Cybersecurity MCQ 60 Practice Tests With Answers (2026)

Cybersecurity MCQ practice questions are essential for preparing for competitive exams, certifications (CompTIA Security+, CEH), and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering cybersecurity fundamentals, threats, and defensive strategies.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational terminology and core definitions), Concepts (covering intermediate protocols, threat mechanics, and architectural trade-offs), and Advanced (covering scenario-based analysis, advanced compliance, and enterprise architectures). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers instantly, or use Exam Mode for timed testing and real-time scoring. The interactive engine tracks your progress and identifies knowledge gaps across topics like CIA Triad, malware, encryption, firewalls, and incident response.
Contents
- 1. Basics (20 Questions): CIA Triad · malware types · firewalls · encryption · authentication
- 2. Concepts (20 Questions): attack types · network protocols · threat mechanics · pen testing
- 3. Advanced (20 Questions): scenario-based · incident response · compliance · enterprise security
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Introduction to Cybersecurity: Basics
1. What is the primary goal of cybersecurity?
Correct answer: B. To protect systems, networks, and data from digital attacks
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks that aim to access, change, or destroy sensitive information, extort money, or interrupt normal business operations.
2. Which of the following is considered malware?
Correct answer: C. A Trojan horse
A Trojan horse is malware disguised as legitimate software. Firewalls and routers are network security hardware, and OS updates are legitimate software patches.
3. What does the "C" in the CIA Triad stand for?
Correct answer: C. Confidentiality
The CIA Triad stands for Confidentiality (only authorized users can access data), Integrity (data stays accurate and unaltered), and Availability (systems are accessible when needed). These are the three core pillars of information security.
4. What is the primary function of a network firewall?
Correct answer: B. Monitors and controls incoming and outgoing network traffic
A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network.
5. What is phishing?
Correct answer: C. Fraudulent emails or messages that trick users into revealing sensitive information
Phishing is a social engineering attack that uses deceptive emails, messages, or websites impersonating trusted sources to steal credentials, financial data, or install malware. It is the most common form of social engineering attack.
6. What is the "Availability" aspect of the CIA Triad?
Correct answer: C. Authorized users can access systems and data when needed
Availability ensures that information and systems are accessible and functional when needed by authorized users. Denial of Service (DoS) attacks are one of the primary threats to Availability.
7. Which of the following is an example of a strong password?
Correct answer: C. P@55w0rd!Xy7#mN
A strong password is long (12+ characters) and uses a mix of uppercase letters, lowercase letters, numbers, and special characters. It avoids common words, sequences, and personal information.
8. What does "encryption" mean in cybersecurity?
Correct answer: B. Converting readable data into an unreadable coded format to prevent unauthorized access
Encryption converts readable plaintext into unreadable ciphertext using an algorithm and key. Only parties with the correct decryption key can reverse the process. It is the primary method of protecting data confidentiality.
9. What is a computer virus?
Correct answer: B. A self-replicating program that attaches to other programs and spreads
A computer virus is malware that attaches itself to legitimate programs or files and self-replicates when the infected file is executed. Unlike worms, viruses require a host file and user interaction to spread.
10. What is Two-Factor Authentication (2FA)?
Correct answer: B. Requiring two different forms of verification before granting access
2FA requires two independent verification factors: something you know (password/PIN), something you have (phone/hardware token), or something you are (biometric). This reduces account compromise risk by over 99% compared to passwords alone.
11. What is a VPN (Virtual Private Network)?
Correct answer: A. A secure, encrypted connection established over the public internet
A VPN creates an encrypted tunnel between your device and a remote server over the public internet, masking your IP address and protecting your traffic from interception; this is especially critical on public Wi-Fi networks.
12. In cybersecurity, what is the "weakest link" in most organizations?
Correct answer: C. The human users
Humans are consistently identified as the weakest link in cybersecurity. Approximately 82% of data breaches involve a human element: phishing, stolen credentials, or user error. Even the best technical controls can be bypassed through social engineering.
