Systems Security Certified Practitioner SSCP (SSCP) — Questions 175

504 questions total · 7pages · All types, answers revealed

Page 1 of 7

Page 2
1
MCQeasy

An organization wants to prevent unauthorized devices from connecting to its wired network. Which security control should be implemented?

A.Port security with sticky MAC
B.MAC address filtering
C.VLAN segmentation
D.IEEE 802.1X port-based authentication
AnswerD

802.1X authenticates devices at the port level before allowing network access.

Why this answer

IEEE 802.1X port-based authentication is the correct control because it authenticates each device at the network edge before granting access to the wired LAN. It uses an authentication server (e.g., RADIUS) to verify credentials or certificates, effectively preventing unauthorized devices from connecting. Unlike MAC-based controls, 802.1X provides dynamic, per-session authentication that cannot be easily spoofed.

Exam trap

ISC2 often tests the misconception that MAC-based controls (port security or MAC filtering) provide strong authentication, when in fact they are easily bypassed by MAC spoofing, whereas 802.1X uses cryptographic credentials or certificates for true device authentication.

How to eliminate wrong answers

Option A is wrong because port security with sticky MAC only learns and limits MAC addresses on a switch port, but it does not authenticate the device; an attacker can spoof a learned MAC address to bypass the control. Option B is wrong because MAC address filtering is a static, easily spoofed control that only checks the source MAC at Layer 2, offering no authentication or encryption. Option C is wrong because VLAN segmentation separates traffic logically but does not prevent unauthorized devices from physically connecting to the network; it only limits their broadcast domain.

2
MCQhard

An organization has implemented a SIEM solution and wants to reduce false positives. Which of the following is the most effective approach?

A.Tune correlation rules to exclude known benign activities
B.Increase the number of log sources feeding the SIEM
C.Raise the threshold for each correlation rule to reduce alerts
D.Assign more analysts to manually review all alerts
AnswerA

Tuning allows the SIEM to ignore patterns that are known to be non-malicious.

Why this answer

Option C is correct because tuning correlation rules based on known false positive patterns reduces noise. Option A is wrong because increasing log sources may introduce more noise. Option B is wrong because lowering thresholds may increase false positives.

Option D is wrong because manually verifying all alerts is inefficient and does not reduce false positives.

3
MCQhard

During a forensic investigation, you find that the attacker used a legitimate Windows tool to exfiltrate data. Which tool is commonly abused for this purpose?

A.Telnet
B.Netcat
C.PowerShell
D.FTP
AnswerC

PowerShell is native to Windows and frequently used for file exfiltration due to its flexibility.

Why this answer

PowerShell is a legitimate Windows administrative tool that attackers commonly abuse for data exfiltration because it provides native access to network protocols (e.g., HTTP, HTTPS, FTP, SMB) and can download/upload files directly from the command line without additional binaries. Its deep integration with the Windows operating system allows scripts to run in memory, bypassing traditional file-based detection mechanisms, making it a favored tool for post-exploitation data theft.

Exam trap

The trap here is that candidates often associate Netcat (a classic hacking tool) with data exfiltration, but the question specifically requires a 'legitimate Windows tool,' and PowerShell is the correct answer because it is built-in and widely abused, whereas Netcat is not native to Windows.

How to eliminate wrong answers

Option A is wrong because Telnet is an unencrypted remote terminal protocol (RFC 854) that lacks native file transfer capabilities; while it can be used to send data manually, it is not commonly abused for automated or stealthy exfiltration due to its lack of encryption and limited scripting support. Option B is wrong because Netcat is a third-party network utility (not a legitimate Windows built-in tool) that can be used for data exfiltration, but the question specifies a 'legitimate Windows tool,' and Netcat is not included by default in Windows. Option D is wrong because FTP is a file transfer protocol that can be used for exfiltration, but the built-in Windows FTP client (ftp.exe) is deprecated and less commonly abused compared to PowerShell, which offers more flexibility and is present on all modern Windows systems.

4
MCQmedium

A security administrator discovers that a web application is vulnerable to SQL injection. Which of the following is the most effective mitigation to implement at the application layer?

A.Implement input validation using a blacklist of SQL keywords.
B.Encrypt the database connection using TLS.
C.Use parameterized queries or prepared statements.
D.Encode all output sent to the browser.
E.Deploy a web application firewall (WAF) in front of the server.
AnswerC

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Option B is correct because parameterized queries ensure user input is treated as data, not executable code, preventing SQL injection. Option A (input validation) is important but can be bypassed; C (output encoding) addresses XSS; D (WAF) is network-layer; E (encryption) does not prevent injection.

5
MCQeasy

Which protocol is used to automatically assign IP addresses to devices on a network?

A.ARP
B.DNS
C.ICMP
D.DHCP
AnswerD

DHCP dynamically assigns IP addresses.

Why this answer

DHCP (Dynamic Host Configuration Protocol) is the correct answer because it is specifically designed to automatically assign IP addresses and other network configuration parameters (such as subnet mask, default gateway, and DNS servers) to devices on a network. This eliminates the need for manual IP configuration and reduces the risk of address conflicts.

Exam trap

The trap here is that candidates often confuse ARP's role in network communication (mapping IP to MAC) with IP address assignment, but ARP has no mechanism for leasing or configuring IP addresses.

How to eliminate wrong answers

Option A (ARP) is wrong because ARP (Address Resolution Protocol) is used to map a known IP address to a MAC address on a local network, not to assign IP addresses. Option B (DNS) is wrong because DNS (Domain Name System) translates domain names to IP addresses, not assign them. Option C (ICMP) is wrong because ICMP (Internet Control Message Protocol) is used for error reporting and diagnostic functions (e.g., ping), not for IP address assignment.

6
Matchingmedium

Match each incident response phase to its activity.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Train staff and establish policies

Identify potential incidents

Isolate affected systems

Restore normal operations

Why these pairings

These are key phases of the incident response process.

7
MCQeasy

In which access control model does the owner of a resource have full discretion over who can access it and with what permissions?

A.Attribute-Based Access Control (ABAC)
B.Discretionary Access Control (DAC)
C.Role-Based Access Control (RBAC)
D.Mandatory Access Control (MAC)
AnswerB

DAC allows data owners to grant or deny access based on their discretion, making it the correct model.

Why this answer

Discretionary Access Control (DAC) is the model where the resource owner has full authority to grant or deny access to other subjects and to set the permissions (e.g., read, write, execute) on the object. This is typically implemented through Access Control Lists (ACLs) on files or objects, as seen in Windows NTFS or Linux file permissions, where the owner can change permissions using commands like `chmod` or through GUI properties.

