© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

SSCP Risk Identification, Monitoring and Analysis — All Questions With Answers

Complete SSCP Risk Identification, Monitoring and Analysis question bank — all 0 questions with answers and detailed explanations.

78 questions, free, no signup required.
Question 1 (easy, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-ip blocking. This activity is part of which risk management process?

Question 2 (medium, multiple choice)

During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?

Question 3 (hard, multiple choice)

A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?

Question 4 (medium, multiple choice)

An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?

Question 5 (easy, multiple choice)

After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

Question 6 (hard, multiple choice)

A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

Question 7 (medium, multiple choice)

A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?

Question 8 (easy, multiple choice)

During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?

Question 9 (medium, multi select)

Which TWO of the following are primary purposes of a risk register?

Question 10 (hard, multi select)

Which THREE of the following are common techniques for identifying risks?

Question 11 (easy, multi select)

Which TWO of the following are examples of key risk indicators (KRIs)?

Question 12 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?

Exhibit:

Oct 15 09:23:45 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:46 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:47 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:48 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:49 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Question 13 (hard, multiple choice)

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?

Exhibit:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket",
      "Principal": "*"
    }
  ]
}
Question 14 (hard, multiple choice)

You are the security analyst for a mid-sized e-commerce company that processes credit card payments. The company uses a legacy payment application on a Windows Server 2012 R2 system, which is scheduled for decommission in six months. The server is isolated in a separate VLAN with strict firewall rules allowing only outbound HTTPS to the payment processor and inbound management from a jump box on a different subnet. During a routine vulnerability scan, you discover that the server is missing over 50 critical patches, including one for a remote code execution vulnerability (CVE-2023-XXXX) that is being actively exploited in the wild. The server cannot be patched because the vendor stopped support and patches are not available. The company's risk appetite is low due to PCI DSS requirements. You need to recommend a course of action that balances risk reduction with business continuity. What should you do?

Question 15 (medium, multiple choice)

You are a risk analyst at a healthcare organization. The organization recently deployed a new electronic health records (EHR) system. During the first month of operation, the IT helpdesk received multiple reports from doctors that the system becomes unresponsive for 10-15 seconds several times a day. The EHR vendor attributes this to insufficient database connection pooling, but the organization's system administrator notes that the database server's CPU and memory utilization never exceed 30%. The organization has a risk management policy that requires any system with availability <99.5% to be treated as a high risk. Based on initial data, the system has been unavailable for about 0.1% of the time (excluding planned maintenance). However, doctors report that the brief unresponsiveness is causing frustration and potential misdiagnosis due to interrupted workflows. You need to recommend a risk treatment approach. What should you do?

Question 16 (medium, drag order)

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Question 17 (medium, drag order)

Drag and drop the steps for properly disposing of a hard drive containing sensitive data into the correct order.

Question 18 (medium, matching)

Match each security control type to its example.

Concepts to match: Firewall, IDS, Backup restoration, Warning signs

Question 19 (medium, matching)

Match each security policy type to its purpose.

Purposes to match: Defines proper use of resources; Requirements for password strength; Categorizes data sensitivity; Procedures for handling breaches

Question 20 (medium, multiple choice)

A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?

Question 21 (easy, multiple choice)

During a quantitative risk analysis, the asset value is $500,000, the exposure factor is 40%, and the annual rate of occurrence is 0.5. What is the annualized loss expectancy (ALE)?

Question 22 (hard, multiple choice)

A company is implementing a risk monitoring program. Which of the following is the best key performance indicator (KPI) to measure the effectiveness of the vulnerability management process?

Question 23 (medium, multiple choice)

A system administrator receives an alert from the SIEM indicating a possible brute-force attack on a server. The logs show 100 failed logins in 2 minutes from a single source. Which of the following is the best immediate action to verify and respond?

Question 24 (easy, multiple choice)

In the context of risk assessment, which of the following best describes a vulnerability?

Question 25 (medium, multiple choice)

A security team is conducting a qualitative risk assessment for a new cloud application. They want to prioritize risks based on likelihood and impact. Which method should they use to combine these factors?

Question 26 (hard, multiple choice)

An organization has implemented a SIEM solution and wants to reduce false positives. Which of the following is the most effective approach?

Question 27 (easy, multiple choice)

Which of the following is the primary purpose of a risk register?

Question 28 (hard, multiple choice)

A company's risk management policy states that all risks with a residual risk score of 8 or higher (on a scale of 1-10) must be treated. A risk is identified with an inherent risk score of 9, and after applying controls, the residual risk score is 7. What is the appropriate action?

