Sample questions
Systems Security Certified Practitioner SSCP practice questions
A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?
Trap 1: RSA
RSA is asymmetric and slower, not suitable for high-speed link-layer encryption.
Trap 2: Diffie-Hellman
Diffie-Hellman is a key exchange protocol, not an encryption algorithm.
Trap 3: SHA-256
SHA-256 is a hash function, not an encryption algorithm.
- A. RSA
  Why wrong: RSA is asymmetric and slower, not suitable for high-speed link-layer encryption.
- B. Diffie-Hellman
  Why wrong: Diffie-Hellman is a key exchange protocol, not an encryption algorithm.
- C. AES
  AES is symmetric, fast, and suitable for link-layer encryption.
- D. SHA-256
  Why wrong: SHA-256 is a hash function, not an encryption algorithm.
Which THREE of the following are common use cases for public key infrastructure (PKI)? (Select exactly three.)
Trap 1: Password hashing
Password hashing uses hash functions, not PKI.
Trap 2: Symmetric key exchange
Symmetric key exchange is often done via algorithms like Diffie-Hellman, not directly PKI.
- A. Password hashing
  Why wrong: Password hashing uses hash functions, not PKI.
- B. Symmetric key exchange
  Why wrong: Symmetric key exchange is often done via algorithms like Diffie-Hellman, not directly PKI.
- C. Digital signatures
  PKI enables digital signatures using certificates.
- D. Email encryption (S/MIME)
  S/MIME uses PKI for email encryption and signing.
- E. SSL/TLS certificate authentication
  PKI provides the certificates for SSL/TLS authentication.
When implementing a digital signature, which key is used to create the signature?
Trap 1: Receiver's private key
The receiver's private key is used for decryption, not signing.
Trap 2: Sender's public key
The public key is used for verification, not creation.
Trap 3: Receiver's public key
Receiver's keys are irrelevant for signing.
- A. Receiver's private key
  Why wrong: The receiver's private key is used for decryption, not signing.
- B. Sender's private key
  The private key is used to sign documents.
- C. Sender's public key
  Why wrong: The public key is used for verification, not creation.
- D. Receiver's public key
  Why wrong: The receiver's keys are irrelevant for signing.
A security administrator is configuring a wireless network for a branch office. The office has legacy devices that only support WPA2-PSK. The administrator wants to provide the highest level of security while maintaining compatibility. Which configuration should be used?
Trap 1: WPA2-Enterprise with RADIUS
Legacy devices may not support 802.1X authentication.
Trap 2: WPA3-SAE only
Legacy devices do not support WPA3.
Trap 3: WPA2-PSK with TKIP
TKIP is deprecated and less secure than AES.
- A. WPA2-Enterprise with RADIUS
  Why wrong: Legacy devices may not support 802.1X authentication.
- B. WPA2-PSK with AES (CCMP)
  AES is the strongest encryption available for WPA2 and is supported by most devices.
- C. WPA3-SAE only
  Why wrong: Legacy devices do not support WPA3.
- D. WPA2-PSK with TKIP
  Why wrong: TKIP is deprecated and less secure than AES.
Which TWO of the following are functions of a network firewall?
Trap 1: Resolving domain names to IP addresses
DNS servers perform name resolution.
Trap 2: Encrypting data at rest
Encryption at rest is typically handled by storage systems, not firewalls.
Trap 3: Assigning IP addresses to hosts
DHCP servers assign IP addresses, not firewalls.
- A. Resolving domain names to IP addresses
  Why wrong: DNS servers perform name resolution.
- B. Filtering traffic based on IP addresses and ports
  Core function of a firewall.
- C. Performing Network Address Translation (NAT)
  Many firewalls include NAT functionality.
- D. Encrypting data at rest
  Why wrong: Encryption at rest is typically handled by storage systems, not firewalls.
- E. Assigning IP addresses to hosts
  Why wrong: DHCP servers assign IP addresses, not firewalls.