Exam trap

The trap here is that candidates often confuse DAC with RBAC because both involve user-based permissions, but the key distinction is that DAC gives the resource owner full discretion, whereas RBAC enforces access based on organizational roles, not individual owner decisions.

How to eliminate wrong answers

Option A (ABAC) is wrong because ABAC evaluates access based on attributes of the subject, object, and environment (e.g., time of day, location) using policy rules, not by owner discretion. Option C (RBAC) is wrong because RBAC assigns permissions based on predefined roles within an organization, and the owner does not have full discretion; access is determined by role membership, not individual owner decisions. Option D (MAC) is wrong because MAC enforces access decisions based on system-wide security labels (e.g., classification levels like Top Secret) and the owner cannot override these; labels are set by the system or security administrator, not the resource owner.

8
Multi-Selecthard

A security analyst is reviewing network device logs and finds multiple failed SSH login attempts from a single external IP. Which three actions should the analyst take to mitigate this brute-force attack? (Choose three.)

Select 3 answers
A.Increase the SSH login timeout.
B.Disable password-based authentication for SSH.
C.Implement an ACL to block the offending IP.
D.Enable SSH public key authentication only.
E.Change the SSH port to a non-standard port.
AnswersB, C, D

Eliminates the credential guessing attack.

Why this answer

Disabling password-based authentication for SSH (Option B) eliminates the primary vector for brute-force attacks, as attackers cannot guess passwords. This forces the use of cryptographic key pairs, which are computationally infeasible to brute-force. Combined with an ACL to block the offending IP (Option C) and enabling only public key authentication (Option D), these three actions directly mitigate the ongoing and future brute-force attempts.

Exam trap

The trap here is that candidates often choose 'Change the SSH port to a non-standard port' (Option E) thinking it provides real security, but the SSCP exam expects you to recognize that security by obscurity is not a valid mitigation for an active brute-force attack.

9
MCQeasy

A user reports that their computer is displaying a fake antivirus warning that demands payment. This is an example of which type of attack?

A.Social engineering
B.Ransomware
C.Phishing
D.Scareware
AnswerD

Scareware presents fake security warnings to coerce payment.

Why this answer

Scareware is a type of malware that uses social engineering to trick users into believing their system is infected, then demands payment for a fake removal tool. The fake antivirus warning is a classic scareware tactic, as it creates urgency and fear to coerce payment, unlike ransomware which encrypts files and demands a ransom for decryption.

Exam trap

The trap here is that candidates confuse scareware with ransomware because both demand payment, but scareware does not encrypt files or lock the system—it only displays a fake warning, which is a key distinction tested on the SSCP exam.

How to eliminate wrong answers

Option A is wrong because social engineering is a broad manipulation technique that can be used in many attacks, but the specific attack described (fake antivirus demanding payment) is a form of scareware, not a standalone social engineering attack. Option B is wrong because ransomware typically encrypts files or locks the system and demands payment for decryption or access, whereas scareware only displays a fake warning without actually encrypting data. Option C is wrong because phishing is a social engineering attack that uses deceptive emails or websites to steal credentials or sensitive information, not to display fake antivirus warnings demanding payment.

10
MCQeasy

A security professional is implementing a solution to verify the authenticity of a digital certificate. Which component of a PKI is responsible for issuing and revoking certificates?

A.Online Certificate Status Protocol (OCSP) responder
B.Certificate Authority (CA)
C.Certificate Revocation List (CRL)
D.Registration Authority (RA)
AnswerB

The CA issues and revokes digital certificates.

Why this answer

The Certificate Authority (CA) is the core component of a Public Key Infrastructure (PKI) responsible for issuing digital certificates and, crucially, for revoking them when they are no longer trusted. While other components support certificate status checking or verification, only the CA has the authority to sign and publish certificates or revocation information.

Exam trap

The trap here is that candidates confuse the OCSP responder or CRL as the entity that performs revocation, when in fact they are merely mechanisms to check or distribute revocation status, while only the CA has the authority to issue or revoke a certificate.

How to eliminate wrong answers

Option A is wrong because an OCSP responder is a service that provides real-time certificate status (valid, revoked, or unknown) by querying the CA's database, but it does not issue or revoke certificates. Option C is wrong because a Certificate Revocation List (CRL) is a published list of revoked certificates maintained by the CA, but it is a data structure, not the entity that performs the revocation action. Option D is wrong because a Registration Authority (RA) is an optional component that verifies the identity of certificate requestors and forwards requests to the CA, but it does not have the authority to issue or revoke certificates itself.

11
MCQhard

A large financial institution has deployed a new web application for customer account management. The application uses role-based access control (RBAC) with roles such as Customer, Teller, Manager, and Admin. Recently, an audit revealed that a Teller was able to view and modify account details belonging to customers outside their assigned branch. The application authenticates users via the corporate Active Directory and uses AD groups for role mapping. The Teller's AD group membership was verified to be correct. The security team suspects a flaw in the authorization logic. Which of the following is the MOST likely root cause?

A.The application's role-to-permission mapping is based on group SID rather than group name.
B.The application does not perform proper session management.
C.The application fails to validate the user's branch attribute after authentication.
D.The application uses a horizontal privilege escalation vulnerability.
AnswerC

The application likely uses the Teller role correctly but does not check the user's branch attribute to restrict access to only customers from the same branch, allowing cross-branch access.

Why this answer

The Teller's AD group membership was verified correct, so the role mapping (RBAC) is functioning. However, the Teller could access accounts outside their assigned branch, indicating the application lacks a post-authentication check of the user's branch attribute. This is a classic failure of attribute-based access control (ABAC) within an RBAC framework, where the application must validate the user's branch (e.g., from an AD attribute like 'physicalDeliveryOfficeName' or a custom attribute) against the account's branch before allowing read/write operations.

Exam trap

The trap here is that candidates confuse the symptom (horizontal privilege escalation) with the root cause (missing attribute validation), or they incorrectly assume that correct AD group membership guarantees proper authorization without considering contextual attributes like branch.

How to eliminate wrong answers

Option A is wrong because group SID and group name are both unique identifiers; using either would not cause a branch-level authorization failure if the group membership is correct. Option B is wrong because session management issues (e.g., session fixation, hijacking) would allow unauthorized access across users, not specifically to accounts in other branches while maintaining the correct role. Option D is wrong because horizontal privilege escalation refers to accessing another user's data at the same privilege level, which is exactly what happened, but it is a symptom, not the root cause; the root cause is the missing branch validation.

12
MCQhard

During a penetration test, an attacker was able to bypass input validation and execute commands on a web server. The server runs a PHP application. Which of the following is the MOST likely root cause?