13. What is ransomware?
Correct answer: B. Malware that locks or encrypts files and demands payment for the decryption key
Ransomware encrypts the victim's files and demands a ransom (typically in cryptocurrency) for the decryption key. Notable examples include WannaCry, LockBit, and REvil. Offline backups are the best defense.
14. What does HTTPS provide that HTTP does not?
Correct answer: B. Data encryption between the browser and the server
HTTPS uses TLS/SSL to encrypt data transmitted between the browser and the web server. This protects against eavesdropping and man-in-the-middle attacks. HTTP transmits data in plaintext.
15. What is the primary purpose of antivirus software?
Correct answer: B. To detect, quarantine, and remove malicious software
Antivirus software detects, quarantines, and removes malicious software from computer systems. Modern endpoint security tools use signature-based detection, heuristics, and behavioral analysis to catch known and unknown threats.
16. Which attack involves overwhelming a system with traffic so it becomes unavailable to legitimate users?
Correct answer: B. Denial of Service (DoS)
A Denial of Service (DoS) attack floods a target system or network with traffic to exhaust its resources, making it unavailable to legitimate users. A DDoS attack distributes this flood across multiple compromised systems.
17. What is a "white-hat" hacker?
Correct answer: B. An ethical hacker authorized to find and fix security vulnerabilities
A white-hat hacker (ethical hacker) is a cybersecurity professional authorized by an organization to legally test its systems for vulnerabilities. They report findings to help fix security weaknesses before malicious hackers (black-hats) can exploit them.
18. What is a data breach?
Correct answer: B. An unauthorized access or exposure of sensitive, protected, or confidential data
A data breach is a security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorization, including customer PII, financial records, health data, and intellectual property.
19. Social engineering relies primarily on:
Correct answer: C. Psychological manipulation and human deception
Social engineering exploits human psychology rather than technical vulnerabilities. Attackers manipulate people through trust, fear, or urgency to trick them into revealing information or taking security-compromising actions. No coding skills required.
20. What is the best defense against a ransomware attack?
Correct answer: C. Maintaining offline, up-to-date backups
Offline, up-to-date backups are the most effective defense against ransomware. If encrypted files can be restored from clean backups, there is no need to pay the ransom. Backups must be offline (air-gapped) since ransomware can encrypt connected network drives.
Introduction to Cybersecurity: Concepts
1. How does a Man-in-the-Middle (MitM) attack work?
Correct answer: B. An attacker secretly intercepts and potentially alters communication between two parties
In a MitM attack, the attacker secretly positions themselves between two communicating parties, intercepting and potentially altering their messages. Both parties believe they are communicating directly with each other. Common on unsecured public Wi-Fi.
2. What is the difference between symmetric and asymmetric encryption?
Correct answer: A. Symmetric uses one shared key; asymmetric uses a public and private key pair
Symmetric encryption uses a single shared key for both encryption and decryption (e.g., AES); it is fast but has a key distribution problem. Asymmetric encryption uses a public key to encrypt and a paired private key to decrypt (e.g., RSA); it solves key distribution but is slower.
3. What is a zero-day vulnerability?
Correct answer: B. A software flaw that is known to attackers but has zero available patches from the vendor
A zero-day vulnerability is a software security flaw unknown to the vendor with no available patch. Attackers who discover it can exploit it freely until a fix is issued. Zero-day exploits are highly valuable because there is no existing defense.
4. How does a DDoS attack differ from a DoS attack?
Correct answer: B. DDoS uses multiple compromised systems (a botnet) to flood a target; DoS uses a single source
A DoS (Denial of Service) attack originates from a single source and can often be mitigated by blocking one IP. A DDoS (Distributed DoS) attack uses thousands of compromised machines in a botnet, making it far harder to defend against.
5. What is the principle of "Defense in Depth"?
Correct answer: B. Implementing multiple, overlapping layers of security controls throughout a system
Defense in Depth applies multiple overlapping security layers (firewalls, IDS/IPS, endpoint security, access control, encryption, and monitoring) so that if one control fails, others continue to provide protection. No single point of failure.