A network engineer is designing a secure WAN link between two offices using IPsec VPN. The company requires encryption of all traffic, authentication of both endpoints, and protection against replay attacks. Which combination of IPsec protocols and modes should be used?
Trap 1: AH in tunnel mode
AH provides authentication but no encryption, failing the encryption requirement.
Trap 2: AH in transport mode
AH lacks encryption and transport mode is inappropriate for site-to-site.
Trap 3: ESP in transport mode
Transport mode is for end-to-end communication, not for gateway-to-gateway VPNs.
- A. AH in tunnel mode
  Why wrong: AH provides authentication but no encryption, failing the encryption requirement.
- B. AH in transport mode
  Why wrong: AH lacks encryption, and transport mode is inappropriate for site-to-site.
- C. ESP in tunnel mode
  ESP in tunnel mode encrypts and authenticates the entire packet, suitable for site-to-site VPNs.
- D. ESP in transport mode
  Why wrong: Transport mode is for end-to-end communication, not for gateway-to-gateway VPNs.
A company's internal network uses a /24 subnet and has a single firewall connecting to the internet. Employees report that they cannot access an external web server at 203.0.113.50. The firewall has a rule that allows outbound HTTP. What is the most likely cause?
Trap 1: The default gateway on the internal hosts is incorrect.
If hosts can reach other internal resources, the gateway is likely correct.
Trap 2: DNS resolution is failing for the server name.
The user is accessing by IP, so DNS is not involved.
Trap 3: An ACL is blocking the destination IP.
The rule allows HTTP, so an ACL block is unlikely unless specifically configured.
- A. The default gateway on the internal hosts is incorrect.
  Why wrong: If hosts can reach other internal resources, the gateway is likely correct.
- B. NAT is not configured for outbound traffic.
  Internal private IPs must be translated to a public IP for internet access.
- C. DNS resolution is failing for the server name.
  Why wrong: The user is accessing by IP, so DNS is not involved.
- D. An ACL is blocking the destination IP.
  Why wrong: The rule allows HTTP, so an ACL block is unlikely unless specifically configured.
A security analyst notices unusual outbound traffic from a server in the DMZ to an external IP address on port 4444. The server runs a web application. Which action should the analyst take first?
Trap 1: Disconnect the server from the network.
Disconnecting may be necessary later, but first gather information to understand the threat.
Trap 2: Reboot the server to clear any malware.
Rebooting may destroy volatile evidence needed for forensic analysis.
Trap 3: Block the outbound traffic at the firewall.
Blocking without investigation may hide evidence and disrupt monitoring.
- A. Disconnect the server from the network.
  Why wrong: Disconnecting may be necessary later, but first gather information to understand the threat.
- B. Reboot the server to clear any malware.
  Why wrong: Rebooting may destroy volatile evidence needed for forensic analysis.
- C. Check the server's running processes and established connections.
  This provides immediate visibility into potential compromise without destroying evidence.
- D. Block the outbound traffic at the firewall.
  Why wrong: Blocking without investigation may hide evidence and disrupt monitoring.
Which TWO of the following are best practices for securing a wireless network?
Trap 1: Enabling MAC address filtering
MAC filtering is easily bypassed by spoofing.
Trap 2: Using WEP encryption
WEP is easily broken and should not be used.
Trap 3: Leaving the default administrator password
Default passwords are a security risk.
- A. Enabling MAC address filtering
  Why wrong: MAC filtering is easily bypassed by spoofing.
- B. Using WEP encryption
  Why wrong: WEP is easily broken and should not be used.
- C. Leaving the default administrator password
  Why wrong: Default passwords are a security risk.
- D. Using WPA2-Enterprise with 802.1X
  Provides strong authentication and encryption.
- E. Disabling SSID broadcast
  Hides the network name from casual scans.
An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?
Trap 1: Attribute-Based Access Control (ABAC)
ABAC uses policies that evaluate attributes, not owner discretion.
Trap 2: Mandatory Access Control (MAC)
MAC is centrally controlled by security labels, not by data owners.
Trap 3: Role-Based Access Control (RBAC)
RBAC assigns permissions based on roles, not individual owner decisions.
