ISC2 · Free Practice Questions · Last reviewed May 2026
42 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
Security Operations and Administration

1. A security analyst receives an alert that a user account has been locked out multiple times within 10 minutes. The analyst checks the account and finds it is a service account used for automated backups. What is the most likely cause?
   A. The service account's certificate has expired.
   B. A brute force attack is targeting the service account.
   C. The account password has expired and needs to be reset.
   D. The service is using cached credentials that are out of sync with the domain controller.
   Answer: D. Service accounts often cache credentials; if the password changes or becomes out of sync, repeated lockouts occur.

2. A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?
   A. Extend manager on-call hours to cover all times.
   B. Implement a break-glass procedure for emergency access.
   C. Remove the approval requirement for privileged access.
   D. Require analysts to call a manager for approval each time.
   Answer: B. Break-glass allows temporary privileged access with post-event review, balancing security and availability.

3. A security administrator is tasked with ensuring that only authorized software can run on company workstations. Which security control should be implemented?
   A. Antivirus software
   B. Patch management
   C. Host-based firewall
   D. Application whitelisting
   Answer: D. Whitelisting ensures only approved software can run, directly meeting the requirement.

4. An organization's security policy requires that all data at rest be encrypted. A database administrator objects, stating that encryption will degrade performance. What is the best response?
   A. Remove the encryption requirement for databases.
   B. Encrypt only the backup files, not the live database.
   C. Use column-level encryption on sensitive columns only.
   D. Implement transparent data encryption (TDE) to minimize performance impact.
   Answer: D. TDE encrypts the entire database transparently with low overhead.

5. During a security audit, it is discovered that several employees have access to shared network drives containing sensitive HR data. The HR manager states that these employees no longer need access. What is the most efficient way to revoke access?
   A. Remove the users from the security group that grants access to the drives.
   B. Delete the user accounts of the affected employees.
   C. Reconfigure the shared drive to deny access to all users except HR.
   D. Manually remove each user's permissions on the shared drive.
   Answer: A. Group-based management allows efficient revocation by modifying group membership.

6. A company wants to ensure that employees use strong passwords. Which policy is most effective?
   A. Prohibit password reuse for the last 10 passwords.
   B. Require password changes every 30 days.
   C. Require a minimum password length of 12 characters.
   D. Require a mix of uppercase, lowercase, numbers, and symbols.
   Answer: C. Length is the most important factor for password strength.
Risk Identification, Monitoring and Analysis

7. A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-IP blocking. This activity is part of which risk management process?
   A. Risk identification
   B. Risk assessment
   C. Risk reporting
   D. Risk monitoring
   Answer: D. Adjusting controls based on observed events is a core risk monitoring activity.

8. During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?
   A. Remediate by applying vendor patches
   B. Implement compensating controls such as network segmentation and strict access control
   C. Retire and replace all devices immediately
   D. Transfer the risk by purchasing cyber insurance
   Answer: B. Compensating controls mitigate the risk without changing the device itself.

9. A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?
   A. Technical vulnerability indicator
   B. User behavior risk indicator
   C. Error log indicator
   D. Configuration drift indicator
   Answer: B. The unusual access pattern is a behavioral indicator of potential insider threat or compromise.

10. An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?
   A. Run a vulnerability scan on the CRM
   B. Execute a business impact analysis (BIA)
   C. Perform a threat modeling exercise such as STRIDE
   D. Conduct a qualitative risk assessment using a generic framework
   Answer: C. Threat modeling is tailored to the system's architecture and identifies relevant threats.

11. After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?
   A. Lessons learned report
   B. Incident response plan
   C. Risk register
   D. Business impact analysis (BIA)
   Answer: A. A lessons learned report captures post-incident details and improvements.

12. A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?
   A. $1,000,000
   B. $800,000
   C. $2,000,000
   D. $2,500,000
   Answer: A. Correct calculation: SLE = $5M × 0.4 = $2M; ALE = $2M × 0.5 = $1M.
Incident Response and Recovery

13. A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?
   A. Run a full antivirus scan on the server.
   B. Isolate the server from the network.
   C. Immediately shut down the server.
   D. Disconnect the entire network segment.
   Answer: B. Containment stops the threat from causing further damage.

14. During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?
   A. Process hollowing
   B. Reflective DLL injection
   C. Token stealing
   D. DLL injection
   Answer: D. DLL injection loads a malicious DLL into a target process.

15. A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?
   A. Turn off the system immediately
   B. Copy files to a network share
   C. Run a checksum on the live system
   D. Create a forensic image with write blocker and hash
   Answer: D. Forensic imaging with hashing ensures original data is unchanged.