6. How does SQL injection work?
Correct answer: B. An attacker inserts malicious SQL code into input fields to manipulate the backend database
SQL injection inserts malicious SQL statements into application input fields that are passed directly to the database. This can bypass authentication, read all database contents, or delete data. Prevention: use parameterized queries (prepared statements).
7. What is the primary role of an Intrusion Detection System (IDS)?
Correct answer: B. To monitor network traffic and alert administrators of suspicious or malicious activity
An IDS passively monitors network traffic and generates alerts when suspicious activity is detected based on signatures or behavioral anomalies. Unlike an IPS, it does not automatically block threats; it only detects and notifies.
8. What is the core difference between hashing and encryption?
Correct answer: B. Hashing is one-way (not reversible); encryption is two-way (reversible with a key)
Hashing is a one-way function that produces a fixed-size digest (e.g., SHA-256). It cannot be reversed. Encryption is two-way: data is scrambled with a key and can be decrypted. Hashing is used for password storage; encryption is used for data confidentiality.
9. What is a botnet?
Correct answer: B. A network of compromised computers remotely controlled by an attacker
A botnet is a collection of internet-connected devices infected with malware and controlled remotely by an attacker (the "bot herder"). Botnets are used to conduct DDoS attacks, send spam, steal data, and mine cryptocurrency, often without the device owners knowing.
10. What is the purpose of penetration testing?
Correct answer: B. To simulate real-world cyberattacks to identify vulnerabilities before malicious actors do
Penetration testing (pen testing) is an authorized, simulated cyberattack performed by ethical hackers to evaluate the security of a system. It identifies exploitable vulnerabilities before real attackers find them, providing actionable remediation guidance.
11. What is Cross-Site Scripting (XSS)?
Correct answer: B. Injecting malicious scripts into trusted web pages viewed by other users
XSS is a web application vulnerability where attackers inject malicious client-side scripts into web pages viewed by other users. It can steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim. Prevention: output encoding, Content Security Policy.
12. What is the difference between an IDS and an IPS?
Correct answer: B. IDS detects and alerts; IPS detects and actively blocks/prevents the threat
An IDS (Intrusion Detection System) monitors traffic and generates alerts; it is passive. An IPS (Intrusion Prevention System) monitors traffic and automatically takes action to block or prevent detected threats; it is inline and active. IPS adds latency; IDS does not.
13. What is the "Principle of Least Privilege"?
Correct answer: B. Giving users only the bare minimum access rights needed to perform their job functions
The Principle of Least Privilege (PoLP) limits user and system access rights to the absolute minimum necessary. This minimizes the attack surface: a compromised account with limited privileges can do far less damage than one with full administrative rights.
14. In risk management, what is a "vulnerability"?
Correct answer: B. A weakness or flaw in a system that can be exploited by a threat
A vulnerability is a weakness in hardware, software, processes, or people that can be exploited by a threat actor. Examples include unpatched software, misconfigured servers, weak passwords, and untrained users. Risk = Threat × Vulnerability × Impact.
15. How is cybersecurity "Risk" generally calculated?
Correct answer: A. Threat × Vulnerability
In cybersecurity risk management, Risk is calculated as Threat × Vulnerability (multiplied by Impact in full models). A threat with no vulnerability to exploit poses no risk, and a vulnerability with no threat actor to exploit it poses minimal risk.
16. What is IP Spoofing?
Correct answer: B. Falsifying the source IP address in a packet header to impersonate a trusted system
IP spoofing involves forging the source IP address in packet headers to make traffic appear to come from a trusted or different source. It is used in DDoS amplification attacks, session hijacking, and bypassing IP-based access controls.
17. What is patch management?
Correct answer: B. The systematic process of acquiring, testing, and installing updates to fix software vulnerabilities
Patch management is the ongoing process of identifying, acquiring, testing, and deploying software updates (patches) to fix security vulnerabilities and bugs. Timely patching is one of the most effective defenses against known exploits.