- A. Attribute-Based Access Control (ABAC)
  Why wrong: ABAC uses policies that evaluate attributes, not owner discretion.
- B. Mandatory Access Control (MAC)
  Why wrong: MAC is centrally controlled by security labels, not by data owners.
- C. Role-Based Access Control (RBAC)
  Why wrong: RBAC assigns permissions based on roles, not individual owner decisions.
- D. Discretionary Access Control (DAC)
  DAC allows data owners to grant access to others at their discretion.
Which TWO of the following are valid reasons for implementing a separation of duties policy? (Choose two.)
Trap 1: To reduce the workload on individual employees.
Separation of duties often increases workload due to additional checks.
Trap 2: To simplify training requirements.
Separation of duties may complicate training as more people need to be trained.
Trap 3: To comply with regulatory requirements.
While compliance may drive it, the core reasons are fraud prevention and error detection.
- A. To reduce the workload on individual employees.
  Why wrong: Separation of duties often increases workload due to additional checks.
- B. To detect errors through independent verification.
  Having different people perform related tasks allows for error detection.
- C. To simplify training requirements.
  Why wrong: Separation of duties may complicate training as more people need to be trained.
- D. To comply with regulatory requirements.
  Why wrong: While compliance may drive it, the core reasons are fraud prevention and error detection.
- E. To prevent fraud by requiring collusion.
  Separation of duties makes fraud more difficult as it requires multiple people to collude.
Which TWO are components of the AAA framework? (Choose two.)
Trap 1: Auditing
Auditing is related but not a core AAA component; the term is Accounting.
Trap 2: Accounting
Accounting is part of AAA, but only two are correct; we chose Authentication and Authorization.
Trap 3: Administration
Administration is not part of AAA.
- A. Authorization
  Authorization determines access rights.
- B. Auditing
  Why wrong: Auditing is related but not a core AAA component; the term is Accounting.
- C. Accounting
  Why wrong: Accounting is part of AAA, but only two are correct; we chose Authentication and Authorization.
- D. Administration
  Why wrong: Administration is not part of AAA.
- E. Authentication
  Authentication verifies identity.
A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?
Trap 1: $800,000
This might result from miscalculating SLE as AV × ARO.
Trap 2: $2,000,000
This is the SLE, not the ALE.
Trap 3: $2,500,000
This might be AV × ARO.
- A. $1,000,000
  Correct calculation: SLE = $5M × 0.4 = $2M; ALE = $2M × 0.5 = $1M.
- B. $800,000
  Why wrong: This might result from miscalculating SLE as AV × ARO.
- C. $2,000,000
  Why wrong: This is the SLE, not the ALE.
- D. $2,500,000
  Why wrong: This might be AV × ARO.
Which TWO of the following are examples of key risk indicators (KRIs)?
Trap 1: Total number of employees
Employee count alone is not a risk indicator.
Trap 2: Average user satisfaction score
User satisfaction is not a direct security risk indicator.
Trap 3: Number of security incidents this quarter
This is a lagging indicator, not a leading KRI.
- A. Number of unpatched critical vulnerabilities
  A high number indicates higher risk of exploitation.
- B. Total number of employees
  Why wrong: Employee count alone is not a risk indicator.
- C. Percentage of systems with antivirus disabled
  A high percentage indicates increased malware risk.
- D. Average user satisfaction score
  Why wrong: User satisfaction is not a direct security risk indicator.
- E. Number of security incidents this quarter
  Why wrong: This is a lagging indicator, not a leading KRI.
During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?
Trap 1: Remediate by applying vendor patches
Legacy devices often have no patches available; this is not feasible.
Trap 2: Retire and replace all devices immediately
Replacing all devices may be too costly or disruptive; a risk-based approach is more practical.
Trap 3: Transfer the risk by purchasing cyber insurance
Insurance transfers financial impact but does not reduce the likelihood of a breach.
- A. Remediate by applying vendor patches
  Why wrong: Legacy devices often have no patches available; this is not feasible.
