Free ISC2 Certified in Cybersecurity CC Practice Questions: Network and Cloud Security

Practice 10 free ISC2 Certified in Cybersecurity (CC) questions on Network and Cloud Security, with answers and explanations.

Topic snapshot

Field | Detail
Practice target | ISC2 Certified in Cybersecurity CC
Topic area | Networking and Cloud Security Concepts
Blueprint weight | 21.3%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Networking and Cloud Security Concepts for ISC2 Certified in Cybersecurity CC. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 21.3% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These are original IT Mastery practice questions aligned to this topic area. They are not official ISC2 questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mocks in IT Mastery.

Question 1

Topic: Networking and Cloud Security Concepts

A facilities team installs smart badge readers in an office. During setup, they leave the vendor default administrator password in place and connect the devices directly to the corporate network without security review. Which control best reduces this embedded-device risk?

Options:

  • A. Add phishing awareness training for facilities staff

  • B. Increase password complexity for employee laptops

  • C. Encrypt archived access-control reports

  • D. Require secure IoT onboarding before network access

Best answer: D

Explanation: Embedded and IoT devices can create risk when they use default credentials or connect to networks without being inventoried, approved, and managed. A secure onboarding control should require steps such as changing default passwords, recording the asset owner, applying baseline configuration, and connecting the device only to an approved or segmented network. This directly targets the weakness in the scenario: unmanaged badge readers with known default access on the corporate network.

Controls aimed at user laptops, archived reports, or general awareness may be useful elsewhere, but they do not directly harden or manage the embedded devices before connection.

  • Laptop password rules do not fix default administrator credentials on the badge readers.
  • Report encryption protects stored data, but it does not reduce device takeover or unauthorized network access.
  • Awareness training is weaker than enforcing a technical or procedural onboarding control for connected devices.

Question 2

Topic: Networking and Cloud Security Concepts

A small manufacturing site uses several embedded sensors that run unsupported firmware. The sensors cannot be centrally managed, and the vendor rarely provides patches. They only need to send readings to one internal collection server. Which safeguard should the security team implement first to reduce risk?

Options:

  • A. Move the collection server to a public cloud service

  • B. Place the sensors on a segmented network with only required traffic allowed

  • C. Require users to complete annual IoT security awareness training

  • D. Increase password complexity for employee workstations

Best answer: B

Explanation: Embedded, ICS, and IoT devices are often difficult to patch, replace, or manage with standard endpoint tools. A foundational safeguard is to reduce what those devices can reach and what can reach them. Network segmentation, with firewall rules or access controls that permit only the required connection to the collection server, reduces the chance that a vulnerable sensor becomes an easy entry point or lateral movement path. This does not fix the unsupported firmware, but it lowers exposure while supporting the required business function.

Administrative training and unrelated endpoint controls can help overall security, but they do not directly contain the technical risk from unmanaged embedded devices.

  • Awareness training is useful for human behavior risks, but it does not restrict vulnerable sensor traffic.
  • Public cloud migration changes hosting location, but it does not automatically protect unmanaged devices on the site network.
  • Workstation passwords improve a different asset layer and do not address exposure from embedded sensors.

Question 3

Topic: Networking and Cloud Security Concepts

A company issues tablets to warehouse staff for inventory scanning. During a review, security finds that Bluetooth is left enabled and discoverable on all tablets, even though no approved Bluetooth accessories are used. Which control best reduces this short-range connectivity exposure?

Options:

  • A. Post signs reminding users not to pair devices

  • B. Require a VPN for all tablet network traffic

  • C. Disable Bluetooth by device policy when not needed

  • D. Encrypt the inventory database at rest

Best answer: C

Explanation: Bluetooth and other short-range wireless features can expose devices to unauthorized discovery, pairing attempts, and nearby attacks when left enabled without a business need. The strongest fit is a technical hardening control that disables the unused radio or restricts it through managed device policy. This directly addresses the risky behavior in the stem: tablets are discoverable and do not need Bluetooth for approved work.

VPNs and data encryption are useful controls, but they protect different layers. Awareness reminders help users make better choices, but they are weaker than centrally preventing an unnecessary connection method.