Question 29 (medium, multi select)

Which TWO of the following are key components of a Security Information and Event Management (SIEM) system? (Select two.)

Question 30 (hard, multi select)

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select three.)

Question 31 (easy, multi select)

Which THREE of the following are common methods for identifying risks? (Select three.)

Question 32 (medium, multiple choice)

Given the exhibit, what is the most likely conclusion?

Exhibit:

[alert from SIEM]
Alert: High Priority
Rule: Possible Brute Force Attack
Source IP: 192.168.1.50
Target: Server 10.0.0.10
Count: 150 failed logins in 5 minutes
Time: 2024-03-21 14:32:15

[additional log from authentication server]
Log: Successful login from 192.168.1.50 to 10.0.0.10 at 14:34:20 for user 'admin'.
Question 33 (hard, multiple choice)

Based on the exhibit, what is the most appropriate immediate action?

Exhibit:

[Vulnerability Scan Report Excerpt]
Host: 10.0.0.15
Port: 3389 (RDP)
Vulnerability: CVE-2024-1234 - Critical
CVSS Score: 9.8
Description: Remote Code Execution in RDP
Patch: KB4567890 available from vendor

[Patch Management Database]
Host 10.0.0.15: Last patched 2023-12-01. Patches applied: KB123456, KB789012.
KB4567890 not applied.

[Asset Criticality]
10.0.0.15: Critical, used for financial operations.
Question 34 (medium, multiple choice)

A security analyst reviews the exhibit. The internal IP 10.0.0.1 is a web server, and 203.0.113.5 is an external IP. What is the most likely issue?

Exhibit:

[NetFlow Record]
Time: 2024-03-21 10:00:00 - 10:05:00
Source IP: 10.0.0.1
Destination IP: 203.0.113.5
Port: 443 (HTTPS)
Bytes: 1500
[NetFlow Record]
Time: 2024-03-21 10:05:00 - 10:10:00
Source IP: 10.0.0.1
Destination IP: 203.0.113.5
Port: 443 (HTTPS)
Bytes: 2000
[NetFlow Record]
Time: 2024-03-21 10:10:00 - 10:15:00
Source IP: 10.0.0.1
Destination IP: 203.0.113.5
Port: 443 (HTTPS)
Bytes: 2500
Question 35 (easy, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address within a short time window. Which control should be implemented to automatically mitigate this behavior?

Question 36 (medium, multiple choice)

A company has deployed an intrusion detection system (IDS) that generates numerous false positives. Which approach would best reduce false positives while maintaining detection capability?

Question 37 (hard, multiple choice)

During a risk assessment, a team identifies that the annualized loss expectancy (ALE) for a critical asset is $50,000. A proposed control costs $15,000 per year and will reduce the annualized rate of occurrence (ARO) from 5 to 1. The single loss expectancy (SLE) is unchanged at $10,000. What is the net benefit of implementing the control?

Question 38 (easy, multiple choice)

A security analyst is reviewing vulnerability scan results and finds a critical vulnerability on a web server. The patch is available but requires a reboot. What should the analyst do first?

Question 39 (medium, multiple choice)

A company's log management solution is overwhelmed by high-volume logs from network devices, causing storage and analysis delays. Which strategy would best improve the efficiency of the log management process?

Question 40 (hard, multiple choice)

An organization uses a SIEM to correlate events. The SIEM receives Windows Security Event ID 4625 (failed login) and 4776 (credential validation). An analyst wants to detect a brute-force attack against a service account. Which correlation rule is most effective?

Question 41 (easy, multiple choice)

A risk manager is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

Question 42 (medium, multiple choice)

A security team is implementing a risk treatment plan for a high-risk vulnerability. The cost to fix the vulnerability is $100,000, but the expected loss if exploited is $1,000,000. The annual likelihood of exploitation is 2%. Which risk treatment strategy is most appropriate?

Question 43 (hard, multiple choice)

An analyst detects outbound traffic from a workstation to a known malicious IP address. The workstation is a developer machine with local admin rights. Which containment action should be taken first?

Question 44 (easy, multiple choice)

Which metric is used to measure the potential loss from a single occurrence of a risk?

Question 45 (medium, multiple choice)

Refer to the exhibit. The analyst sees this IDS alert. What is the most likely outcome if the target web application is vulnerable?

Exhibit:

[IDS Alert]
Timestamp: 2025-02-18 14:23:45
Source IP: 10.10.10.5 -> Destination IP: 192.168.1.100
Signature: ET WEB_SPECIFIC SQL Injection Attempt
Payload: ' OR '1'='1' --
Question 46 (hard, multiple choice)

Refer to the exhibit. An analyst reviews the sshd log. What should be the immediate response?