16. After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?
   A. Disconnect the infected systems from the network.
   B. Verify the integrity and cleanliness of the backup.
   C. Contact law enforcement.
   D. Restore all files from the most recent backup.
   Answer: B. Ensuring the backup is clean prevents re-infection.

17. During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?
   A. Session hijacking
   B. MFA fatigue attack
   C. Man-in-the-middle (MITM) attack
   D. Token theft from the endpoint
   Answer: B. The attacker spams MFA requests until the user approves.

18. A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?
   A. Password spraying
   B. Brute force attack
   C. Credential stuffing
   D. Social engineering
   Answer: B. Multiple attempts from a single source indicate brute force.
Network and Communications Security

19. A security analyst notices unusual outbound traffic from a server in the DMZ to an external IP address on port 4444. The server runs a web application. Which action should the analyst take first?
   A. Disconnect the server from the network.
   B. Reboot the server to clear any malware.
   C. Check the server's running processes and established connections.
   D. Block the outbound traffic at the firewall.
   Answer: C. This provides immediate visibility into potential compromise without destroying evidence.

20. A network engineer is designing a secure WAN link between two offices using IPsec VPN. The company requires encryption of all traffic, authentication of both endpoints, and protection against replay attacks. Which combination of IPsec protocols and modes should be used?
   A. AH in tunnel mode
   B. AH in transport mode
   C. ESP in tunnel mode
   D. ESP in transport mode
   Answer: C. ESP in tunnel mode encrypts and authenticates the entire packet, suitable for site-to-site VPNs.

21. An organization wants to prevent unauthorized devices from connecting to its wired network. Which security control should be implemented?
   A. Port security with sticky MAC
   B. MAC address filtering
   C. VLAN segmentation
   D. IEEE 802.1X port-based authentication
   Answer: D. 802.1X authenticates devices at the port level before allowing network access.

22. A company's internal network uses a /24 subnet and has a single firewall connecting to the internet. Employees report that they cannot access an external web server at 203.0.113.50. The firewall has a rule that allows outbound HTTP. What is the most likely cause?
   A. The default gateway on the internal hosts is incorrect.
   B. NAT is not configured for outbound traffic.
   C. DNS resolution is failing for the server name.
   D. An ACL is blocking the destination IP.
   Answer: B. Internal private IPs must be translated to a public IP for internet access.

23. A security administrator is configuring a wireless network for a branch office. The office has legacy devices that only support WPA2-PSK. The administrator wants to provide the highest level of security while maintaining compatibility. Which configuration should be used?
   A. WPA2-Enterprise with RADIUS
   B. WPA2-PSK with AES (CCMP)
   C. WPA3-SAE only
   D. WPA2-PSK with TKIP
   Answer: B. AES is the strongest encryption available for WPA2 and is supported by most devices.

24. A network technician needs to ensure that only authorized DHCP servers can assign IP addresses on the network. Which switch feature should be enabled?
   A. DHCP snooping
   B. Dynamic ARP Inspection
   C. Port security
   D. BPDU guard
   Answer: A. DHCP snooping blocks unauthorized DHCP server responses.
Systems and Application Security

25. A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?
   A. Disable the legacy module until a full rewrite is completed.
   B. Rewrite the legacy module to use parameterized queries.
   C. Deploy a web application firewall (WAF) to block SQL injection patterns.
   D. Implement input validation to reject special characters.
   Answer: B. Parameterized queries prevent SQL injection by separating code from data.

26. An organization is implementing a jump server architecture for managing critical servers. Which additional control BEST reduces the risk of lateral movement if the jump server is compromised?
   A. Enable verbose logging on all target servers.
   B. Require multi-factor authentication for all jump server logins.
   C. Implement SSH key-based authentication with agent forwarding restricted to specific target hosts.
   D. Use a separate VLAN for management traffic.
   Answer: C. This restricts which hosts can be accessed from the jump server, reducing lateral movement.

27. A company is deploying a new mobile application that handles sensitive customer data. Which practice BEST ensures data confidentiality on the device?
   A. Require a strong screen lock passcode.
   B. Disable cloud backups for the app.
   C. Encrypt all sensitive data stored on the device using a key derived from the user's passcode.
   D. Use app sandboxing to isolate app data from other apps.
   Answer: C. Encryption at rest ensures data is unreadable without the key.

28. During a penetration test, an attacker was able to bypass input validation and execute commands on a web server. The server runs a PHP application. Which of the following is the MOST likely root cause?
   A. The application uses unsanitized input in SQL queries.
   B. The application reflects user input in HTTP responses without escaping.
   C. The application passes user input to a shell command via exec() or system() functions.
   D. The application uses hidden form fields to store session tokens.
   Answer: C. Command injection allows arbitrary command execution on the server.

