VPN CISA Exam Notes, 18 Practice Questions

✔ C (Correct): A VPN authenticates and encrypts the tunnel — it does not inspect content for malware. An infected endpoint therefore has a trusted, encrypted path into the corporate environment, bypassing perimeter controls.

✘ A (Wrong): Encryption protects traffic from external interception; it does not contain malware. The malware travels inside the encrypted tunnel.

✘ B (Wrong): VPN gateways do not typically perform endpoint malware detection, and encrypted traffic may not be inspected without additional SSL decryption infrastructure.

✘ D (Wrong): Standard VPN implementations do not perform application-layer content filtering — that function belongs to NGFWs or inline DLP tools.

✔ C (Correct): Effective audit evidence requires examining operating controls — policy, actual configuration, who has access, encryption standards in use, and whether activity is monitored and reviewed.

✘ A (Wrong): Vendor certification confirms the product’s capability, not the organisation’s implementation. A certified product can still be poorly configured.

✘ B (Wrong): Interviews provide contextual understanding but are not sufficient audit evidence alone — the auditor must independently verify actual configurations.

✘ D (Wrong): Design document compliance confirms intent, not operational reality. Configuration drift, access creep, and monitoring failures are invisible in project documentation.

✔ C (Correct): MFA controls who connects (authentication); it does not control where they go after connecting. Network segmentation and scoped access enforce least privilege post-authentication, addressing the remaining risk.

✘ A (Wrong): Training addresses user behaviour but does not technically restrict network access after authentication.

✘ B (Wrong): Stronger MFA improves identity assurance but does not limit lateral movement across network segments once authenticated.

✘ D (Wrong): Real-time monitoring is a valuable detective control but does not prevent unauthorised lateral access — it only identifies it after the fact.

✔ B (Correct): PPTP’s authentication mechanism (MS-CHAPv2) is cryptographically broken. Its continued use represents a fundamental security weakness regardless of operational convenience — the auditor’s primary concern must be security adequacy.

✘ A (Wrong): Scalability is an operational concern, not a security finding — it does not inform the auditor’s primary risk assessment.

✘ C (Wrong): Firewall compatibility is a technical implementation issue; PPTP can typically be configured to work with firewalls.

✘ D (Wrong): PPTP does generate logs; and even if logging were limited, the cryptographic vulnerability is the primary concern.

✔ C (Correct): Encryption secures the transmission channel but does not address authentication strength, endpoint compromise, excessive access rights, or the ability to detect misuse after connection. A layered control approach is required.

✘ A (Wrong): Meeting NIST standards confirms encryption adequacy — it does not mean encryption is the only control needed. This response partially validates management’s flawed reasoning.

✘ B (Wrong): Compression is a performance feature, not a security control — irrelevant to the concern raised.

✘ D (Wrong): This is dangerous reasoning. Logging is essential for detecting misuse by authorised users; encryption does not eliminate insider threats.

✔ B (Correct): In an extranet VPN shared by multiple suppliers, the greatest governance risk is that one supplier can potentially reach systems or data belonging to the enterprise or another supplier. Scoping each supplier’s access to only what their business function requires, segmenting their network reach, and ensuring each party maintains control over their own environment enforces least privilege, preserves accountability, and limits the blast radius if any single supplier is compromised. This is the CISA-preferred approach because it addresses the structural access risk technically, not just contractually.

✘ A (Wrong): Requiring suppliers to accept the enterprise’s security policy is a necessary contractual step but provides no technical enforcement. A supplier can formally agree to the policy and still retain excessive network access. Policy acceptance addresses legal accountability after a breach — it does not prevent one from occurring. Controls must be built into the architecture, not just documented in agreements.

✘ C (Wrong): Consolidating all supplier accounts under a single administrative profile achieves the opposite of sound governance. It eliminates the ability to distinguish individual supplier activity, makes it impossible to isolate or revoke one supplier’s access without affecting others, and creates a single point of compromise that exposes the entire supplier community simultaneously. Simplifying monitoring at the cost of accountability is never acceptable from a CISA perspective.