- B. Implement compensating controls such as network segmentation and strict access control
  Compensating controls mitigate the risk without changing the device itself.
- C. Retire and replace all devices immediately
  Why wrong: Replacing all devices may be too costly or disruptive; a risk-based approach is more practical.
- D. Transfer the risk by purchasing cyber insurance
  Why wrong: Insurance transfers financial impact but does not reduce the likelihood of a breach.
After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?
Trap 1: Incident response plan
An incident response plan outlines procedures, not a report of a specific incident.
Trap 2: Risk register
A risk register is a list of identified risks, not a post-incident analysis.
Trap 3: Business impact analysis (BIA)
BIA is conducted before an incident to determine criticality.
- A. Lessons learned report
  A lessons learned report captures post-incident details and improvements.
- B. Incident response plan
  Why wrong: An incident response plan outlines procedures, not a report of a specific incident.
- C. Risk register
  Why wrong: A risk register is a list of identified risks, not a post-incident analysis.
- D. Business impact analysis (BIA)
  Why wrong: BIA is conducted before an incident to determine criticality.
During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?
Trap 1: Threat
A threat is a potential cause of harm (e.g., a hacker), not a weakness.
Trap 2: Risk
Risk is the combination of likelihood and impact; this condition is a vulnerability.
Trap 3: Exploit
An exploit is a specific attack that takes advantage of a vulnerability.
- A. Threat
  Why wrong: A threat is a potential cause of harm (e.g., a hacker), not a weakness.
- B. Risk
  Why wrong: Risk is the combination of likelihood and impact; this condition is a vulnerability.
- C. Exploit
  Why wrong: An exploit is a specific attack that takes advantage of a vulnerability.
- D. Vulnerability
  The missing backup is a weakness that could lead to data loss.
Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?
Exhibit
```
Oct 15 09:23:45 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:46 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:47 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:48 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:49 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
```
Trap 1: Insider threat from user root
The source IP is likely external; internal root would not need to brute-force.
Trap 2: Malware infection on the server
No evidence of malware in these logs.
Trap 3: Misconfigured SSH settings allowing root login
While root login may be misconfigured, the immediate risk is the ongoing attack.
- A. Insider threat from user root
  Why wrong: The source IP is likely external; internal root would not need to brute-force.
- B. Active brute-force attack against the SSH service
  Multiple failed attempts in quick succession indicate a brute-force attempt.
- C. Malware infection on the server
  Why wrong: No evidence of malware in these logs.
- D. Misconfigured SSH settings allowing root login
  Why wrong: While root login may be misconfigured, the immediate risk is the ongoing attack.
Which THREE of the following are common techniques for identifying risks?
Trap 1: Penetration testing
Penetration testing identifies vulnerabilities, not risks in a broad sense; it's a later step.
Trap 2: Quantitative risk analysis
Quantitative analysis assesses already identified risks; it's not an identification technique.
- A. Stakeholder interviews
  Interviews with knowledgeable individuals are a key identification technique.
- B. Penetration testing
  Why wrong: Penetration testing identifies vulnerabilities, not risks in a broad sense; it's a later step.
- C. SWOT analysis
  SWOT (Strengths, Weaknesses, Opportunities, Threats) helps identify risks.
- D. Quantitative risk analysis
  Why wrong: Quantitative analysis assesses already identified risks; it's not an identification technique.
- E. Brainstorming sessions
  Brainstorming with stakeholders is a classic risk identification technique.
A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?
Trap 1: Technical vulnerability indicator
A technical vulnerability would be a weakness in software or hardware, not user activity.
Trap 2: Error log indicator
Error logs record system errors; this is a user activity log.
Trap 3: Configuration drift indicator
Configuration drift refers to changes in system settings, not user actions.
- A. Technical vulnerability indicator
  Why wrong: A technical vulnerability would be a weakness in software or hardware, not user activity.
- B. User behavior risk indicator
  The unusual access pattern is a behavioral indicator of potential insider threat or compromise.
- C. Error log indicator
  Why wrong: Error logs record system errors; this is a user activity log.