A.The application uses unsanitized input in SQL queries.
B.The application reflects user input in HTTP responses without escaping.
C.The application passes user input to a shell command via exec() or system() functions.
D.The application uses hidden form fields to store session tokens.
AnswerC

Command injection allows arbitrary command execution on the server.

Why this answer

Option C is correct because the scenario describes command execution on the web server, which is a direct consequence of OS command injection. In PHP, passing unsanitized user input to functions like exec() or system() allows an attacker to execute arbitrary shell commands, bypassing input validation. This is the most likely root cause as it directly enables command execution, unlike other vulnerabilities that lead to different impacts.

Exam trap

The trap here is that candidates may confuse command injection with SQL injection or XSS, but the key differentiator is the ability to execute OS-level commands on the server, which only occurs through shell execution functions like exec() or system().

How to eliminate wrong answers

Option A is wrong because unsanitized input in SQL queries causes SQL injection, which manipulates the database, not executes OS commands on the server. Option B is wrong because reflecting user input in HTTP responses without escaping leads to cross-site scripting (XSS), which executes in the browser, not on the server. Option D is wrong because hidden form fields storing session tokens is a session management weakness, not a mechanism for command execution.

13
MCQmedium

A network administrator notices that wireless users are experiencing intermittent connectivity. The controller shows excessive deauthentication frames. What is the most likely cause?

A.Rogue access point performing a deauthentication attack
B.Channel interference
C.Power save mode
D.DHCP server exhaustion
E.Weak encryption
AnswerA

Rogue APs send deauth frames to disconnect clients.

Why this answer

Excessive deauthentication frames are a hallmark of a deauthentication attack, where a rogue access point sends forged 802.11 management frames to disconnect clients. This causes intermittent connectivity as clients repeatedly lose association and attempt to reconnect. The controller logs these frames as a clear indicator of an active attack.

Exam trap

ISC2 often tests the distinction between deauthentication attacks and other wireless issues like channel interference or DHCP exhaustion, trapping candidates who confuse symptoms of a DoS attack with normal network problems.

How to eliminate wrong answers

Option B is wrong because channel interference typically causes packet loss, retransmissions, and low signal quality, not a flood of deauthentication frames. Option C is wrong because power save mode reduces client power consumption by periodically sleeping, which may cause brief latency but does not generate deauthentication frames. Option D is wrong because DHCP server exhaustion prevents clients from obtaining IP addresses, leading to connectivity failure but not excessive deauthentication frames.

Option E is wrong because weak encryption (e.g., WEP or TKIP) makes the network vulnerable to decryption attacks but does not directly cause a flood of deauthentication frames; deauthentication attacks exploit unprotected management frames regardless of encryption strength.

14
MCQmedium

An analyst runs the netstat command on a web server. Based on the output, which connection is the MOST suspicious?

A.The connection from 203.0.113.5:8080
B.The connection from 192.168.1.10:54321
C.The connection from 10.0.2.50:44350
D.The listening on 0.0.0.0:80
AnswerA

203.0.113.5 is a TEST-NET address (RFC 5737) rarely used in production, and source port 8080 is atypical for a client.

Why this answer

Option B is correct because the external IP 203.0.113.5 from the documentation range is connecting on an unusual source port (8080), which is often used for proxies or tunneling. Option A is wrong because 192.168.1.10 is a private IP with a high ephemeral port, typical. Option C is wrong because 10.0.2.50 is internal.

Option D is wrong because the listening port is expected.

15
Multi-Selecthard

Which THREE types of evidence are MOST important to collect from a compromised Linux server during forensic acquisition?

Select 3 answers
A.List of running processes
B.Full disk image
C.Network packet captures
D.Contents of RAM (memory dump)
E.System log files
AnswersA, D, E

Processes show malicious activity.

Why this answer

A is correct because capturing a list of running processes from a compromised Linux server preserves volatile evidence of active malicious processes, such as reverse shells or cryptominers, that would be lost on shutdown. This aligns with the order of volatility (RFC 3227), which prioritizes capturing volatile data like process lists before acquiring less volatile evidence like disk images.

Exam trap

The trap here is that candidates often prioritize a full disk image (Option B) as the most critical evidence, overlooking that volatile data (processes, memory, logs) must be collected first to preserve evidence that disappears on shutdown, as per the order of volatility.

16
MCQeasy

A small company with 50 employees uses a local file server for sharing documents. Each employee has a username and password for authentication. The company wants to implement an additional layer of security to protect sensitive data without incurring high costs. They are considering using smart cards or biometric scanners. However, the budget is limited, and employees often work remotely. Which of the following is the most cost-effective and practical approach to strengthen authentication?

A.Implement a one-time password (OTP) system via a mobile app.
B.Increase password complexity requirements and enforce periodic changes.
C.Issue USB tokens to all employees.
D.Use Windows Hello facial recognition on company laptops.
AnswerA

OTP via mobile app is a low-cost, easy-to-deploy second factor that works with employees' own smartphones, regardless of location.

Why this answer

One-time password (OTP) via a mobile app is low-cost, does not require additional hardware, and works well for remote employees by providing a second factor without relying on location-specific devices. Smart cards or USB tokens require hardware purchase and distribution. Biometrics like Windows Hello require compatible hardware and may not be available on all remote devices.

Increasing password complexity is not multi-factor authentication and does not add a second factor.

17
Multi-Selecteasy

Which THREE of the following are common types of malware?

Select 3 answers
A.Trojan horse
B.Virus
C.Worm
D.Firewall
E.Patch
AnswersA, B, C

A trojan disguises itself as legitimate software.

Why this answer

Options A, C, and E are correct. Virus, worm, and trojan are classic malware types. Option B (patch) is a security update, not malware.

Option D (firewall) is a security device or software.

18
MCQhard

A BYOD policy allows personal devices to access corporate email. What is the best control to enforce device encryption and remote wipe?

A.Network Access Control (NAC)
B.Mobile Device Management (MDM) profile
C.Containerization app
D.Mandatory VPN connection
AnswerB

MDM can enforce encryption and remote wipe policies.

Why this answer

Mobile Device Management (MDM) can enforce encryption and remote wipe policies. VPN encrypts data in transit but not the device. Containerization isolates corporate data but may not enforce full device encryption.

NAC controls network access, not device settings.

19
MCQmedium

Refer to the exhibit. An administrator implements this firewall rule. What is the intended effect?

A.It blocks all inbound and outbound traffic on port 445.
B.It prevents inbound SMB connections from other domain computers.
C.It prevents this computer from initiating SMB connections to other computers.
D.It applies to all network profiles (Domain, Private, Public).
AnswerC

Outbound block on port 445 stops this machine from connecting to others via SMB.