  • VPN mismatch: a VPN protects traffic over networks but does not stop nearby Bluetooth discovery or pairing attempts.
  • Data encryption mismatch: encryption at rest protects stored data if accessed, but it does not remove the exposed short-range interface.
  • Awareness-only control is weaker because users may ignore signs or forget to disable Bluetooth.

Question 4

Topic: Networking and Cloud Security Concepts

A company has several application servers in the same data center network. Security wants each server to communicate only with the specific services it needs, even when the servers are on the same traditional network segment. Which concept best matches this requirement?

Options:

  • A. Firewall zone

  • B. VLAN

  • C. Micro-segmentation

  • D. Wireless isolation

Best answer: C

Explanation: Micro-segmentation is the best fit when the goal is very granular control between individual workloads, servers, or application components. A firewall zone usually groups systems by trust level, such as internal, external, or DMZ. A VLAN separates traffic at Layer 2 into logical broadcast domains, which is useful for broader network separation. Micro-segmentation goes finer than those broad groupings by limiting which workloads can talk to each other based on specific allowed flows. The key distinction is the level of granularity: zones and VLANs group networks, while micro-segmentation controls workload-to-workload communication.

  • Firewall zone is broader than the requirement because it groups systems by trust level rather than controlling each server-to-service flow.
  • VLAN separates devices into logical network segments but does not by itself provide workload-level policy.
  • Wireless isolation applies to limiting wireless client communication, not server-to-server controls in a data center.

Question 5

Topic: Networking and Cloud Security Concepts

A company wants to make sure that if a guest Wi-Fi account is misused, the unauthorized user cannot directly reach employee workstations or payment systems. The network team places guest devices, employee devices, and payment systems in separate zones with rules controlling traffic between them. Which concept is being applied?

Options:

  • A. Data masking

  • B. Load balancing

  • C. Network segmentation

  • D. Hashing

Best answer: C

Explanation: Network segmentation divides a network into separate zones, such as guest, employee, and payment environments, and controls traffic between those zones. This reduces the reach of unauthorized access because a compromise in one segment does not automatically provide access to other sensitive areas. VLANs, firewall rules, and micro-segmentation are common ways to enforce these boundaries.

The key idea is containment: segmentation limits lateral movement and reduces the impact of a single compromised account or device.

  • Load balancing distributes traffic across systems for availability or performance, not to isolate unauthorized access.
  • Data masking hides sensitive data values but does not separate network areas.
  • Hashing verifies data integrity or stores one-way representations, but it does not restrict network reach.

Question 6

Topic: Networking and Cloud Security Concepts

A manufacturing plant uses PLCs to control a mixing process. An unexpected controller reboot could create a safety hazard and stop production. Operators currently use the same network segment for email browsing and for engineering workstations that manage the PLCs. Which control best addresses this OT risk?

Options:

  • A. Deploy screen-lock policies on engineering workstations

  • B. Require longer passwords on operator email accounts

  • C. Segment the ICS network and restrict approved access

  • D. Enable automatic reboots after every security update

Best answer: C

Explanation: Operational technology such as PLCs and ICS environments often has safety and availability priorities that differ from ordinary workstations. A control that reduces exposure without causing unplanned outages is preferred. Network segmentation separates email and general workstation activity from systems that control physical processes, and access restrictions help ensure only approved systems and users can reach the ICS environment. This lowers the chance that malware or misuse from the business network affects equipment operations. Controls that force reboots or focus only on user workstation behavior may help in normal IT environments, but they do not directly protect the OT process and could create unsafe downtime.

  • Automatic reboots are risky in OT because unplanned controller restarts can affect safety and production availability.
  • Longer email passwords help account security but do not separate risky workstation activity from PLC management paths.
  • Screen-lock policies reduce local misuse but do not address network exposure between business use and ICS control systems.

Question 7

Topic: Networking and Cloud Security Concepts

A small clinic discovers that a receptionist’s workstation is infected with malware. The workstation can directly reach file servers, medical devices, and guest Wi-Fi systems because all devices are on one flat network. The clinic wants to reduce the impact if one device is compromised again. What is the best action?