✘ D (Wrong): Requiring enterprise-issued devices addresses endpoint compliance — ensuring the connecting device meets security standards. However, a fully compliant device with overly broad network access still represents a significant risk. Device compliance and network access governance are separate control dimensions; solving one does not compensate for gaps in the other.

✔ C (Correct): Disabling split tunneling ensures that all traffic generated by a remote employee — whether destined for internal corporate systems or external Internet sites — is routed through the organisation’s security infrastructure. This allows firewalls, web filters, DLP tools, and monitoring systems to inspect everything, eliminating the blind spot created when Internet traffic bypasses corporate controls entirely.

✘ A (Wrong): Enabling split tunneling only for high-risk user groups inverts the control logic — split tunneling should be restricted, not selectively enabled. Additionally, defining and maintaining a “high-risk user” classification is subjective and operationally difficult to enforce consistently. Internet traffic for all other users would still bypass corporate monitoring.

✘ B (Wrong): DNS filtering intercepts domain name resolution requests and can block known malicious or unauthorised domains. However, it does not inspect the full content of Internet traffic, can be bypassed by applications that use hardcoded IP addresses or encrypted DNS, and does not provide the same visibility as routing all traffic through corporate security controls. It is a useful supplementary layer, not a substitute for disabling split tunneling.

✘ D (Wrong): A cloud-based web proxy can inspect and filter Internet-bound traffic for users who need web access, but it is an additional compensating control that works around split tunneling rather than eliminating it. It also introduces dependency on a third-party service and may not cover all traffic types beyond standard web browsing. The more direct and complete solution is to disable split tunneling at the VPN configuration level.

✔ A (Correct): Terminated employees appearing on the VPN access list indicates a broken deprovisioning process, not merely a one-time oversight. The correct response addresses both the immediate risk — disabling the affected accounts — and the root cause — establishing a formal joiner-mover-leaver process triggered automatically by HR events such as termination. Fixing the process prevents recurrence; disabling accounts alone does not.

✘ B (Wrong): Resetting passwords for all active VPN accounts is an overreaction that disrupts legitimate users without solving the actual problem. Terminated employees would still retain active accounts — just with reset passwords they may not yet know. This addresses neither the access risk for terminated users nor the deprovisioning process gap.

✘ C (Wrong): Requiring periodic re-authentication may eventually cause terminated accounts to lapse, but it is entirely passive and unreliable as a control. It depends on the terminated employee failing to authenticate rather than on formal revocation. Accounts could remain active and exploitable for up to 30 days between cycles.

✘ D (Wrong): Enabling MFA strengthens authentication for legitimate users but does not remove or restrict terminated employee accounts. A terminated employee who still has valid credentials and access to their MFA device would pass MFA successfully — the account remains a live risk regardless of authentication strength.

✔ A (Correct): When VPN logs are generated but not reviewed, the organisation loses its ability to detect a broad range of suspicious behaviour — unauthorised logins, unusual access times, abnormal data volumes, or compromised accounts. Log review is the detective control that makes log generation meaningful; without it, the entire monitoring function fails.

✘ B (Wrong): Compliance demonstration is a consequence of poor log management, but it is an indirect and secondary risk. The more immediate and direct risk is that active threats go undetected — compliance failure would only surface during an audit, long after the security gap has existed.

✘ C (Wrong): VPN gateways can block certain unauthorised attempts such as failed authentications, but they cannot detect compromised valid credentials, abnormal session behaviour, or policy violations by authenticated users. Log review remains essential precisely because not all threats trigger automatic blocking.

✘ D (Wrong): Identifying access pattern violations that breach least privilege requires access review processes and entitlement reporting — not log review. VPN connection logs primarily record session activity, timestamps, and source IPs, not granular access-level authorisation decisions.

✔ C (Correct): IKEv2/IPSec supports MOBIKE, allowing VPN sessions to persist and reconnect seamlessly when a device changes networks — ideal for mobile users.

✘ A (Wrong): PPTP has known cryptographic weaknesses and lacks mobility-handling capabilities.

✘ B (Wrong): L2TP without IPSec provides no encryption and is unsuitable for any secure remote access.

✘ D (Wrong): SSL VPN can support mobile users, but TLS 1.0 is deprecated with known vulnerabilities, making it a risky and inferior choice.