Why this answer

The firewall rule shown is an outbound rule that blocks TCP port 445, which is used by SMB (Server Message Block). By blocking outbound traffic on this port, the computer is prevented from initiating SMB connections to other computers, while still allowing inbound SMB connections. This is a common security measure to prevent a compromised machine from spreading malware or accessing file shares on other systems.

Exam trap

The trap here is that candidates often confuse outbound and inbound rules, assuming a rule blocking port 445 affects all traffic on that port, when in fact it only blocks traffic in one direction.

How to eliminate wrong answers

Option A is wrong because the rule only blocks outbound traffic on port 445, not inbound traffic; inbound SMB connections are still permitted. Option B is wrong because the rule does not affect inbound SMB connections; it only blocks outbound SMB traffic, so other domain computers can still initiate SMB connections to this computer. Option D is wrong because the rule is explicitly scoped to the Domain profile only, as indicated by the 'Domain' profile selection in the rule; it does not apply to Private or Public profiles.

20
MCQmedium

Refer to the exhibit. A network engineer is configuring an IPsec VPN. Which protocol does this configuration apply to?

A.HTTPS
B.SSH
C.SSL/TLS
D.IKE (Internet Key Exchange)
AnswerD

ISAKMP is the framework for IKE, used in IPsec VPNs.

Why this answer

The configuration shown in the exhibit is for an IPsec VPN, which relies on IKE (Internet Key Exchange) to establish security associations and negotiate cryptographic keys. IKE (RFC 7296) is the mandatory key management protocol for IPsec, handling authentication and key exchange over UDP ports 500 and 4500. Without IKE, IPsec cannot dynamically negotiate the encryption and hashing parameters required for secure tunnel establishment.

Exam trap

The trap here is that candidates often confuse SSL/TLS with IPsec because both are used for VPNs, but SSL/TLS VPNs operate at the transport layer (e.g., OpenVPN) while IPsec VPNs require IKE for key exchange at the network layer.

How to eliminate wrong answers

Option A is wrong because HTTPS is an application-layer protocol (HTTP over TLS) used for secure web browsing, not for negotiating IPsec security associations. Option B is wrong because SSH is a protocol for secure remote login and command execution, operating at the application layer, and does not handle IPsec key management. Option C is wrong because SSL/TLS operates at the transport layer to secure TCP connections (e.g., HTTPS, FTPS) and is not used for IPsec VPN key exchange; IPsec uses IKE for this purpose.

21
MCQeasy

A medium-sized company recently experienced a phishing attack where an employee downloaded a malicious attachment, leading to a data breach. The incident response team has identified the affected user and the malware. However, the team is unsure whether the attacker has established persistence. The security analyst must recommend the next step. The company has a standard incident response plan that includes detection, containment, eradication, recovery, and lessons learned. The malware sample has been isolated for analysis. The user's account has been disabled temporarily. The network team has quarantined the user's workstation. The analyst needs to ensure the attacker cannot regain access after the initial cleanup. What should the analyst recommend next?

A.Check system logs for unauthorized registry modifications, scheduled tasks, or startup entries.
B.Perform a full malware analysis of the file to understand its capabilities.
C.Notify affected customers immediately as required by data breach notification laws.
D.Reimage the user's workstation from a known good backup.
AnswerA

Correct: This directly checks for common persistence mechanisms used by attackers.

Why this answer

Option A is correct because the immediate priority after containment is to identify and remove any persistence mechanisms the attacker may have established. Checking system logs for unauthorized registry modifications (e.g., Run keys), scheduled tasks (e.g., schtasks), and startup entries (e.g., Startup folder or services) directly addresses the uncertainty about persistence. This step ensures the attacker cannot regain access after cleanup, aligning with the eradication phase of the incident response plan.

Exam trap

The trap here is that candidates may jump to reimaging (Option D) as a quick fix, but without first verifying and removing persistence, the attacker could have established footholds on other systems or in the backup itself, making reimaging ineffective.

How to eliminate wrong answers

Option B is wrong because performing a full malware analysis is a secondary step that can occur in parallel or after eradication; it does not directly address the immediate need to check for persistence mechanisms. Option C is wrong because notifying affected customers is part of the lessons learned or legal compliance phase, which occurs after containment, eradication, and recovery, not before ensuring the attacker cannot regain access. Option D is wrong because reimaging the workstation from a known good backup is a recovery step that assumes persistence has been checked and removed; if the backup itself is compromised or persistence exists elsewhere, reimaging alone may not prevent re-infection.

22
Multi-Selecteasy

Which TWO of the following are common indicators of a ransomware attack?

Select 2 answers
A.Files with .encrypted extension appearing in directories.
B.Unusual outbound network traffic to unknown IPs.
C.Decreased network latency.
D.A ransom note text file in each affected folder.
E.System log entries showing failed login attempts.
AnswersA, D

Ransomware often appends a custom extension to encrypted files.

Why this answer

Options B and D are correct. Encrypted files with a new extension and the presence of a ransom note are classic signs of ransomware. Option A is incorrect because unusual outbound traffic may indicate command-and-control communication but is not specific to ransomware.

Option C is incorrect because failed login attempts suggest brute-force, not ransomware. Option E is incorrect because network latency typically increases during an attack, not decreases.

23
MCQhard

A medium-sized company with 200 employees has a single office with a flat network topology. Recently, the IT team noticed that network performance has degraded significantly during peak hours. A network analysis reveals excessive broadcast traffic and a high number of ARP requests. Additionally, the security team is concerned about the lack of segmentation, as a workstation infected with malware was able to spread rapidly to other systems. The company uses a single /24 subnet (192.168.1.0/24) and all devices are connected to a layer 2 switch. The IT manager wants to improve both performance and security without purchasing new hardware. The existing switch is a managed layer 2 switch that supports VLANs, but the router is a basic home-grade device that does not support VLAN routing. The company's internet connection is provided by a cable modem. What is the BEST course of action to address both performance and security concerns?

A.Divide the network into multiple subnets and connect each to a separate port on the cable modem.
B.Upgrade the router to a business-grade model that supports VLAN routing and keep the network flat.
C.Implement VLANs to separate departments and use a router-on-a-stick configuration with a capable router.
D.Replace the switch with a layer 3 switch to route between VLANs without a router.
AnswerC

VLANs reduce broadcast traffic and contain threats; router-on-a-stick enables inter-VLAN routing.

Why this answer

Option C is correct because implementing VLANs segments the flat network into smaller broadcast domains, reducing ARP and broadcast traffic, which improves performance. A router-on-a-stick configuration using a capable router that supports VLAN routing (802.1Q trunking) allows inter-VLAN communication without requiring a new switch, addressing both performance and security concerns without purchasing new hardware.