18. What is the difference between Authentication and Authorization?
Correct answer: A. Authentication verifies who you are; Authorization verifies what you are allowed to do
Authentication verifies the identity of a user or system ("Are you who you claim to be?") using passwords, tokens, or biometrics. Authorization determines what an authenticated user is permitted to access or do. Both are required for complete access control.
19. What is a brute-force attack?
Correct answer: B. Systematically submitting many passwords or passphrases with the hope of eventually guessing correctly
A brute-force attack systematically tries every possible password or key combination until the correct one is found. It is most effective against short or simple passwords. Countermeasures include account lockouts, CAPTCHA, MFA, and strong password policies.
20. What does Data Integrity ensure?
Correct answer: B. That data has not been unauthorizedly altered, modified, or destroyed
Data Integrity (the "I" in the CIA Triad) ensures that data is accurate, complete, and has not been tampered with. It is protected using checksums, hashing, digital signatures, and access controls. Violations include unauthorized modification or corruption.
Introduction to Cybersecurity: Advanced
1. A company discovers an employee has been secretly downloading confidential files to a USB drive for six months. What type of threat is this?
Correct answer: B. Insider Threat
This is a classic Insider Threat: a malicious or negligent actor within the organization with legitimate access. Insider threats bypass perimeter defenses. Mitigation: DLP (Data Loss Prevention), access logging, and least privilege controls.
2. During a security audit, you discover a web application stores user passwords in plaintext. What is the immediate recommended fix?
Correct answer: B. Implement salted hashing (e.g., bcrypt or Argon2) for password storage
Storing passwords in plaintext is a critical weakness: if the database is breached, all credentials are immediately compromised. Base64 is encoding, not encryption, and is trivially reversible. The fix is salted hashing using bcrypt or Argon2, which is computationally expensive and resistant to rainbow table attacks.
3. An organization experiences a ransomware attack. Their backups are 30 days old. What is the standard best-practice incident response strategy?
Correct answer: B. Isolate infected systems, assess the ransomware strain, attempt decryption with available tools, and restore from backups as a last resort
Standard incident response follows: Containment (isolate infected systems), Identification (analyze the strain; check NoMoreRansom.org for free decryptors), Eradication, Recovery (restore from backups), then Lessons Learned. Paying ransom is a last resort and not recommended by law enforcement.
4. A hospital network needs to comply with HIPAA. Which security measure is MOST critical for compliance?
Correct answer: B. Encrypting Protected Health Information (PHI) both at rest and in transit
HIPAA's Security Rule mandates technical safeguards to protect ePHI. Encryption of PHI both at rest and in transit is the most critical control: even if data is intercepted or stolen, it remains unreadable without the decryption key.
5. Your company's SIEM detects 5,000 failed login attempts from 5,000 different IP addresses targeting the CEO's account within 10 minutes. What attack is this?
CorrectB: Distributed Brute Force / Credential Stuffing
This pattern (many failed logins from many different IPs) is characteristic of Distributed Brute Force or Credential Stuffing (trying leaked username/password pairs at scale). Distributed attacks bypass simple per-IP rate limiting. Mitigation: MFA, account lockout, CAPTCHA, and anomaly-based detection.
6. What is the primary enterprise security concern with employees using public Wi-Fi for business operations?
CorrectB: The high risk of Man-in-the-Middle attacks intercepting unencrypted traffic and session cookies
Public Wi-Fi is inherently untrusted. Attackers on the same network can execute MitM attacks, intercept unencrypted HTTP traffic, steal session cookies, and run evil-twin AP attacks. Policy fix: require VPN on all untrusted networks; always use HTTPS.
7. An organization wants to implement a Zero Trust Architecture. What is the fundamental principle they must adopt?
CorrectB: "Never trust, always verify": authenticate and authorize every single access request regardless of the user's location
Zero Trust Architecture (ZTA), defined in NIST SP 800-207, eliminates implicit trust based on network location. Every access request, whether from inside or outside the network, must be authenticated, authorized, and continuously validated. It assumes breach has already occurred.