Options:

  • A. Move all devices to the same faster switch

  • B. Segment the network into separate zones or VLANs

  • C. Increase password length for all user accounts

  • D. Install antivirus only on the receptionist workstation

Best answer: B

Explanation: A flat network places many different systems in the same reachable space, so one compromised device can more easily communicate with servers, medical devices, and guest systems. Network segmentation uses zones, VLANs, or similar controls to separate groups of systems based on trust level or business purpose. This reduces the blast radius of malware and supports defense in depth by making lateral movement harder. Strong passwords and endpoint tools still matter, but they do not directly fix the network design problem described in the scenario.

  • A password focus improves authentication but does not reduce direct network reachability between unrelated systems.
  • Single endpoint protection may help one workstation but leaves the same flat network exposure in place.
  • Faster switching improves connectivity or performance, not containment after compromise.

Question 8

Topic: Networking and Cloud Security Concepts

A company stores customer records in a cloud database. Access is currently restricted by one perimeter firewall rule that allows connections from the corporate office. A review finds that a stolen employee account or a mistaken firewall change could still expose the data. Which control approach best reflects defense in depth?

Options:

  • A. Tighten the existing firewall rule only

  • B. Layer segmentation, MFA, and database activity logging

  • C. Require annual security awareness training only

  • D. Move the database to a private cloud only

Best answer: B

Explanation: Defense in depth uses multiple, complementary controls so that failure or bypass of one control does not leave the asset unprotected. In this scenario, the database is protected mainly by a perimeter firewall rule. Adding segmentation limits network paths, MFA reduces the value of stolen credentials, and activity logging improves detection and response. These controls operate at different layers and address different failure modes. A stronger single firewall rule may help, but it still leaves the organization dependent on one barrier.

  • Firewall-only thinking fails because it improves the same perimeter layer rather than adding independent layers of protection.
  • Private cloud placement may change the hosting model, but it does not by itself add layered controls around access and monitoring.
  • Awareness only is useful administratively, but it does not provide technical protection if credentials or firewall rules fail.

Question 9

Topic: Networking and Cloud Security Concepts

A help desk analyst is triaging a user report for an internal web application. The user is connected to the corporate VPN, the application login page loads, and the user can sign in successfully. After sign-in, the application displays: "Access denied: insufficient permissions."

What is the best action for the analyst to take first?

Options:

  • A. Review the user’s role or group membership

  • B. Open a firewall rule to the application

  • C. Reset the user’s password

  • D. Troubleshoot the user’s VPN connection

Best answer: A

Explanation: Network connectivity means the device can reach the service, while authentication verifies identity and authorization determines what an authenticated user may access. In this scenario, the VPN is connected and the login page loads, so basic connectivity is present. The user can also sign in successfully, so authentication is not the primary failure. The message about insufficient permissions points to authorization, such as missing role assignment, group membership, or application entitlement.

The key takeaway is to match the troubleshooting step to the evidence: reachability problems suggest connectivity, failed sign-in suggests authentication, and denied permissions after sign-in suggest authorization.

  • VPN troubleshooting does not fit because the user can already reach the application through the VPN.
  • Password reset does not fit because the user signs in successfully.
  • Firewall change does not fit because the application login page is reachable, so the path is not blocked at that point.

Question 10

Topic: Networking and Cloud Security Concepts

A company moves an internal support portal to a cloud-hosted web service so remote staff can reach it from any internet connection. The portal contains customer contact details, and policy says only the support team may use it. What is the BEST action before enabling access?

Options:

  • A. Restrict access with authentication, MFA, and least privilege

  • B. Rely on the cloud provider to control all user access

  • C. Make the portal public but encrypt the stored data

  • D. Delay logging until after users report issues

Best answer: A

Explanation: Broad network access is a cloud characteristic that lets services be reached over standard networks from many locations and device types. That improves availability and flexibility, but it also changes exposure because the service is no longer limited to an internal network path. For a portal containing customer contact details and limited to one team, the organization should enforce identity-based controls such as strong authentication, MFA, authorization, and least privilege before allowing access. Encryption helps protect data, but it does not decide who may use the portal. The key takeaway is that broader reach requires stronger access control expectations.

  • Provider-only control fails because the organization still controls who is authorized to access its users and data.
  • Public plus encryption fails because encryption does not satisfy the policy limiting use to the support team.
  • Delayed logging fails because monitoring should support secure operation from the start, not only after complaints.