Exam trap

ISC2 often tests the misconception that a layer 3 switch is required for inter-VLAN routing, but in this scenario, a router-on-a-stick with a capable router is the correct solution given the constraint of no new hardware purchases.

How to eliminate wrong answers

Option A is wrong because cable modems typically provide only a single WAN IP and do not support multiple subnets or routing between them; connecting separate subnets to different ports on a cable modem would not work as the modem lacks routing capabilities. Option B is wrong because upgrading the router to a business-grade model that supports VLAN routing but keeping the network flat does not address the excessive broadcast traffic or lack of segmentation; VLANs must be implemented to create separate broadcast domains. Option D is wrong because replacing the switch with a layer 3 switch would require purchasing new hardware, which contradicts the requirement to not purchase new hardware; the existing managed layer 2 switch can support VLANs, and a router-on-a-stick with a capable router is the cost-effective solution.

24
MCQhard

A security administrator is implementing change management for a critical financial system. Which of the following is the MOST important control to prevent unauthorized changes?

A.Implement a staging environment to test all changes
B.Enforce a formal approval process via a change advisory board
C.Notify all users before the change window
D.Require a documented backout plan for every change
AnswerB

A CAB provides review and approval, preventing unauthorized changes.

Why this answer

Option D is correct because a formal approval process ensures that changes are reviewed and authorized before implementation. Option A is wrong because testing in a staging environment, while important, does not prevent unauthorized changes. Option B is wrong because backout plans are for recovery, not prevention.

Option C is wrong because notification to users is a communication step, not a preventive control.

25
MCQeasy

A company is developing an incident response plan. Which of the following stakeholders should be included in the initial planning phase?

A.External legal counsel
B.Internal audit
C.Only IT staff
D.Business unit leaders
AnswerD

They provide critical insight into business processes and priorities.

Why this answer

Business unit leaders (Option D) are essential in the initial planning phase because they define the critical assets, operational priorities, and recovery time objectives (RTOs) that shape the incident response strategy. Without their input, the plan may fail to align with business continuity requirements, leading to ineffective resource allocation during an actual incident.

Exam trap

The trap here is that candidates often assume incident response is purely a technical function, leading them to choose 'Only IT staff' (Option C), but the SSCP exam emphasizes that effective planning requires input from business stakeholders to ensure the plan supports organizational resilience, not just technical recovery.

How to eliminate wrong answers

Option A is wrong because external legal counsel is typically consulted during the later stages of plan development or during an actual incident to address regulatory compliance and liability, not during the initial planning phase where internal stakeholders define scope and priorities. Option B is wrong because internal audit provides oversight and compliance validation after the plan is drafted, not during initial planning; their role is to test controls, not to define incident response strategy. Option C is wrong because limiting planning to only IT staff ignores the cross-functional impact of incidents—business units, legal, HR, and PR must be involved to ensure the plan addresses communication, data classification, and operational continuity beyond technical remediation.

26
Multi-Selecthard

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select three.)

Select 3 answers
A.Risk retention
B.Risk elimination
C.Risk duplication
D.Risk reduction
E.Risk transfer
AnswersA, D, E

Formal acceptance of residual risk.

Why this answer

Risk retention (A) is a valid risk treatment option under ISO 31000 because it involves accepting the current level of risk, often when the cost of mitigation exceeds the potential impact or when the risk is within the organization's risk appetite. This is a deliberate decision to bear the risk, typically documented in a risk register and monitored for changes.

Exam trap

ISC2 often tests the distinction between ISO 31000's formal terminology and common business jargon, so candidates mistakenly select 'risk elimination' instead of 'risk avoidance' or confuse 'risk duplication' with 'risk transfer' or 'redundancy' as a control measure.

27
MCQeasy

If the web server is compromised, which of the following is a likely immediate risk?

A.Direct compromise of the database server
B.Loss of web application data
C.Denial of service to the web server
D.Compromise of user credentials
AnswerA

The lack of internal firewall allows the attacker to pivot to the database.

Why this answer

When a web server is compromised, the immediate risk is direct compromise of the database server because the web server typically holds the database credentials (e.g., in a configuration file like wp-config.php or appsettings.json) and has a trusted network path to the database. An attacker can pivot from the web server to the database server using those credentials, often over port 3306 (MySQL) or 1433 (MSSQL), without needing to bypass additional authentication.

Exam trap

ISC2 often tests the concept that a compromised web server is a pivot point to the database, and the trap here is that candidates mistakenly think 'loss of web application data' or 'compromise of user credentials' is immediate, when in fact those require additional steps after the initial foothold.

How to eliminate wrong answers

Option B is wrong because loss of web application data is a consequence, not an immediate risk; the attacker must first access the database or file system to delete or corrupt data, which is a later step after compromise. Option C is wrong because denial of service to the web server is an attack vector, not a risk that follows from the web server already being compromised; once compromised, the attacker controls the server and can maintain availability for their own purposes. Option D is wrong because compromise of user credentials is a potential outcome, but it is not immediate; the attacker must first extract credentials from the web server's memory, logs, or database, which requires additional steps like dumping process memory or querying the database.

28
MCQmedium

A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?

A.Run a full antivirus scan on the server.
B.Isolate the server from the network.
C.Immediately shut down the server.
D.Disconnect the entire network segment.
AnswerB

Containment stops the threat from causing further damage.

Why this answer

The unusual outbound traffic to an external IP on port 443/tcp from a server that normally only communicates internally indicates a potential compromise, such as a command-and-control (C2) channel. The first priority in incident response is containment to prevent further data exfiltration or lateral movement, and isolating the server from the network achieves this without destroying volatile evidence. Shutting down the server or running an antivirus scan could destroy memory-resident malware or forensic artifacts, violating the order of volatility.

Exam trap

ISC2 often tests the misconception that immediate shutdown or antivirus scanning is the correct first step, but the trap here is that containment (isolation) must precede any destructive or investigative actions to preserve evidence and limit damage.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan on the server may alter volatile data (e.g., running processes, network connections) and could trigger the malware to wipe evidence or escalate its behavior, violating the principle of preserving forensic integrity. Option C is wrong because immediately shutting down the server destroys volatile evidence in memory (e.g., active C2 sessions, encryption keys) and may cause the malware to activate a kill switch, whereas isolation preserves the system state for analysis. Option D is wrong because disconnecting the entire network segment is overly disruptive and may impact critical business operations unnecessarily; the correct containment step is to isolate only the compromised server to minimize collateral damage.

