© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
ISC2 · Free Practice Questions · Last reviewed May 2026

SSCP Exam Questions and Answers

42 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

125 exam questions
180 min time limit
Pass: 700/1000
7 exam domains
Exam domains:
1. Security Operations and Administration
2. Risk Identification, Monitoring and Analysis
3. Incident Response and Recovery
4. Network and Communications Security
5. Systems and Application Security
6. Access Controls
7. Cryptography

Domain 1: Security Operations and Administration
Q1 (medium)

A security analyst receives an alert that a user account has been locked out multiple times within 10 minutes. The analyst checks the account and finds it is a service account used for automated backups. What is the most likely cause?

A

The service account's certificate has expired.

B

A brute force attack is targeting the service account.

C

The account password has expired and needs to be reset.

D

The service is using cached credentials that are out of sync with the domain controller.

Service accounts often cache credentials; if the password changes or becomes out of sync, repeated lockouts occur.

Why: Service accounts used for automated backups typically run as services that cache their credentials locally. When the password is changed on the domain controller, the cached credentials in the service's logon session become out of sync. The service repeatedly attempts to authenticate with the stale cached password, causing rapid lockout events within a short window.
Q2 (hard)

A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?

A

Extend manager on-call hours to cover all times.

B

Implement a break-glass procedure for emergency access.

Break-glass allows temporary privileged access with post-event review, balancing security and availability.

C

Remove the approval requirement for privileged access.

D

Require analysts to call a manager for approval each time.

Why: Option B is correct because a break-glass procedure provides a predefined, auditable method for granting emergency privileged access without requiring real-time manager approval. This balances security with operational continuity, allowing analysts to perform critical changes outside business hours while maintaining accountability through post-event review and logging.
Q3 (easy)

A security administrator is tasked with ensuring that only authorized software can run on company workstations. Which security control should be implemented?

A

Antivirus software

B

Patch management

C

Host-based firewall

D

Application whitelisting

Whitelisting ensures only approved software can run, directly meeting the requirement.

Why: Application whitelisting is the correct control because it explicitly defines a list of approved software that is allowed to execute on workstations. This prevents unauthorized or malicious software from running, even if it bypasses other defenses, by enforcing a default-deny policy at the operating system level (e.g., via Windows AppLocker or Software Restriction Policies). Unlike antivirus, which relies on signatures to detect known threats, whitelisting blocks unknown or unapproved executables by default.
Q4 (medium)

An organization's security policy requires that all data at rest be encrypted. A database administrator objects, stating that encryption will degrade performance. What is the best response?

A

Remove the encryption requirement for databases.

B

Encrypt only the backup files, not the live database.

C

Use column-level encryption on sensitive columns only.

D

Implement transparent data encryption (TDE) to minimize performance impact.

TDE encrypts the entire database transparently with low overhead.

Why: Transparent Data Encryption (TDE) encrypts data at rest at the storage layer, automatically encrypting data before it is written to disk and decrypting it when read into memory. This minimizes performance impact because encryption/decryption occurs outside the application logic and does not require schema changes, making it the best response to the DBA's concern while still meeting the policy requirement.
Q5 (hard)

During a security audit, it is discovered that several employees have access to shared network drives containing sensitive HR data. The HR manager states that these employees no longer need access. What is the most efficient way to revoke access?

A

Remove the users from the security group that grants access to the drives.

Group-based management allows efficient revocation by modifying group membership.

B

Delete the user accounts of the affected employees.

C

Reconfigure the shared drive to deny access to all users except HR.

D

Manually remove each user's permissions on the shared drive.

Why: The most efficient way to revoke access is to remove the users from the security group that grants access to the drives. In Windows environments, shared drive permissions are typically assigned to Active Directory security groups rather than individual users. By removing the users from the group, their permissions are revoked immediately across all resources that group has access to, without needing to touch each resource individually.
Q6 (easy)

A company wants to ensure that employees use strong passwords. Which policy is most effective?

A

Prohibit password reuse for the last 10 passwords.

B

Require password changes every 30 days.

C

Require a minimum password length of 12 characters.

Length is the most important factor for password strength.

D

Require a mix of uppercase, lowercase, numbers, and symbols.

Why: Option C is correct because password length is the single most important factor in resistance to brute-force and rainbow table attacks. NIST SP 800-63B and industry best practices now recommend a minimum of 12–16 characters, as each additional character exponentially increases the keyspace. While complexity adds some entropy, a long passphrase is far more effective against modern GPU-based cracking than a short, complex password.

Domain 2: Risk Identification, Monitoring and Analysis
Q1 (easy)

A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-IP blocking. This activity is part of which risk management process?

A

Risk identification

B

Risk assessment

C

Risk reporting

D

Risk monitoring

Adjusting controls based on observed events is a core risk monitoring activity.

Why: Option D is correct because the analyst is actively monitoring the VPN gateway for security events (failed logins) and then adjusting controls (lockout threshold, geo-IP blocking) in response to observed threats. This continuous observation and adjustment is the essence of risk monitoring, which is the ongoing process of tracking identified risks and evaluating the effectiveness of controls. The actions taken are not about identifying new risks, assessing their likelihood/impact, or formally reporting them, but rather about reacting to real-time data to maintain an acceptable risk posture.
Q2 (medium)

During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?

A

Remediate by applying vendor patches

B

Implement compensating controls such as network segmentation and strict access control

Compensating controls mitigate the risk without changing the device itself.

C

Retire and replace all devices immediately

D

Transfer the risk by purchasing cyber insurance

Why: Since the legacy medical devices cannot be patched due to vendor obsolescence, the most appropriate risk treatment strategy is to implement compensating controls. Network segmentation (e.g., VLANs or firewalls) isolates the devices from the main hospital network, while strict access control (e.g., 802.1X or MAC-based filtering) limits exposure to threats. This reduces the likelihood of exploitation without relying on patching the outdated operating systems.
Q3 (hard)

A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?

A

Technical vulnerability indicator

B

User behavior risk indicator

The unusual access pattern is a behavioral indicator of potential insider threat or compromise.

C

Error log indicator

D

Configuration drift indicator

Why: The activity describes a user downloading a large volume of sensitive data at an anomalous time (3:00 AM) without authorization, which directly maps to a User Behavior Risk Indicator (UBRI). UBRI focuses on deviations from established baselines of user actions, such as unusual access times, data volumes, or locations, to detect potential insider threats or compromised accounts. This is not a technical vulnerability, error log, or configuration issue, but a behavioral anomaly that requires investigation.
Q4 (medium)

An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?

A

Run a vulnerability scan on the CRM

B

Execute a business impact analysis (BIA)

C

Perform a threat modeling exercise such as STRIDE

Threat modeling is tailored to the system's architecture and identifies relevant threats.

D

Conduct a qualitative risk assessment using a generic framework

Why: Threat modeling with STRIDE is the best approach because it systematically identifies threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) specific to the CRM's architecture, data flows, and trust boundaries. Unlike generic scans or assessments, STRIDE focuses on the unique attack surface of a cloud-based system, such as API endpoints, multi-tenancy risks, and shared responsibility model gaps.
Q5 (easy)

After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

A

Lessons learned report

A lessons learned report captures post-incident details and improvements.

B

Incident response plan

C

Risk register

D

Business impact analysis (BIA)

Why: A lessons learned report is a post-incident document that captures what happened during a security incident, including affected assets, the attack vector, and financial impact. It is used to improve future incident response processes and is distinct from operational plans or risk assessments.
Q6 (hard)

A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A

$1,000,000

Correct calculation: SLE = $5M × 0.4 = $2M; ALE = $2M × 0.5 = $1M.

B

$800,000

C

$2,000,000

D

$2,500,000

Why: The annualized loss expectancy (ALE) is calculated as single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). SLE is asset value ($5,000,000) times exposure factor (40%) = $2,000,000. Then ALE = $2,000,000 × 0.5 = $1,000,000. This quantitative risk analysis formula is standard in financial risk assessments for payment systems.

Domain 3: Incident Response and Recovery
Q1 (medium)

A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?

A

Run a full antivirus scan on the server.

B

Isolate the server from the network.

Containment stops the threat from causing further damage.

C

Immediately shut down the server.

D

Disconnect the entire network segment.

Why: The unusual outbound traffic to an external IP on port 443/tcp from a server that normally only communicates internally indicates a potential compromise, such as a command-and-control (C2) channel. The first priority in incident response is containment to prevent further data exfiltration or lateral movement, and isolating the server from the network achieves this without destroying volatile evidence. Shutting down the server or running an antivirus scan could destroy memory-resident malware or forensic artifacts, violating the order of volatility.
Q2 (hard)

During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?

A

Process hollowing

B

Reflective DLL injection

C

Token stealing

D

DLL injection

DLL injection loads a malicious DLL into a target process.

Why: DLL injection is the most likely technique because it involves a process loading a malicious DLL into the address space of a legitimate process like svchost.exe. This is typically achieved using Windows API calls such as CreateRemoteThread and LoadLibrary, allowing the attacker to execute code within the trusted svchost.exe context, evading detection by blending in with legitimate system processes.
Q3 (easy)

A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?

A

Turn off the system immediately

B

Copy files to a network share

C

Run a checksum on the live system

D

Create a forensic image with write blocker and hash

Forensic imaging with hashing ensures original data is unchanged.

Why: Option D is correct because creating a forensic image with a write blocker ensures that the original data is not altered during acquisition, and hashing (e.g., SHA-256) provides a cryptographic integrity check that can later verify the image is an exact bit-for-bit copy. This preserves the chain of custody and admissibility of evidence in legal proceedings.
Q4 (medium)

After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

A

Disconnect the infected systems from the network.

B

Verify the integrity and cleanliness of the backup.

Ensuring backup is clean prevents re-infection.

C

Contact law enforcement.

D

Restore all files from the most recent backup.

Why: Before restoring, ensure the backup system is not compromised. Option B is correct. Option A may restore malware; Option C is premature; Option D is not a first step.
Q5 (hard)

During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?

A

Session hijacking

B

MFA fatigue attack

The attacker spams MFA requests until the user approves.

C

Man-in-the-middle (MITM) attack

D

Token theft from the endpoint

Why: MFA fatigue attacks exploit user behavior by bombarding the victim with repeated push notifications until they inadvertently approve an authentication request. Since the attacker already has the valid credentials, they trigger the MFA prompt repeatedly, and the user eventually accepts, granting the attacker access without needing to compromise the MFA mechanism itself.
Q6 (easy)

A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

A

Password spraying

B

Brute force attack

Multiple attempts from a single source indicate brute force.

C

Credential stuffing

D

Social engineering

Why: A brute force attack involves systematically trying all possible password combinations until the correct one is found. The log pattern of multiple failed attempts from a single external IP followed by a success is the classic signature of a brute force attack, as the attacker iterates through a password list or character space against the same username.

Domain 4: Network and Communications Security
Q1 (medium)

A security analyst notices unusual outbound traffic from a server in the DMZ to an external IP address on port 4444. The server runs a web application. Which action should the analyst take first?

A

Disconnect the server from the network.

B

Reboot the server to clear any malware.

C

Check the server's running processes and established connections.

This provides immediate visibility into potential compromise without destroying evidence.

D

Block the outbound traffic at the firewall.

Why: Option C is correct because the first step in incident response is to gather forensic evidence and understand the scope of the compromise. Checking running processes and established connections allows the analyst to identify the malicious process, its parent, and the active command-and-control (C2) channel on port 4444, which is commonly associated with reverse shells or backdoor traffic. This data is volatile and must be captured before any disruptive action like disconnection or reboot, which would destroy evidence.
Q2 (hard)

A network engineer is designing a secure WAN link between two offices using IPsec VPN. The company requires encryption of all traffic, authentication of both endpoints, and protection against replay attacks. Which combination of IPsec protocols and modes should be used?

A

AH in tunnel mode

B

AH in transport mode

C

ESP in tunnel mode

ESP in tunnel mode encrypts and authenticates the entire packet, suitable for site-to-site VPNs.

D

ESP in transport mode

Why: ESP in tunnel mode encrypts and authenticates the entire original IP packet, providing confidentiality, integrity, and authentication for the entire payload. It also includes sequence numbers to protect against replay attacks, making it the correct choice for a secure WAN link between two offices.
Q3 (easy)

An organization wants to prevent unauthorized devices from connecting to its wired network. Which security control should be implemented?

A

Port security with sticky MAC

B

MAC address filtering

C

VLAN segmentation

D

IEEE 802.1X port-based authentication

802.1X authenticates devices at the port level before allowing network access.

Why: IEEE 802.1X port-based authentication is the correct control because it authenticates each device at the network edge before granting access to the wired LAN. It uses an authentication server (e.g., RADIUS) to verify credentials or certificates, effectively preventing unauthorized devices from connecting. Unlike MAC-based controls, 802.1X provides dynamic, per-session authentication that cannot be easily spoofed.
Q4 (medium)

A company's internal network uses a /24 subnet and has a single firewall connecting to the internet. Employees report that they cannot access an external web server at 203.0.113.50. The firewall has a rule that allows outbound HTTP. What is the most likely cause?

A

The default gateway on the internal hosts is incorrect.

B

NAT is not configured for outbound traffic.

Internal private IPs must be translated to a public IP for internet access.

C

DNS resolution is failing for the server name.

D

An ACL is blocking the destination IP.

Why: The firewall rule allows outbound HTTP, but without NAT configured, the internal hosts' private IP addresses (e.g., 192.168.1.x) are used as source addresses in packets sent to the external web server. The web server at 203.0.113.50 will see these private addresses as the source and attempt to reply to them, but private addresses are not routable on the public internet, so the return traffic never reaches the internal hosts. NAT (specifically source NAT or PAT) translates the private source IP to the firewall's public IP, enabling two-way communication.
Q5 (hard)

A security administrator is configuring a wireless network for a branch office. The office has legacy devices that only support WPA2-PSK. The administrator wants to provide the highest level of security while maintaining compatibility. Which configuration should be used?

A

WPA2-Enterprise with RADIUS

B

WPA2-PSK with AES (CCMP)

AES is the strongest encryption available for WPA2 and is supported by most devices.

C

WPA3-SAE only

D

WPA2-PSK with TKIP

Why: WPA2-PSK with AES (CCMP) is correct because it provides the highest security level compatible with legacy devices that only support WPA2-PSK. AES-CCMP is the mandatory encryption protocol for WPA2, offering strong data confidentiality and integrity, whereas TKIP is deprecated due to known vulnerabilities. This configuration avoids the need for a RADIUS server (required by WPA2-Enterprise) and does not force an upgrade to WPA3, which legacy devices cannot support.
Q6 (easy)

A network technician needs to ensure that only authorized DHCP servers can assign IP addresses on the network. Which switch feature should be enabled?

A

DHCP snooping

DHCP snooping blocks unauthorized DHCP server responses.

B

Dynamic ARP Inspection

C

Port security

D

BPDU guard

Why: DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding database by monitoring DHCP traffic on untrusted ports. By enabling DHCP snooping on the switch, only DHCP servers connected to trusted ports can assign IP addresses, preventing rogue DHCP server attacks.

Domain 5: Systems and Application Security
Q1 (medium)

A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?

A

Disable the legacy module until a full rewrite is completed.

B

Rewrite the legacy module to use parameterized queries.

Parameterized queries prevent SQL injection by separating code from data.

C

Deploy a web application firewall (WAF) to block SQL injection patterns.

D

Implement input validation to reject special characters.

Why: Option B is correct because parameterized queries (prepared statements) are the definitive defense against SQL injection, as they separate SQL logic from user data by design. Rewriting the legacy module to use parameterized queries eliminates the root cause of the vulnerability at the code level, ensuring that user input is never concatenated into the SQL statement. This is the most secure and permanent fix, as it directly addresses the injection point in the application layer.
Q2 (hard)

An organization is implementing a jump server architecture for managing critical servers. Which additional control BEST reduces the risk of lateral movement if the jump server is compromised?

A

Enable verbose logging on all target servers.

B

Require multi-factor authentication for all jump server logins.

C

Implement SSH key-based authentication with agent forwarding restricted to specific target hosts.

Restricts which hosts can be accessed from the jump server, reducing lateral movement.

D

Use a separate VLAN for management traffic.

Why: Option C is correct because restricting SSH agent forwarding to specific target hosts prevents an attacker who compromises the jump server from using forwarded credentials to authenticate to arbitrary internal systems. This containment limits lateral movement by ensuring that even if the jump server is breached, the attacker cannot reuse SSH keys to pivot to non-approved targets.
Q3 (easy)

A company is deploying a new mobile application that handles sensitive customer data. Which practice BEST ensures data confidentiality on the device?

A

Require a strong screen lock passcode.

B

Disable cloud backups for the app.

C

Encrypt all sensitive data stored on the device using a key derived from the user's passcode.

Encryption at rest ensures data is unreadable without the key.

D

Use app sandboxing to isolate app data from other apps.

Why: Option C is correct because encrypting sensitive data with a key derived from the user's passcode ensures that even if the device is lost or stolen, the data remains unreadable without the passcode. This approach leverages the user's secret to protect confidentiality at rest, which is a fundamental principle of mobile data protection. Technologies like iOS Data Protection and Android File-Based Encryption use similar key derivation from the lock screen credential to encrypt app-specific data.
Q4 (hard)

During a penetration test, an attacker was able to bypass input validation and execute commands on a web server. The server runs a PHP application. Which of the following is the MOST likely root cause?

A

The application uses unsanitized input in SQL queries.

B

The application reflects user input in HTTP responses without escaping.

C

The application passes user input to a shell command via exec() or system() functions.

Command injection allows arbitrary command execution on the server.

D

The application uses hidden form fields to store session tokens.

Why: Option C is correct because the scenario describes command execution on the web server, which is a direct consequence of OS command injection. In PHP, passing unsanitized user input to functions like exec() or system() allows an attacker to execute arbitrary shell commands, bypassing input validation. This is the most likely root cause as it directly enables command execution, unlike other vulnerabilities that lead to different impacts.
Q5 (medium)

A system administrator needs to ensure that a Linux server is hardened against common attacks. Which configuration change is MOST effective in preventing privilege escalation via SUID binaries?

A

Enable auditd to log all SUID executions.

B

Set the umask to 077 for all users.

C

Mount the /tmp and /var partitions with the 'nosuid' option.

Prevents execution of SUID binaries on those partitions.

D

Remove all SUID binaries from the system.

Why: Mounting partitions like /tmp and /var with the 'nosuid' option prevents SUID and SGID bits from taking effect on files stored there. Since attackers often place malicious SUID binaries in world-writable directories to escalate privileges, this configuration blocks the execution of such binaries regardless of their permissions. This is more effective than logging or removing all SUID binaries, as it proactively neutralizes a common attack vector without breaking system functionality.
Q6 (easy)

A company is migrating its on-premises applications to a public cloud. Which security control is MOST important to implement to protect data in transit?

A

Enable server-side encryption for cloud storage.

B

Implement data classification labels.

C

Use IPsec VPNs for all cloud connections.

D

Ensure all data transmissions use TLS 1.2 or higher.

TLS encrypts data in transit and is widely supported.

Why: TLS 1.2 or higher is the standard protocol for encrypting data in transit over public networks, ensuring confidentiality and integrity between client and server. It is the most critical control because it directly protects data as it moves across the internet to the cloud, which is the primary risk in a migration scenario.

Domain 6: Access Controls
Q1 (easy)

A system administrator needs to implement a control that ensures users can only access files necessary for their job functions. Which principle is being applied?

A

Need-to-know

B

Separation of duties

C

Job rotation

D

Least privilege

Least privilege ensures users have only the permissions necessary to perform their job.

Why: The principle of least privilege ensures that users are granted only the permissions necessary to perform their job functions, minimizing the attack surface and potential damage from accidental or malicious actions. In this scenario, restricting file access to only what is needed for job duties directly implements least privilege, as it limits access rights to the minimum required. This is distinct from need-to-know, which focuses on information disclosure rather than access permissions.
Q2 (medium)

An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?

A

Attribute-Based Access Control (ABAC)

B

Mandatory Access Control (MAC)

C

Role-Based Access Control (RBAC)

D

Discretionary Access Control (DAC)

DAC allows data owners to grant access to others at their discretion.

Why: Discretionary Access Control (DAC) is the correct model because it allows data owners (the users who create or own the resource) to decide who can access their resources. In DAC, the owner sets permissions (e.g., read, write, execute) on objects like files or directories, typically using Access Control Lists (ACLs). This directly matches the requirement where data owners control access decisions.
Q3 (hard)

During a security audit, it is discovered that a developer has direct access to production databases. The policy requires that changes be reviewed and deployed by a separate team. Which control is being violated?

A. Need-to-know
B. Job rotation
C. Least privilege
D. Separation of duties

Correct answer: D. The developer should not have direct production access; changes should go through a separate deployment team.

Why: The scenario describes a direct violation of separation of duties (SoD), a core access control principle that requires critical tasks to be divided among multiple individuals to prevent fraud or error. In this case, the developer both writes code and has direct access to production databases, bypassing the required review and deployment by a separate team. SoD ensures no single person has end-to-end control over a sensitive process, which is essential for maintaining integrity and accountability in production environments.
Q4 (easy)

An administrator notices that a terminated employee's account is still active. Which access control process was likely skipped?

A. Authorization
B. Authentication
C. Provisioning
D. Accounting

Correct answer: C. Provisioning includes creating and disabling accounts; the termination process should have disabled the account.

Why: Provisioning is the access control process that includes creating, modifying, and disabling user accounts and their associated privileges. When a terminated employee's account remains active, the de-provisioning step—specifically account revocation—was likely skipped, leaving the account enabled and accessible.
Q5 (medium)

A company uses an identity management system that requires users to authenticate using a smart card and a PIN. This is an example of:

A. Single sign-on (SSO)
B. Biometric authentication
C. Two-factor authentication
D. Multi-factor authentication

Correct answer: C. Smart card (possession) and PIN (knowledge) constitute two-factor authentication.

Why: Two-factor authentication (2FA) requires two distinct factors from different categories: something you have (the smart card) and something you know (the PIN). This combination provides stronger assurance than a single factor because an attacker would need both physical possession of the card and knowledge of the PIN to authenticate.
Q6 (hard)

An organization is implementing an access control system where access decisions are based on the sensitivity of the resource and the clearance of the user. Which model is being used?

A. Discretionary Access Control (DAC)
B. Attribute-Based Access Control (ABAC)
C. Role-Based Access Control (RBAC)
D. Mandatory Access Control (MAC)

Correct answer: D. MAC uses security labels to enforce access based on classification and clearance.

Why: Mandatory Access Control (MAC) enforces access decisions based on comparing the sensitivity label (e.g., classification level) of the resource with the clearance level of the user. This model is non-discretionary, meaning users cannot override or delegate permissions; the system centrally controls all access according to a security policy, such as Bell-LaPadula or Biba.
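The two models contrasted in Q2 (DAC, where the owner edits an ACL) and Q6 (MAC, where the system compares labels) are easier to tell apart in code than in prose. The following is an added example written for this page, not part of Courseiva's material or any product: a minimal DAC file object whose owner alone can grant ACL entries, beside a MAC check that applies the Bell-LaPadula "no read up / no write down" rules to clearance and classification labels. The users, file name and label set are constructed for illustration.

```python
"""Toy DAC vs MAC decision logic (added example; names below are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field


# ----- DAC: the object's owner maintains the ACL at their discretion --------

@dataclass
class DacFile:
    name: str
    owner: str
    # ACL maps a user to the set of permissions the owner granted them
    acl: dict[str, set[str]] = field(default_factory=dict)


def dac_grant(f: DacFile, actor: str, user: str, perms: set[str]) -> bool:
    """Only the owner may change the ACL; anyone else is refused."""
    if actor != f.owner:
        return False
    f.acl.setdefault(user, set()).update(perms)
    return True


def dac_check(f: DacFile, user: str, perm: str) -> bool:
    """The owner implicitly holds every right; others need an ACL entry."""
    return user == f.owner or perm in f.acl.get(user, set())


# ----- MAC: the system compares labels; owners cannot override -------------

# Ordered classification levels (constructed for the example)
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_check(clearance: str, classification: str, perm: str) -> bool:
    """Bell-LaPadula confidentiality rules:
    - simple security property: read only at or below your clearance (no read up)
    - *-property: write only at or above your clearance (no write down)
    """
    subj, obj = LEVELS[clearance], LEVELS[classification]
    if perm == "read":
        return subj >= obj
    if perm == "write":
        return subj <= obj
    raise ValueError(f"unknown permission {perm!r}")


if __name__ == "__main__":
    budget = DacFile("budget.xlsx", owner="alice")
    dac_grant(budget, "alice", "bob", {"read"})
    print("DAC: bob read  ->", dac_check(budget, "bob", "read"))     # True
    print("DAC: bob write ->", dac_check(budget, "bob", "write"))    # False
    print("MAC: SECRET user reads CONFIDENTIAL ->", mac_check("SECRET", "CONFIDENTIAL", "read"))  # True
    print("MAC: CONFIDENTIAL user reads SECRET ->", mac_check("CONFIDENTIAL", "SECRET", "read"))  # False
```

Note the asymmetry the exam is probing: in the DAC half, a non-owner calling `dac_grant` is simply refused, but the owner can hand out any right they like; in the MAC half there is no grant function at all, because the label comparison is fixed policy that no subject can relax.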


Domain 7: Cryptography

Q1 (easy)

A company wants to ensure that data transmitted between its two branch offices remains confidential. Which cryptographic goal is primarily being addressed?

A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality

Correct answer: D. Confidentiality is the goal of keeping data secret, achieved via encryption.

Why: Confidentiality ensures that data is accessible only to authorized parties, typically achieved through encryption. In this scenario, the company wants to prevent unauthorized interception of data between branch offices, which is the core goal of confidentiality. Technologies such as IPsec VPNs or TLS are used to encrypt the data in transit, directly addressing this requirement.
Q2 (medium)

A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?

A. RSA
B. Diffie-Hellman
C. AES
D. SHA-256

Correct answer: C. AES is symmetric, fast, and suitable for link-layer encryption.

Why: AES (Advanced Encryption Standard) is the most appropriate choice for link-layer encryption in high-speed networks because it is a symmetric block cipher designed for efficient hardware and software implementation, offering high throughput with low latency. Unlike asymmetric algorithms, AES operates with a single shared key, making it ideal for encrypting bulk data at the data link layer where speed and minimal overhead are critical.
Q3 (hard)

A system administrator notices that a server's certificate was issued by a CA that is not in the trusted root store of client machines. What is the most likely impact on clients connecting via TLS?

A. Clients will receive a certificate warning or be unable to connect.
B. The server will automatically obtain a new certificate.
C. Clients will connect but with reduced cipher strength.
D. Clients will be able to connect without any warning.

Correct answer: A. An untrusted CA causes a trust error, resulting in a warning or failure.

Why: When a server presents a certificate issued by a Certificate Authority (CA) that is not in the client's trusted root store, the TLS handshake fails the trust chain validation. The client's TLS library (e.g., OpenSSL, Schannel) will either display a certificate warning to the user or terminate the connection with an error such as 'SEC_ERROR_UNKNOWN_ISSUER' in Firefox or 'ERR_CERT_AUTHORITY_INVALID' in Chrome, depending on the client's security policy.
Q4 (easy)

When implementing a digital signature, which key is used to create the signature?

A. Receiver's private key
B. Sender's private key
C. Sender's public key
D. Receiver's public key

Correct answer: B. The private key is used to sign documents.

Why: In a digital signature scheme, the sender uses their own private key to create the signature. This ensures non-repudiation because only the sender possesses that private key, and the corresponding public key can verify the signature. The process involves encrypting a hash of the message with the sender's private key, as specified in standards like PKCS#1 and RFC 8017.
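To make the key roles in Q4 concrete, here is an added example (written for this page, not Courseiva's or any library's code) of a textbook RSA signature: the sender hashes the message and signs the hash with their private key, and anyone holding the sender's public key can verify it. The key pairs use tiny classroom primes so the arithmetic is visible; they are constructed values, not secure parameters, and the hash is reduced modulo n only because n is small. Real deployments use keys of 2048 bits or more and a padding scheme such as RSASSA-PSS.

```python
"""Toy RSA digital signature (added example; keys are textbook-sized, not secure)."""
import hashlib

# Textbook key pair: p=61, q=53 -> n=3233, phi=3120, e=17, d=2753
SENDER_PUBLIC = (3233, 17)      # (n, e): published to everyone
SENDER_PRIVATE = (3233, 2753)   # (n, d): known only to the sender

# A second, unrelated key pair (p=47, q=71 -> n=3337, phi=3220, e=79, d=1019),
# used to show that a signature does not verify under someone else's key.
OTHER_PUBLIC = (3337, 79)
OTHER_PRIVATE = (3337, 1019)


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message with SHA-256, then reduce into the toy modulus range.
    (With a real-sized n, the padded hash fits without reduction.)"""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(message: bytes, private_key: tuple[int, int]) -> int:
    """Signature = hash(message)^d mod n, computed with the SENDER's private key."""
    n, d = private_key
    return pow(digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key: tuple[int, int]) -> bool:
    """Verification = signature^e mod n == hash(message), using the sender's public key."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"          # constructed sample message
    sig = sign(msg, SENDER_PRIVATE)
    print("signature:", sig)
    print("verifies with sender's public key:", verify(msg, sig, SENDER_PUBLIC))
    print("verifies after tampering:", verify(b"Transfer 900 to account 42", sig, SENDER_PUBLIC))
    print("verifies with someone else's public key:", verify(msg, sig, OTHER_PUBLIC))
```

The three checks in the demo map onto the three wrong options in Q4: the receiver's keys never enter the computation at all, and the sender's public key can only verify, because anyone who could sign with the public key would destroy non-repudiation.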
Q5 (medium)

A company's policy requires that all data at rest be encrypted. Which of the following is the most effective method to encrypt files on a laptop?

A. Encrypt only the user's home folder.
B. Encrypt individual files using a symmetric key.
C. Implement full disk encryption (FDE).
D. Use a self-extracting encrypted archive.

Correct answer: C. FDE provides blanket encryption for the entire drive.

Why: Full disk encryption (FDE) encrypts the entire storage volume, including the operating system, swap files, temporary files, and all user data. This ensures that if the laptop is lost or stolen, all data at rest is protected without relying on the user to selectively encrypt files or folders, which can leave sensitive data exposed in unencrypted system areas.
Q6 (medium)

Which TWO of the following are symmetric encryption algorithms? (Select exactly two.)

A. DES
B. AES
C. RSA
D. ECC
E. SHA-256

Correct answers: A and B. DES is a symmetric cipher; AES is a symmetric cipher.

Why: DES (Data Encryption Standard) is a symmetric encryption algorithm that uses a single key for both encryption and decryption. It operates on 64-bit blocks with a 56-bit key, and while now considered insecure due to its small key size, it remains a foundational symmetric cipher. AES (Advanced Encryption Standard) is also symmetric, using block sizes of 128 bits and key sizes of 128, 192, or 256 bits, and is the current standard for symmetric encryption.


Frequently asked questions

How many questions are on the SSCP exam?

The SSCP exam has 125 questions and must be completed in 180 minutes. The passing score is 700/1000.

What types of questions appear on the SSCP exam?

Multiple-choice questions on access controls, security operations, risk, cryptography, network security, and incident response.

How are SSCP questions organised by domain?

The exam covers 7 domains: Security Operations and Administration; Risk Identification, Monitoring and Analysis; Incident Response and Recovery; Network and Communications Security; Systems and Application Security; Access Controls; and Cryptography. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SSCP exam questions?

No. These are original exam-style practice questions written against the official ISC2 SSCP exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