8. A developer accidentally pushes a production AWS API key to a public GitHub repository. What should be done IMMEDIATELY?
CorrectB: Revoke and rotate the API key immediately in AWS, and scan the cloud environment for unauthorized usage
Once a secret is publicly exposed, even for seconds, it must be treated as fully compromised. Automated bots continuously scan GitHub for exposed credentials. Immediately revoke and rotate the key in AWS, then audit CloudTrail logs for unauthorized API calls. Making the repo private does not undo the exposure.
9. An employee clicks a phishing link that bypassed email filters and reports it to IT within 2 minutes. What is the correct initial response?
CorrectB: Isolate the employee's device from the network, reset their credentials, and analyze the phishing URL
Malware can execute within milliseconds of a link click, so two minutes is more than enough time for a dropper to install. Immediate response: network-isolate the device (stop lateral movement), reset credentials, analyze the phishing URL for IOCs, and perform endpoint forensics.
10. What is the most effective defense strategy against Advanced Persistent Threats (APTs)?
CorrectB: A combination of network segmentation, behavioral analysis, proactive threat hunting, and continuous monitoring
APTs are sophisticated, long-term targeted campaigns by well-resourced actors (often nation-states). Defense requires: network segmentation (limit lateral movement), behavioral analytics (detect anomalies), proactive threat hunting, 24/7 SOC monitoring, and rapid incident response. No single tool stops them.
11. During a vulnerability scan, you find an internal server running an unpatched version of Apache from 2010. What is the risk level and appropriate action?
CorrectB: Critical risk; isolate the server and update immediately after testing in a staging environment, as unpatched legacy servers have known exploitable CVEs
An unpatched Apache server from 2010 has over a decade of publicly known CVEs with published exploits. Internal network location provides no meaningful protection: lateral movement from any internal compromise can reach it immediately. Critical risk; patch after staging validation.
12. What does Perfect Forward Secrecy (PFS) achieve in cryptographic communications?
CorrectB: It ensures that if a long-term private key is compromised in the future, past recorded session keys cannot be decrypted
PFS uses ephemeral session keys (via Diffie-Hellman key exchange) that are discarded after each session. Even if an attacker later compromises the server's long-term private key, they cannot decrypt previously recorded encrypted sessions. TLS 1.3 mandates PFS.
13. What is a "Logic Bomb"?
CorrectB: Malicious code intentionally inserted into software that executes only when specific conditions or dates are met
A Logic Bomb is malicious code hidden within legitimate software that remains dormant until a specific trigger, such as a date, user login, or file deletion, is met. It is often planted by disgruntled insiders. Detection requires code review and integrity monitoring.
14. What is the primary function of a Web Application Firewall (WAF)?
CorrectB: To inspect and filter Layer 7 (Application) traffic, protecting web apps from exploits like XSS and SQL injection
A WAF operates at OSI Layer 7 (Application layer) to inspect HTTP/HTTPS traffic and block malicious requests targeting web applications, including SQL injection, XSS, CSRF, and other OWASP Top 10 vulnerabilities. Unlike network firewalls, it understands application-layer context.
15. What is Steganography?
CorrectB: The practice of hiding a secret message, file, or payload within an ordinary, non-secret file or image
Steganography conceals the existence of a message by embedding it within an innocuous carrier file (image, audio, video, or text). Unlike encryption (which makes data unreadable), steganography hides the fact that a secret message exists at all; it is used in covert communication and in malware C2 channels.
16. In the context of an Intrusion Detection System (IDS), what is a "False Positive"?
CorrectC: The IDS alerts on normal, benign network traffic, mistaking it for an attack
A False Positive occurs when an IDS generates an alert for legitimate, benign activity that it incorrectly identifies as malicious. High false positive rates cause "alert fatigue," leading analysts to ignore alerts and miss real threats. Tuning IDS rules to reduce false positives is a critical SOC task.