29
MCQmedium

An organization uses a central syslog server to collect logs from firewalls, servers, and network devices. Recently, the security team noticed that some critical events from the firewall are missing from the syslog server. The firewall configuration sends syslog messages using UDP to the syslog server. The syslog server administrator reports that the server is receiving a high volume of logs and occasionally drops packets due to buffer overflow. The team needs to ensure reliable delivery of all syslog messages without losing any. Which solution should the team implement?

A.Switch to TCP-based syslog with TLS.
B.Increase the UDP buffer size on the syslog server.
C.Implement log aggregation at each network segment.
D.Use a load balancer for syslog receivers.
AnswerA

TCP ensures all messages are received and acknowledged, eliminating drops.

Why this answer

Option B is correct because switching to TCP-based syslog with TLS provides reliable, connection-oriented delivery with encryption. Option A is incorrect because increasing the UDP buffer may reduce drops but does not guarantee reliability. Option C is incorrect because log aggregation at each segment does not address the transport reliability issue.

Option D is incorrect because a load balancer would distribute load but not prevent UDP packet loss.

30
Multi-Selecthard

During forensic analysis, which THREE pieces of evidence should be preserved in original form?

Select 3 answers
A.Network traffic capture
B.Screenshots of malware dialogs
C.System event logs exported to CSV
D.RAM dump
E.Hard drive image
AnswersA, D, E

PCAP files preserve network evidence.

Why this answer

Network traffic captures (e.g., PCAP files) are raw, bit-for-bit recordings of network packets. They preserve the original timing, headers, and payloads without any transformation, which is critical for accurate forensic reconstruction and chain of custody. Any conversion or export (like CSV) would strip metadata and alter the original evidence.

Exam trap

ISC2 often tests the distinction between original/volatile evidence and derivative/converted evidence, trapping candidates who think exported logs or screenshots are acceptable substitutes for the raw, unaltered source.

31
Matchingmedium

Match each security control to its type (administrative, technical, physical).

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Administrative

Technical

Physical

Technical

Why these pairings

Security controls are categorized into three types.

32
Multi-Selecteasy

Which TWO of the following are key components of a data classification policy? (Select the two best answers.)

Select 2 answers
A.Encryption algorithm selection
B.Firewall rules
C.Classification labels
D.Data custodian responsibilities
E.Backup schedules
AnswersC, D

Labels define the sensitivity levels.

33
MCQhard

An organization implements a hybrid encryption scheme to secure sensitive emails. The email body is encrypted with AES-256, and the AES key is encrypted with RSA-2048. What is the primary advantage of this approach?

A.Ensures forward secrecy
B.Simplifies key management by using a single key
C.Combines performance of symmetric with secure key distribution of asymmetric
D.Provides non-repudiation for the email
AnswerC

AES is fast for large data; RSA securely encrypts the key.

Why this answer

Hybrid encryption combines the speed of symmetric encryption (AES-256) for bulk data with the secure key distribution of asymmetric encryption (RSA-2048). The symmetric key encrypts the email body efficiently, while the asymmetric key encrypts only the symmetric key, solving the key distribution problem without sacrificing performance.

Exam trap

The trap here is that candidates confuse hybrid encryption with forward secrecy or non-repudiation, but hybrid encryption specifically addresses the performance vs. key distribution trade-off, not security properties like forward secrecy or authentication.

How to eliminate wrong answers

Option A is wrong because forward secrecy requires ephemeral key exchange (e.g., Diffie-Hellman) where compromise of a long-term key does not expose past sessions; RSA-2048 alone does not provide forward secrecy. Option B is wrong because hybrid encryption actually increases key management complexity by requiring both a symmetric key and an asymmetric key pair, not simplifying to a single key. Option D is wrong because non-repudiation is provided by digital signatures (e.g., using RSA or DSA), not by encryption; encrypting the AES key with RSA does not prove the sender's identity.

34
MCQeasy

A security administrator needs to set file permissions on a shared folder so that only members of the 'Finance' group can read and write to it. All existing permissions should be removed. Which command should the administrator use?

A.cacls shared_folder /E /P Finance:RW
B.icacls shared_folder /grant Finance:(F) /inheritance:r
C.icacls shared_folder /grant Finance:(M) /inheritance:r
D.icacls shared_folder /grant Finance:(RW)
AnswerC

Modify includes read and write, and /inheritance:r removes inherited permissions.

Why this answer

Option A is correct because 'icacls shared_folder /grant Finance:(M) /inheritance:r' grants Modify (read+write) and removes inheritance. Option B is wrong because 'cacls' is deprecated and the syntax is incorrect. Option C is wrong because Full Control (F) grants more than read/write.

Option D is wrong because (RW) is not a valid icacls permission mask.

35
Multi-Selecteasy

A security operations team is developing an incident response plan. Which TWO steps are part of the 'containment, eradication, and recovery' phase? (Choose two.)

Select 2 answers
A.Conducting a lessons learned meeting
B.Restoring systems from known good backups
C.Identifying the root cause of the incident
D.Preserving forensic evidence
E.Isolating affected systems from the network
AnswersB, E

This is part of recovery after eradication.

Why this answer

Options A and B are correct because isolation is containment and restoration is recovery. Option C is post-incident. Option D is part of identification/analysis.

Option E is part of preparation and identification.

36
MCQhard

A multinational corporation is migrating its on-premises applications to a cloud provider. The identity management infrastructure must support single sign-on (SSO) across multiple cloud services and maintain on-premises Active Directory as the authoritative identity source. The security team is concerned about credential stuffing attacks and password spray attacks. They want to implement a risk-based access policy that requires additional verification when logins originate from unusual locations or devices. Additionally, they need to ensure that user accounts are provisioned and deprovisioned in the cloud in near real-time based on AD changes. Which of the following solutions BEST meets these requirements?

A.Deploy a VPN that requires smart card authentication for all cloud access.
B.Implement a SAML-based federation with AD FS and integrate with Azure AD Conditional Access policies.
C.Use OAuth 2.0 with client credentials grant for all applications.
D.Set up a separate cloud identity store and synchronize passwords using a directory sync tool.
AnswerB

AD FS federates on-premises AD with Azure AD, enabling SSO. Azure AD Conditional Access provides risk-based policies. Azure AD Connect synchronizes directory changes near real-time.

Why this answer

SAML-based federation with AD FS and Azure AD Conditional Access provides SSO, risk-based policies (Conditional Access uses real-time signals like location and device), and near-real-time provisioning via Azure AD Connect. VPN with smart cards does not provide SSO or risk-based policies. OAuth 2.0 with client credentials is not for user authentication.

A separate cloud identity store with password sync introduces delays and does not support risk-based access.

