthcare sector.
B. Law enforcement agencies strongly discourage ransom payments.
C. There is no guarantee that the decryption key will work or that data will not be leaked.
D. The hospital's cyber insurance policy may not cover ransom payments.
Answer: C
Rationale: While all options are valid concerns, the most immediate operational risk is that paying may
not restore data, leaving the hospital without records and having funded criminals. Option A is a
long-term systemic issue; B is advisory; D is contractual. The primary duty is to patient care, and paying
without assurance could worsen the situation.
4. A security professional is evaluating access control for a research facility handling dual-use
biotechnology. Which combination of access control principles best balances security with
operational efficiency?
A. Mandatory Access Control (MAC) with role-based attributes and biometric authentication.
B. Discretionary Access Control (DAC) with user-managed permissions and smart card authentication.
C. Role-Based Access Control (RBAC) with time-of-day restrictions and password authentication.
D. Attribute-Based Access Control (ABAC) with context-aware policies and multi-factor authentication.
Answer: D
Rationale: ABAC allows fine-grained policies based on user attributes, resource sensitivity, and
environmental context (e.g., time, location), enabling dynamic adjustments without manual intervention.
MAC (A) is too rigid for collaborative research; DAC (B) risks insider threats; RBAC (C) lacks context
sensitivity for high-risk materials.
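The distinction the rationale draws (RBAC answers only "does this user hold the role?", while ABAC also weighs resource sensitivity and environmental context) is shown below as an added example; it is not code from the page. The attribute names, the 1-3 sensitivity scale, the "lab" location and the 07:00-19:00 lab-hours window are assumptions made for this illustration.

```python
from datetime import datetime, time

SENSITIVE = 3  # assumed: sensitivity level at which the context-aware rules apply


def rbac_allows(user, resource):
    """Plain RBAC: the only input is whether the user holds the required role."""
    return resource["required_role"] in user["roles"]


# Each ABAC rule sees user, resource and environment attributes. Rules that only
# matter for sensitive material pass automatically for lower sensitivity levels.
ABAC_RULES = [
    ("role",      lambda u, r, e: r["required_role"] in u["roles"]),
    ("clearance", lambda u, r, e: u["clearance"] >= r["sensitivity"]),
    ("mfa",       lambda u, r, e: r["sensitivity"] < SENSITIVE or e["mfa"]),
    ("on_site",   lambda u, r, e: r["sensitivity"] < SENSITIVE or e["location"] == "lab"),
    ("lab_hours", lambda u, r, e: r["sensitivity"] < SENSITIVE
                                  or time(7) <= e["now"].time() < time(19)),
]


def abac_decision(user, resource, env):
    """Return (allowed, failed_rule_names); the names give an auditable reason for a denial."""
    failed = [name for name, rule in ABAC_RULES if not rule(user, resource, env)]
    return (len(failed) == 0, failed)


# Constructed subject, objects and contexts for the demonstration.
RESEARCHER = {"roles": ["researcher"], "clearance": 3}
PATHOGEN_DATA = {"required_role": "researcher", "sensitivity": 3}
SCHEDULE = {"required_role": "researcher", "sensitivity": 1}
IN_LAB_DAYTIME = {"mfa": True, "location": "lab", "now": datetime(2024, 3, 1, 10, 0)}
REMOTE_NIGHT = {"mfa": False, "location": "remote", "now": datetime(2024, 3, 1, 2, 0)}

if __name__ == "__main__":
    for label, env in (("in lab, daytime", IN_LAB_DAYTIME), ("remote, night", REMOTE_NIGHT)):
        print(label, "| RBAC:", rbac_allows(RESEARCHER, PATHOGEN_DATA),
              "| ABAC:", abac_decision(RESEARCHER, PATHOGEN_DATA, env))
```

RBAC grants the same researcher access to the high-sensitivity record from a remote machine at 02:00 without MFA; the ABAC policy denies it and names the three context rules that failed, while still allowing the low-sensitivity schedule under the same conditions, which is the "security without blocking routine work" balance the rationale describes.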
5. During a crisis negotiation, a subject demands that a journalist be present to broadcast their
statement. The security team has a policy against media involvement during active incidents.
Which of the following actions aligns with best practices in crisis communication and negotiation?
A. Refuse the demand outright, citing policy, to maintain control.
B. Agree to the demand to de-escalate, but negotiate conditions (e.g., delayed broadcast).
C. Bring in a trained crisis negotiator to explore alternative ways for the subject to feel heard.
D. Call the journalist and ask them to refuse participation.
Answer: C
Rationale: Skilled negotiators can redirect the subject's need for validation without conceding to
dangerous demands. Option A may escalate tension; B sets a dangerous precedent and risks media
manipulation; D involves an untrained third party and could backfire.
6. A security director is reviewing a physical security plan for a data center. The plan includes
mantraps, biometric entry, and 24/7 guards. Which of the following additional measures most
effectively addresses the risk of tailgating?
A. Install turnstiles that allow only one person per authentication.
B. Use CCTV with analytics to detect multiple entries.
C. Implement a policy requiring all personnel to wear visible ID badges.
D. Conduct random audits of entry logs.
Answer: A
Rationale: Turnstiles physically enforce one-person-per-authentication, directly preventing tailgating.
CCTV (B) is detection, not prevention; badges (C) can be forgotten or shared; audits (D) are
after-the-fact. Turnstiles are a proven physical barrier.
7. A company's threat intelligence team identifies a new Advanced Persistent Threat (APT) group
targeting the energy sector. The group uses custom malware that evades signature-based detection.
Which of the following is the most effective long-term defensive strategy?
A. Increase the frequency of signature updates for antivirus software.
B. Implement network segmentation and application whitelisting.
C. Conduct regular phishing awareness training for employees.
D. Deploy a honeypot to capture the malware for analysis.
Answer: B
Rationale: Network segmentation limits lateral movement, and application whitelisting prevents
unauthorized executables, reducing reliance on signatures. Signature updates (A) are reactive; training
(C) addresses only social engineering; honeypots (D) are for intelligence, not defense.
8. An executive is traveling to a country with known state-sponsored surveillance. Which of the
following communication methods provides the strongest assurance of confidentiality and integrity
against a sophisticated adversary?
A. Use a personal smartphone with a VPN to the corporate network.
B. Use a burner phone with pre-installed encrypted messaging apps.
C. Use a corporate laptop with full-disk encryption and a hardware security module for VPN.
D. Use satellite phone with end-to-end encryption for voice calls only.
Answer: C
Rationale: A corporate laptop with full-disk encryption and a hardware security module (HSM) provides
strong endpoint security and hardware-backed (trusted platform module) protection of the VPN
authentication keys. VPNs on a personal phone (A) can be blocked or compromised; burner phones (B) may
be infected by zero-days; satellite phones (D) offer limited data security.
9. A security analyst reviews logs and finds that an employee's credentials were used to access a
sensitive database at 2:00 AM from an IP address in a different city. The employee claims they
were asleep. Which of the following is the most likely explanation?
A. The employee's password was guessed via brute-force.
B. The employee's device was infected with a keylogger.
C. The employee's credentials were stolen via a phishing email and used by an attacker.
D. The employee is lying and accessed the database themselves.
Answer: C
Rationale: Phishing remains the most common vector for credential theft. Brute-force (A) would likely
show multiple attempts; keylogger (B) is possible but less common than targeted phishing; lying (D) is
possible but less likely given the IP location discrepancy.
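Detection logic for the two log-review scenarios above, question 2's low-and-slow failed logins from one foreign source and question 9's off-hours access from a city that does not match the user, written as an added example rather than code taken from the page. The record format, usernames, addresses and the per-user home-city baseline are constructed for the example; the thresholds (three attempts over at least 24 hours, working hours 07:00-19:00) are assumptions a SOC would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the page), one per line:
# timestamp user result src_ip city
SAMPLE_LOG = """\
2024-03-01T01:12:00 jdoe   FAIL 203.0.113.7   Frankfurt
2024-03-01T09:40:00 jdoe   FAIL 203.0.113.7   Frankfurt
2024-03-02T03:05:00 jdoe   FAIL 203.0.113.7   Frankfurt
2024-03-02T22:18:00 jdoe   FAIL 203.0.113.7   Frankfurt
2024-03-03T14:50:00 jdoe   FAIL 203.0.113.7   Frankfurt
2024-03-03T15:01:00 jdoe   OK   198.51.100.20 Denver
2024-03-04T02:00:00 asmith OK   203.0.113.42  Frankfurt
2024-03-04T10:00:00 asmith OK   198.51.100.21 Denver
"""
HOME_CITY = {"jdoe": "Denver", "asmith": "Denver"}  # assumed per-user baseline


def parse_log(text):
    """Turn the whitespace-separated records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src_ip, city = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ok": result == "OK", "src_ip": src_ip, "city": city})
    return events


def persistent_failures(events, min_attempts=3, min_span_hours=24):
    """Question 2 pattern: failures from one source against one account that are
    too few for a burst threshold but spread over a long window."""
    stamps = defaultdict(list)
    for e in events:
        if not e["ok"]:
            stamps[(e["src_ip"], e["user"])].append(e["ts"])
    findings = []
    for (src_ip, user), times in stamps.items():
        times.sort()
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        if len(times) >= min_attempts and span_h >= min_span_hours:
            gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
            findings.append({"src_ip": src_ip, "user": user, "attempts": len(times),
                             "span_hours": round(span_h, 1),
                             # crude heuristic: widely varying gaps rather than a fixed timer
                             "irregular": max(gaps_h) > 2 * min(gaps_h),
                             "action": "reset password and enable MFA, then investigate"})
    return findings


def anomalous_access(events, home_city, work_start=7, work_end=19):
    """Question 9 pattern: a successful login outside working hours from a city
    that does not match the user's usual location."""
    findings = []
    for e in events:
        home = home_city.get(e["user"])
        off_hours = not (work_start <= e["ts"].hour < work_end)
        if e["ok"] and off_hours and home is not None and home != e["city"]:
            findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                             "src_ip": e["src_ip"], "city": e["city"], "home": home,
                             "action": "treat as likely credential compromise: revoke "
                                       "sessions, reset credentials, check mail for phishing"})
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in persistent_failures(events) + anomalous_access(events, HOME_CITY):
        print(finding)
```

The failure rule deliberately keys on span rather than rate, since a per-minute lockout threshold never fires on five attempts spread across three days; the access rule needs a per-user location baseline, which is why the example carries one explicitly rather than inferring it from the same log it inspects.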
10. A security manager is tasked with reducing the risk of insider threats in a department handling
trade secrets. Which of the following approaches addresses both malicious and unintentional
insider threats most comprehensively?
A. Implement user behavior analytics (UBA) to detect anomalies.
B. Conduct mandatory annual security awareness training.
C. Enforce least privilege access and monitor data exfiltration attempts.
D. Establish a positive work environment and anonymous reporting hotline.
Answer: C
Rationale: Least privilege limits the damage from both malicious acts and accidental errors, while
monitoring detects exfiltration. UBA (A) is reactive; training (B) addresses only unintentional threats;
positive environment (D) is important but not a direct control.
11. A research team is developing a novel security protocol for a cloud-based healthcare system
that must comply with the latest HIPAA Security Rule. The protocol uses attribute-based
encryption (ABE) with a trusted authority. Which of the following represents the most significant
privacy risk in this design, assuming the trusted authority is honest-but-curious?
A. The trusted authority can decrypt all ciphertexts, enabling it to learn patient data.
B. Attribute revocation requires re-encryption of all data associated with the revoked attribute.
C. The encryption scheme is vulnerable to quantum computing attacks on elliptic curve cryptography.
D. Data owners must be online to generate keys for each user, creating a single point of failure.
Answer: A
Rationale: In ABE with a trusted authority, the authority holds the master secret key and can decrypt any
ciphertext, posing a privacy risk if the authority is compromised or curious. Option B is a scalability
issue, not a privacy risk per se. Option C is a future threat, not specific to the current design. Option D
describes a key distribution problem, not a privacy risk.
12. In the context of the NIST Cybersecurity Framework (CSF) 2.0, which of the following best
describes the relationship between the 'Govern' function and the other five functions (Identify,
Protect, Detect, Respond, Recover)?
A. Govern is a new function that provides overarching risk management guidance and integrates with all other
functions.
B. Govern replaces the Identify function and is the foundation for all subsequent functions.
C. Govern is a subcategory of the Identify function, focusing on governance and policy.
D. Govern is optional and only applies to organizations with regulatory compliance requirements.
Answer: A
Rationale: In CSF 2.0, the Govern function was added to emphasize governance and is intended to be
integrated across all other functions, providing context and guidance. Option B is incorrect because
Identify remains a separate function. Option C is incorrect because Govern is a distinct function, not a
subcategory. Option D is incorrect because Govern is recommended for all organizations.
13. A security analyst is reviewing logs from a network intrusion detection system (NIDS) and
observes the following pattern: a series of TCP SYN packets sent to multiple ports on a single host
from a single source IP, with no subsequent SYN-ACK responses. The packets have randomized
source ports and a constant window size. Which of the following is the most likely explanation?
A. A stealth port scan using SYN packets, where the attacker is attempting to avoid detection by using a
constant window size.