17. What is the purpose of network micro-segmentation?
CorrectB: To strictly limit "east-west" lateral movement within a network, ensuring a breach in one segment cannot spread to others
Micro-segmentation divides a network into small, isolated zones with fine-grained security policies controlling traffic between them. It limits an attacker's ability to move laterally ("east-west") after breaching one system. It is a core component of Zero Trust Architecture.
18. BGP Route Origin Validation (ROV) is primarily implemented to protect the internet against which threat?
CorrectB: BGP Hijacking (maliciously rerouting internet traffic)
BGP Hijacking occurs when a malicious actor announces ownership of IP prefixes they do not control, rerouting internet traffic through their infrastructure. BGP Route Origin Validation using RPKI (Resource Public Key Infrastructure) cryptographically verifies that BGP route announcements are authorized by the legitimate IP address holder.
19. What is the primary benefit of incorporating SOAR (Security Orchestration, Automation, and Response) into a SOC?
CorrectB: It automates repetitive triage tasks and response workflows, reducing "alert fatigue" and speeding up incident mitigation
SOAR platforms automate repetitive security tasks (log enrichment, threat correlation, ticket creation) and coordinate response playbooks across multiple security tools. This reduces Mean Time to Respond (MTTR), cuts alert fatigue, and allows human analysts to focus on complex threats requiring judgment.
20. What is "Crypto-shredding"?
CorrectB: The act of deliberately deleting the cryptographic keys used to encrypt a dataset, rendering the data permanently unrecoverable
Crypto-shredding (cryptographic erasure) makes data permanently inaccessible by deleting its encryption keys rather than overwriting every data block. It is widely used in cloud environments and for GDPR/CCPA compliance when full data deletion is technically impractical (e.g., SSDs, cloud storage).
Conclusion: Master Cybersecurity MCQs
These 60 MCQs provide comprehensive practice across cybersecurity fundamentals, threat identification, vulnerability assessment, and incident response. By completing these questions, you'll strengthen your understanding of the CIA Triad, malware types, cryptography, network security, and enterprise defense strategies.
The best way to ensure retention is combining MCQ practice + theory review + interview preparation. Use these questions in Study Mode to learn concepts immediately, then test yourself in Exam Mode for certification and interview readiness.
After completing this MCQ set, explore our 50 cybersecurity interview questions for deeper technical discussions, and review the full theory notes for detailed explanations of each concept covered here.
Key Takeaways: Introduction to Cybersecurity
- The CIA Triad (Confidentiality, Integrity, Availability) forms the foundation of all security principles.
- 82% of data breaches involve human error; security awareness training is not optional.
- Defense in Depth uses multiple layers of security controls; no single layer is enough.
- Zero-day vulnerabilities are unknown to vendors and have no patch, making proactive detection essential.
- Zero Trust Architecture operates on "never trust, always verify": verify every access request.
- Incident response follows: Containment → Identification → Eradication → Recovery → Lessons Learned.
- Post-quantum cryptography is becoming critical as quantum computers threaten current encryption methods.
- Compliance frameworks like GDPR and HIPAA mandate specific security controls for data protection.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| Concept | What It Means | Real-World Example |
|---|---|---|
| Confidentiality | Only authorised users can read the data | Encrypted patient records in a hospital |
| Integrity | Data remains accurate and unaltered | Checksums on software downloads |
| Availability | Systems are accessible when needed | 99.99% SLA for a banking API |
| Phishing | Social engineering via fake messages | Email pretending to be your bank |
| Ransomware | Malware that encrypts files for payment | WannaCry (2017) NHS attack |
| Zero-Day | Unpatched vulnerability unknown to vendor | Stuxnet exploiting Windows zero-days |
| MFA | Two or more authentication factors required | Password + OTP on Gmail |
| Defense in Depth | Multiple layered security controls | Firewall + IDS + endpoint antivirus |
| Zero Trust | Never trust, always verify every request | Google BeyondCorp (no VPN needed) |
| Supply Chain Attack | Compromising a trusted third party | SolarWinds Orion breach (2020) |