37
MCQhard

During a security assessment, a penetration tester discovers that a web application allows users to upload files without proper validation. The tester successfully uploads a PHP web shell. Which control would have MOST effectively prevented this exploitation?

A.Disable PHP execution in the upload directory.
B.Implement a WAF rule to block common webshell patterns.
C.Enable audit logging for file uploads.
D.Validate file extension and content type on the server side.
AnswerD

Proper validation blocks malicious files at upload.

Why this answer

Option D is correct because server-side validation of both file extension and content type (e.g., MIME type magic bytes) is the most effective control to prevent uploading executable files like a PHP web shell. Without this validation, an attacker can bypass client-side checks and upload a malicious script that the server will execute. Disabling PHP execution in the upload directory (Option A) is a compensating control but does not prevent the upload itself, and a WAF rule (Option B) can be evaded with obfuscation or encoding.

Exam trap

The trap here is that candidates often choose Option A (disabling PHP execution) because it seems like a direct fix, but the SSCP exam tests the principle that preventing the upload of malicious files (input validation) is more fundamental than mitigating execution after the fact.

How to eliminate wrong answers

Option A is wrong because disabling PHP execution in the upload directory only prevents the uploaded shell from running, but the file is still stored on the server and could be exploited via other means (e.g., include attacks or bypassing execution restrictions). Option B is wrong because a WAF rule that blocks common webshell patterns relies on signature-based detection, which can be evaded with obfuscation, encoding, or polymorphic code, and does not address the root cause of missing input validation. Option C is wrong because audit logging only records the upload event after it occurs; it does not prevent the exploitation and is a detective, not a preventive, control.

38
MCQhard

In RSA, the public exponent e is often chosen as 65537. What is the primary reason for this choice?

A.It ensures that the private key d is small
B.It prevents side-channel attacks
C.It provides the highest security level
D.It offers a balance between security and performance due to low Hamming weight
AnswerD

Few 1 bits speed up modular exponentiation.

Why this answer

Option D is correct because 65537 (0x10001) has a low Hamming weight of only 2 bits set, which makes modular exponentiation significantly faster than using a random large exponent, while still providing strong security. This choice balances computational efficiency with cryptographic strength, as a larger exponent would slow down encryption without proportional security gains.

Exam trap

ISC2 often tests the misconception that a larger exponent always means higher security, when in fact the exponent's size has negligible impact on security compared to the modulus length, and the real benefit of 65537 is performance due to its low Hamming weight.

How to eliminate wrong answers

Option A is wrong because a small public exponent e does not ensure a small private key d; in fact, d is typically large and unpredictable due to the modular inverse calculation. Option B is wrong because 65537 does not inherently prevent side-channel attacks; those require specific countermeasures like blinding or constant-time algorithms. Option C is wrong because 65537 does not provide the highest security level; security in RSA depends on key size (e.g., 2048-bit modulus), not on the exponent value, and larger exponents do not increase security.

39
MCQmedium

A user reports that they cannot access a network share. The administrator checks the share permissions and NTFS permissions. The share permission allows Everyone: Read, and the NTFS permission allows the user: Full Control. What is the user's effective access?

A.Read
B.Full Control
C.No access
D.Modify
AnswerA

The effective permission is the most restrictive: share Read vs NTFS Full Control, so Read.

Why this answer

When accessing a network share, the effective permissions are the most restrictive of the share permissions and the NTFS permissions. Here, the share permission is Read and the NTFS permission is Full Control. The most restrictive permission is Read, so the user's effective access is Read.

Exam trap

The trap here is that candidates often assume the user gets the higher of the two permissions (Full Control) rather than the most restrictive, leading them to incorrectly select Full Control.

How to eliminate wrong answers

Option B is wrong because Full Control is not the effective access; the share permission restricts it to Read, as the effective permission is the most restrictive of the two sets. Option C is wrong because the user does have access—specifically Read access—since neither permission denies access outright. Option D is wrong because Modify is a higher permission than Read and is not granted; the share permission explicitly limits access to Read only.

40
MCQmedium

During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?

A.Remediate by applying vendor patches
B.Implement compensating controls such as network segmentation and strict access control
C.Retire and replace all devices immediately
D.Transfer the risk by purchasing cyber insurance
AnswerB

Compensating controls mitigate the risk without changing the device itself.

Why this answer

Since the legacy medical devices cannot be patched due to vendor obsolescence, the most appropriate risk treatment strategy is to implement compensating controls. Network segmentation (e.g., VLANs or firewalls) isolates the devices from the main hospital network, while strict access control (e.g., 802.1X or MAC-based filtering) limits exposure to threats. This reduces the likelihood of exploitation without relying on patching the outdated operating systems.

Exam trap

ISC2 often tests the misconception that 'remediate' always means patching, but for legacy systems where patching is impossible, compensating controls are the correct risk treatment strategy, not immediate replacement or insurance.

How to eliminate wrong answers

Option A is wrong because applying vendor patches is not feasible for legacy devices that are no longer supported or have no available patches, making remediation impossible. Option C is wrong because retiring and replacing all devices immediately is often impractical due to cost, downtime, and regulatory approval processes, and is not the most appropriate first step in risk treatment. Option D is wrong because transferring risk via cyber insurance does not reduce the actual vulnerability or likelihood of exploitation; it only provides financial compensation after an incident, which is insufficient for protecting patient safety and data.

41
MCQmedium

An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?

A.Run a vulnerability scan on the CRM
B.Execute a business impact analysis (BIA)
C.Perform a threat modeling exercise such as STRIDE
D.Conduct a qualitative risk assessment using a generic framework
AnswerC

Threat modeling is tailored to the system's architecture and identifies relevant threats.

Why this answer

Threat modeling with STRIDE is the best approach because it systematically identifies threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) specific to the CRM's architecture, data flows, and trust boundaries. Unlike generic scans or assessments, STRIDE focuses on the unique attack surface of a cloud-based system, such as API endpoints, multi-tenancy risks, and shared responsibility model gaps.

Exam trap

The trap here is that candidates confuse vulnerability scanning (Option A) with threat modeling, assuming that scanning for known flaws is sufficient, when in fact threat modeling is required to identify design-level and cloud-specific threats that scanners cannot detect.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan only identifies known software flaws (e.g., CVEs) but does not uncover design-level threats, business logic flaws, or cloud-specific risks like misconfigured IAM roles or insecure API endpoints. Option B is wrong because a business impact analysis (BIA) prioritizes criticality and recovery objectives (RTO/RPO) but does not identify threats or vulnerabilities; it assumes risks are already known. Option D is wrong because a qualitative risk assessment using a generic framework lacks the structured, system-specific decomposition needed to uncover threats unique to the CRM's cloud architecture, such as tenant isolation failures or data leakage via shared storage.