Exhibit:

[Linux auth.log]
Feb 18 10:15:22 server sshd[1234]: Failed password for root from 203.0.113.5 port 22 ssh2
Feb 18 10:15:23 server sshd[1234]: Failed password for root from 203.0.113.5 port 22 ssh2
... (50 more identical lines)
Feb 18 10:15:25 server sshd[1234]: Accepted password for root from 203.0.113.5 port 22 ssh2
Question 47 (medium, multiple choice)

Refer to the exhibit. During a security review, an analyst finds these firewall rules. Which recommendation should be made to reduce risk?

Exhibit:

[Firewall Rule - Policy]
Rule ID: 10
Source: Any
Destination: 10.10.10.0/24
Port: 1433
Action: Allow
Logging: Enabled
Rule ID: 15
Source: 10.10.10.0/24
Destination: Any
Port: 445
Action: Allow
Logging: Disabled
Question 48 (easy, multi select)

Which TWO of the following are key components of a risk assessment process?

Question 49 (medium, multi select)

Which THREE of the following are examples of detective controls?

Question 50 (hard, multi select)

Which THREE of the following are key elements of a security incident response plan?

Question 51 (easy, multiple choice)

A security analyst notices an increase in failed login attempts from a single IP address. What is the best immediate action?

Question 52 (medium, multiple choice)

During a vulnerability scan, a critical vulnerability is found on a publicly accessible web server. The server hosts a legacy application that cannot be patched immediately. What should the risk manager do first?

Question 53 (hard, multiple choice)

A company uses a SIEM to monitor security events. Recently, they are experiencing false positives from a new IDS rule. Which approach would best reduce false positives while maintaining detection?

Question 54 (easy, multiple choice)

An organization wants to perform a risk analysis for a new cloud application. Which quantitative metric is most commonly used to calculate risk?

Question 55 (medium, multiple choice)

A security team is conducting a penetration test. In which phase would they attempt to exploit vulnerabilities found during scanning?

Question 56 (hard, multiple choice)

An organization's risk register shows a high risk for phishing attacks. Which controls are considered detective controls for this risk?

Question 57 (easy, multiple choice)

A small business wants to identify vulnerabilities in its network. Which type of scan should they perform first to get an overview?

Question 58 (medium, multiple choice)

After a security incident, the CSIRT is conducting lessons learned. Which output is most directly used to update the risk management process?

Question 59 (hard, multiple choice)

A security analyst is reviewing logs and sees an alert for a known malware signature on an endpoint. Upon investigation, the file is identified as a false positive. What should the analyst do next?

Question 60 (medium, multi select)

Which TWO of the following are key components of a Business Impact Analysis (BIA)?

Question 61 (hard, multi select)

Which TWO of the following are examples of preventive controls for data leakage?

Question 62 (easy, multi select)

Which THREE of the following are common methods to identify risks in an organization?

Question 63 (medium, multiple choice)

Based on the exhibit, which conclusion is most likely?

Exhibit:

2019-05-22 10:15:30 192.168.1.10 TCP_MISS/200 1256 GET http://malware.com/evil.exe - DIRECT/203.0.113.5 text/html
2019-05-22 10:15:31 192.168.1.20 TCP_MISS/200 1042 GET http://malware.com/evil.exe - DIRECT/203.0.113.5 application/x-msdownload
2019-05-22 10:15:34 192.168.1.10 TCP_MISS/200 1256 GET http://malware.com/evil.exe - DIRECT/203.0.113.5 text/html
2019-05-22 10:15:35 192.168.1.20 TCP_MISS/200 1042 GET http://malware.com/evil.exe - DIRECT/203.0.113.5 application/x-msdownload
Question 64 (hard, multiple choice)

Based on the exhibit, what is the most critical observation?

Exhibit:

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "Root",
    "arn": "arn:aws:iam::123456789012:root",
    "accountId": "123456789012"
  },
  "eventTime": "2020-03-15T14:30:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "sourceIPAddress": "10.0.0.5",
  "requestParameters": {
    "groupId": "sg-12345678",
    "ipPermissions": {
      "items": [
        {
          "ipProtocol": "tcp",
          "fromPort": 3389,
          "toPort": 3389,
          "ipRanges": [
            {
              "cidrIp": "0.0.0.0/0"
            }
          ]
        }
      ]
    }
  }
}
Question 65 (easy, multiple choice)

Based on the exhibit, which type of attack is most likely occurring?