- D. Configuration drift indicator
  Why wrong: Configuration drift refers to changes in system settings, not user actions.
A security analyst reviews the firewall log exhibit. Which type of activity is indicated?
Exhibit: Firewall log snippet
```
2024-03-15 10:23:45 ALLOW TCP 192.168.1.100:34567 -> 10.0.0.50:3389
2024-03-15 10:23:46 ALLOW TCP 192.168.1.100:34568 -> 10.0.0.50:3389
2024-03-15 10:23:47 ALLOW TCP 192.168.1.100:34569 -> 10.0.0.50:3389
2024-03-15 10:23:48 ALLOW TCP 192.168.1.100:34570 -> 10.0.0.50:3389
2024-03-15 10:23:49 ALLOW TCP 192.168.1.100:34571 -> 10.0.0.50:3389
```
Trap 1: Port scan of the internal network
A port scan would show connections to multiple ports, not the same port.
Trap 2: Data exfiltration to an external server
Data exfiltration typically involves outbound traffic to external IPs.
Trap 3: Normal administrative remote access
Normal access would not generate rapid connections.
- A. Brute force attack against RDP service
  Repeated connections to the RDP port suggest password guessing.
- B. Port scan of the internal network
  Why wrong: A port scan would show connections to multiple ports, not the same port.
- C. Data exfiltration to an external server
  Why wrong: Data exfiltration typically involves outbound traffic to external IPs.
- D. Normal administrative remote access
  Why wrong: Normal access would not generate rapid connections.
Which TWO components are essential for an effective disaster recovery plan (DRP)?
Trap 1: Automated failover system
Failover is a technical implementation, not a required component of the plan.
Trap 2: Business Impact Analysis (BIA)
BIA is input to DRP but not a component of the plan itself.
Trap 3: Redundant array of independent disks (RAID)
RAID provides fault tolerance but is not a DRP component.
- A. Automated failover system
  Why wrong: Failover is a technical implementation, not a required component of the plan.
- B. Recovery Point Objective (RPO)
  RPO defines maximum acceptable data loss.
- C. Business Impact Analysis (BIA)
  Why wrong: BIA is input to DRP but not a component of the plan itself.
- D. Redundant array of independent disks (RAID)
  Why wrong: RAID provides fault tolerance but is not a DRP component.
- E. Recovery Time Objective (RTO)
  RTO defines maximum acceptable downtime.
An organization detects that an attacker is performing a MAC flooding attack on a switch. What is the primary goal of this attack?
Trap 1: To change the MAC address of the switch
The attack does not change switch MAC addresses.
Trap 2: To cause a denial of service on the network
While flooding may cause performance issues, the primary goal is traffic interception.
Trap 3: To bypass 802.1X authentication
MAC flooding does not bypass authentication mechanisms.
- A. To change the MAC address of the switch
  Why wrong: The attack does not change switch MAC addresses.
- B. To cause a denial of service on the network
  Why wrong: While flooding may cause performance issues, the primary goal is traffic interception.
- C. To force the switch to act like a hub and allow packet sniffing
  Filling the CAM table causes the switch to flood frames out all ports.
- D. To bypass 802.1X authentication
  Why wrong: MAC flooding does not bypass authentication mechanisms.
During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?
Trap 1: Session hijacking
Session hijacking assumes an authenticated session, not bypassing MFA.
Trap 2: Man-in-the-middle (MITM) attack
MITM can intercept credentials but MFA typically requires a second factor.
Trap 3: Token theft from the endpoint
Token theft may allow reuse but does not bypass the MFA challenge.
- A. Session hijacking
  Why wrong: Session hijacking assumes an authenticated session, not bypassing MFA.
- B. MFA fatigue attack
  The attacker spams MFA requests until the user approves.
- C. Man-in-the-middle (MITM) attack
  Why wrong: MITM can intercept credentials, but MFA typically requires a second factor.
- D. Token theft from the endpoint
  Why wrong: Token theft may allow reuse but does not bypass the MFA challenge.