29. A system administrator needs to ensure that a Linux server is hardened against common attacks. Which configuration change is MOST effective in preventing privilege escalation via SUID binaries?
   A. Enable auditd to log all SUID executions.
   B. Set the umask to 077 for all users.
   C. Mount the /tmp and /var partitions with the 'nosuid' option.
   D. Remove all SUID binaries from the system.
   Answer: C. This prevents execution of SUID binaries on those partitions.

30. A company is migrating its on-premises applications to a public cloud. Which security control is MOST important to implement to protect data in transit?
   A. Enable server-side encryption for cloud storage.
   B. Implement data classification labels.
   C. Use IPsec VPNs for all cloud connections.
   D. Ensure all data transmissions use TLS 1.2 or higher.
   Answer: D. TLS encrypts data in transit and is widely supported.
Access Controls

31. A system administrator needs to implement a control that ensures users can only access files necessary for their job functions. Which principle is being applied?
   A. Need-to-know
   B. Separation of duties
   C. Job rotation
   D. Least privilege
   Answer: D. Least privilege ensures users have only the permissions necessary to perform their job.

32. An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?
   A. Attribute-Based Access Control (ABAC)
   B. Mandatory Access Control (MAC)
   C. Role-Based Access Control (RBAC)
   D. Discretionary Access Control (DAC)
   Answer: D. DAC allows data owners to grant access to others at their discretion.

33. During a security audit, it is discovered that a developer has direct access to production databases. The policy requires that changes be reviewed and deployed by a separate team. Which control is being violated?
   A. Need-to-know
   B. Job rotation
   C. Least privilege
   D. Separation of duties
   Answer: D. The developer should not have direct production access; changes should go through a separate deployment team.

34. An administrator notices that a terminated employee's account is still active. Which access control process was likely skipped?
   A. Authorization
   B. Authentication
   C. Provisioning
   D. Accounting
   Answer: C. Provisioning includes creating and disabling accounts; the termination process should have disabled the account.

35. A company uses an identity management system that requires users to authenticate using a smart card and a PIN. This is an example of:
   A. Single sign-on (SSO)
   B. Biometric authentication
   C. Two-factor authentication
   D. Multi-factor authentication
   Answer: C. Smart card (possession) and PIN (knowledge) constitute two-factor authentication.

36. An organization is implementing an access control system where access decisions are based on the sensitivity of the resource and the clearance of the user. Which model is being used?
   A. Discretionary Access Control (DAC)
   B. Attribute-Based Access Control (ABAC)
   C. Role-Based Access Control (RBAC)
   D. Mandatory Access Control (MAC)
   Answer: D. MAC uses security labels to enforce access based on classification and clearance.
Cryptography

37. A company wants to ensure that data transmitted between its two branch offices remains confidential. Which cryptographic goal is primarily being addressed?
   A. Availability
   B. Non-repudiation
   C. Integrity
   D. Confidentiality
   Answer: D. Confidentiality is the goal of keeping data secret, achieved via encryption.

38. A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?
   A. RSA
   B. Diffie-Hellman
   C. AES
   D. SHA-256
   Answer: C. AES is symmetric, fast, and suitable for link-layer encryption.

39. A system administrator notices that a server's certificate was issued by a CA that is not in the trusted root store of client machines. What is the most likely impact on clients connecting via TLS?
   A. Clients will receive a certificate warning or be unable to connect.
   B. The server will automatically obtain a new certificate.
   C. Clients will connect but with reduced cipher strength.
   D. Clients will be able to connect without any warning.
   Answer: A. An untrusted CA causes a trust error, resulting in a warning or failure.

40. When implementing a digital signature, which key is used to create the signature?
   A. Receiver's private key
   B. Sender's private key
   C. Sender's public key
   D. Receiver's public key
   Answer: B. The sender's private key is used to sign documents.

41. A company's policy requires that all data at rest be encrypted. Which of the following is the most effective method to encrypt files on a laptop?
   A. Encrypt only the user's home folder.
   B. Encrypt individual files using a symmetric key.
   C. Implement full disk encryption (FDE).
   D. Use a self-extracting encrypted archive.
   Answer: C. FDE provides blanket encryption for the entire drive.

42. Which TWO of the following are symmetric encryption algorithms? (Select exactly two.)
   A. DES
   B. AES
   C. RSA
   D. ECC
   E. SHA-256
   Answer: A and B. DES is a symmetric cipher, and AES is a symmetric cipher.
About the exam

The SSCP exam has 125 questions and must be completed in 180 minutes. The passing score is 700/1000.
Multiple-choice questions on access controls, security operations, risk, cryptography, network security, and incident response.
The exam covers 7 domains: Security Operations and Administration, Risk Identification, Monitoring and Analysis, Incident Response and Recovery, Network and Communications Security, Systems and Application Security, Access Controls, Cryptography. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official ISC2 SSCP exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.