✔ C (Correct): Granting full internal network access to external suppliers violates least privilege. Extranet VPN access must be scoped to only what the business function requires.

✘ A (Wrong): Encryption strength is a valid concern but excessive access scope is the more fundamental structural audit finding.

✘ B (Wrong): Credential sharing is a real risk but is operational/policy — the structural problem is that even authorised suppliers have too much access.

✘ D (Wrong): Monitoring is important but is detective. The greater concern is the preventive gap: access should not extend this broadly in the first place.

✔ B (Correct): MFA directly addresses single-factor authentication weakness by requiring a second verification factor even if credentials are stolen or guessed.

✘ A (Wrong): Certificate-based device authentication addresses device identity, not the user authentication weakness identified in the scenario.

✘ C (Wrong): Shorter session timeouts reduce idle session risk but do not prevent unauthorized login with stolen credentials.

✘ D (Wrong): Restricting to corporate devices reduces endpoint risk but does not strengthen the authentication mechanism itself.

✔ C (Correct): PPTP uses MS-CHAPv2 authentication, which is cryptographically broken and has well-documented security weaknesses.

✘ A (Wrong): IPSec with IKEv2 is robust and widely recommended for enterprise and mobile VPN.

✘ B (Wrong): OpenVPN uses TLS-based encryption and is considered strong when properly configured.

✘ D (Wrong): L2TP without IPSec is insecure, but L2TP/IPSec is considered acceptably secure — the pairing matters.

✔ B (Correct): Unmanaged devices may be unpatched or infected. The VPN creates a trusted, encrypted tunnel — if the endpoint is compromised, malware can travel directly into the corporate network.

✘ A (Wrong): Local data storage is a valid concern but secondary to active network compromise via VPN.

✘ C (Wrong): Password compliance is an access risk, but an unmanaged device bypasses all endpoint policy enforcement entirely.

✘ D (Wrong): Split tunneling is a real concern but is a configuration consequence, not the greatest inherent risk of the unmanaged device.

✔ B (Correct): An extranet VPN is specifically designed to provide limited, controlled access between business partners while maintaining access boundaries.

✘ A (Wrong): Intranet VPN connects internal organisational sites — no external parties involved.

✘ C (Wrong): Remote access VPN serves individual users such as remote employees.

✘ D (Wrong): Full-routing site-to-site VPN grants broad internal access, violating least privilege for partner connections.

✔ C (Correct): An intranet (site-to-site) VPN connects multiple locations within the same organisation — exactly the scenario described.

✘ A (Wrong): Remote access VPN connects individual users, not entire office sites.

✘ B (Wrong): Extranet VPN connects the organisation to external business partners.

✘ D (Wrong): SSL VPN is typically used for individual user remote access, not fixed site-to-site connectivity.

✔ C (Correct): VPNs protect data by encrypting traffic and encapsulating it within a tunnel — these are the two core mechanisms of VPN operation.

✘ A (Wrong): Hashing and digital identification are cryptographic techniques used for data integrity and identity verification, not for creating or securing a communication tunnel.

✘ B (Wrong): Digital identification alone addresses who is communicating, but does not protect the data in transit — it describes identity, not the transmission security mechanism.

✘ D (Wrong): ACLs and segmentation are network access controls that restrict traffic flow, but they do not describe how a VPN tunnel is constructed or how data is protected within it.

✔ A (Correct): A VPN provides secure communication over a public network through encryption and tunneling — this is its core, defining purpose.

✘ B (Wrong): Preventing unauthorised users from accessing the LAN perimeter is the function of a firewall, not a VPN. A VPN secures the communication channel; it does not act as a perimeter access control mechanism.

✘ C (Wrong): Enforcing access control policies for internal users is the responsibility of IAM systems and network access controls. A VPN establishes a secure tunnel but does not define or enforce what resources users are permitted to access.

✘ D (Wrong): Monitoring and logging network traffic for compliance is the function of SIEM tools, network monitoring solutions, or logging infrastructure. A VPN encrypts traffic in transit — it does not provide visibility or audit trail generation as its primary purpose.