Exhibit:

Oct 12 14:23:45 server sshd[1234]: Failed password for root from 192.168.1.200 port 22 ssh2
Oct 12 14:23:47 server sshd[1234]: Failed password for root from 192.168.1.200 port 22 ssh2
Oct 12 14:23:49 server sshd[1234]: Failed password for root from 192.168.1.200 port 22 ssh2
Oct 12 14:23:51 server sshd[1234]: Failed password for root from 192.168.1.200 port 22 ssh2
Question 66 (medium, multiple choice)

A security team uses a risk matrix with likelihood (Low, Medium, High) and impact (Low, Medium, High). A vulnerability scan finds a buffer overflow in a customer-facing web application. The application is not critical but has high availability requirements. The likelihood of exploitation is considered Medium due to internal network segmentation. What is the risk level?

Question 67 (easy, multi select)

Which TWO of the following are key components of the risk identification process?

Question 68 (medium, multi select)

Which TWO of the following are effective methods for monitoring risk in real-time?

Question 69 (hard, multi select)

Which THREE of the following are key steps in performing a business impact analysis (BIA)?

Question 70 (easy, multiple choice)

You are the security analyst at a mid-sized retail company with 500 employees. The company recently experienced a ransomware attack that encrypted files on a file server. The infection was traced to a phishing email opened by an employee in accounting. The company has antivirus software, a firewall, and daily backups. After the incident, management wants to improve risk identification to prevent future attacks. Which of the following is the MOST effective first step to improve risk identification?

Question 71 (medium, multiple choice)

You work for a financial services firm that must comply with GDPR and PCI DSS. The company uses a cloud-based CRM to store customer data. The security team recently discovered that the CRM vendor had a data breach that exposed the company's customer records. An investigation shows that the breach occurred because the vendor did not have multi-factor authentication (MFA) enabled for administrative accounts. The contract with the vendor states that the vendor is responsible for security of their platform. However, your company had not conducted a risk assessment of the vendor before signing the contract. Management wants to improve risk identification for third-party relationships. Which of the following is the BEST long-term solution?

Question 72 (hard, multiple choice)

You are a security consultant for a hospital that is deploying a new IoT medical device system. The devices wirelessly transmit patient vital signs to a central server. The hospital is subject to HIPAA. The devices were developed by a startup and are not widely field-tested. The IT department wants to connect the devices to the existing network for real-time monitoring. The risk management team has identified potential threats including data interception, device tampering, and denial of service. They have no prior experience with IoT security. Which of the following risk treatment strategies is MOST appropriate given the high uncertainty?

Question 73 (medium, multiple choice)

A government agency requires all employees to use smart cards for network access. The security team notices a pattern of failed authentication attempts from a specific building after hours. The attempts occur every night at 2:00 AM for about 10 minutes. The building has a badge reader at the entrance. The team suspects an attacker is trying to brute-force smart card PINs. However, the building's door logs show no entry at that time. Which of the following should the security team do FIRST to identify the risk?

Question 74 (easy, multiple choice)

A small company uses a single firewall at the network perimeter. The security team receives alerts from an IDS but cannot correlate them with firewall logs because logs are stored on separate servers with different timestamps. The CEO wants to reduce false positives and improve incident response. What should the security team do first?

Question 75 (medium, multiple choice)

A financial institution uses a risk management framework based on ISO 31000. During a quarterly risk review, the risk manager identifies that the residual risk for a critical trading application remains high despite multiple controls. The application's risk score has not decreased after implementing two-factor authentication and encryption. The risk appetite statement says 'no high residual risk for systems processing transactions over $10M.' What should the risk manager do next?

Question 76 (hard, multi select)

Which TWO of the following are key indicators of a potential data exfiltration attempt?

Question 77 (medium, multiple choice)

Based on the exhibit, which type of attack is most likely being attempted?

Exhibit:

{
  "timestamp": "2024-06-15T14:23:10Z",
  "source_ip": "10.0.0.5",
  "dest_ip": "10.0.0.100",
  "request": "GET /search?q=test%22%3B%20DROP%20TABLE%20users%3BHTTP/1.1",
  "user_agent": "Mozilla/5.0",
  "status": 500
}
Question 78 (easy, multiple choice)

A small financial services company has deployed a SIEM solution collecting logs from their firewall, web server, and domain controller. They also have an IDS monitoring the network perimeter. The security analyst receives an alert from the IDS indicating a potential exploit attempt against the web server from an external IP. The analyst checks the SIEM and sees that the firewall log shows the connection was allowed, but the web server log does not show any corresponding request. The domain controller logs show no abnormal activity. The company has a policy to immediately contain any confirmed threats. What should the analyst do first based on this information?