42
MCQhard

Refer to the exhibit. A security analyst reviews these iptables rules and expects SSH access to be blocked, but it is still allowed. What is the MOST likely reason?

A.The DROP rule does not apply to SSH.
B.The DROP rule is misconfigured with wrong source.
C.The ACCEPT rule matches before the DROP rule.
D.The default policy allows traffic, overriding the DROP rule.
AnswerC

iptables processes rules in order; the first match wins.

Why this answer

C is correct because iptables processes rules in sequential order, and the first matching rule determines the packet's fate. In this scenario, the ACCEPT rule for SSH (typically matching on port 22) appears before the DROP rule in the chain, so incoming SSH packets match the ACCEPT rule first and are permitted, never reaching the subsequent DROP rule. This is a classic ordering issue where a more specific allow rule precedes a general deny rule.

Exam trap

The trap here is that candidates often assume iptables evaluates all rules and applies the most restrictive one, but in reality, iptables uses first-match logic, so rule order is critical.

How to eliminate wrong answers

Option A is wrong because the DROP rule likely does apply to SSH if it matches on the SSH port (22) or protocol (TCP), but the rule order prevents it from being evaluated. Option B is wrong because the DROP rule's source address is irrelevant if the rule is never reached due to a preceding ACCEPT rule; a misconfigured source would cause a different behavior (e.g., blocking wrong traffic), not allow SSH when it should be blocked. Option D is wrong because the default policy (typically ACCEPT or DROP) only applies to packets that do not match any explicit rule; here, an explicit ACCEPT rule matches SSH, so the default policy is never consulted.

43
MCQeasy

Refer to the exhibit. A web server at 10.0.0.50 received the payload shown. What is the MOST likely impact if the web application is vulnerable?

A.Directory traversal to read sensitive files.
B.Remote code execution on the web server.
C.Authentication bypass via SQL injection.
D.Cross-site scripting (XSS) attack leading to session theft.
AnswerC

The payload modifies SQL query to always return true.

Why this answer

The payload shown is a classic SQL injection attempt, specifically targeting authentication logic by injecting a tautology (e.g., ' OR '1'='1) into a login field. If the web application is vulnerable, this bypasses authentication by making the SQL query always return true, granting unauthorized access without valid credentials.

Exam trap

ISC2 often tests the distinction between injection types by embedding payload syntax that mimics SQL (e.g., single quotes and OR clauses) to mislead candidates into choosing XSS or directory traversal, which use different characters and contexts.

How to eliminate wrong answers

Option A is wrong because directory traversal exploits path manipulation (e.g., ../) to read files outside the web root, not SQL injection syntax. Option B is wrong because remote code execution requires command injection or deserialization flaws, not SQL tautology injection. Option D is wrong because cross-site scripting (XSS) injects client-side scripts (e.g., JavaScript) into web pages, not SQL statements that alter database queries.

44
Multi-Selecthard

A security administrator is tasked with managing user access. Which THREE of the following are principles of least privilege? (Choose three.)

Select 3 answers
A.Implement mandatory access control.
B.Require manager approval for privilege escalation.
C.Grant users the minimum rights needed to perform their job.
D.Use separate accounts for administrative tasks.
E.Remove access when no longer required.
AnswersC, D, E

This is the core of least privilege.

Why this answer

Option C is correct because the principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. This minimizes the attack surface and limits potential damage from accidental or malicious actions. It is a foundational access control concept enforced through role-based access control (RBAC) or attribute-based access control (ABAC) policies.

Exam trap

The trap here is that candidates confuse security principles (like least privilege) with security mechanisms (like MAC) or administrative processes (like approval workflows), leading them to select options that are related but not direct statements of the principle itself.

45
MCQeasy

An organization requires that all laptops used by employees be encrypted. Which type of encryption should be used to protect the entire hard drive?

A.File-level encryption
B.Full disk encryption (FDE)
C.Transport encryption (TLS)
D.Application-level encryption
E.Folder-level encryption
AnswerB

FDE encrypts the entire drive, ensuring all data is protected at rest.

Why this answer

Option A is correct because full disk encryption (FDE) encrypts the entire drive, including the OS and all files, protecting data if the laptop is lost or stolen. Option B (file-level) only encrypts individual files; C (folder-level) encrypts folders; D (transport) encrypts data in transit; E (application-level) encrypts data within an app.

46
MCQhard

An organization detects that an attacker is performing a MAC flooding attack on a switch. What is the primary goal of this attack?

A.To change the MAC address of the switch
B.To cause a denial of service on the network
C.To force the switch to act like a hub and allow packet sniffing
D.To bypass 802.1X authentication
AnswerC

Filling the CAM table causes the switch to flood frames out all ports.

Why this answer

MAC flooding attacks exploit the limited size of a switch's Content Addressable Memory (CAM) table. By sending thousands of fake source MAC addresses, the attacker fills the CAM table, causing the switch to fail open and flood all incoming frames out all ports, effectively behaving like a hub. This allows the attacker to sniff traffic that would normally be isolated to specific switch ports.

Exam trap

The trap here is that candidates often confuse the primary goal of MAC flooding (sniffing traffic) with a denial of service, but Cisco tests that the attacker's intent is to bypass port-level isolation to eavesdrop, not simply to crash the switch.

How to eliminate wrong answers

Option A is wrong because MAC flooding does not change the MAC address of the switch itself; it floods the switch's CAM table with fake MAC addresses, not the switch's own burned-in MAC address. Option B is wrong because while a MAC flooding attack can cause network degradation, its primary goal is not denial of service but rather to enable packet sniffing by forcing the switch into hub-like behavior; a true DoS attack would aim to disrupt all traffic, whereas MAC flooding aims to capture it. Option D is wrong because MAC flooding targets Layer 2 switching behavior and does not directly interact with 802.1X authentication, which operates at the port level using EAPoL (Extensible Authentication Protocol over LAN) to control access.

47
MCQmedium

Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?

A.Insider threat from user root
B.Active brute-force attack against the SSH service
C.Malware infection on the server
D.Misconfigured SSH settings allowing root login
AnswerB

Multiple failed attempts in quick succession indicate a brute-force attempt.

Why this answer

The log pattern shows repeated failed SSH authentication attempts from multiple IP addresses in rapid succession, followed by a successful login from one of those IPs. This is the classic signature of a brute-force attack where an attacker tries many passwords until one works, indicating an active compromise of the SSH service.

Exam trap

ISC2 often tests the distinction between a vulnerability (e.g., misconfigured SSH allowing root login) and an active threat (the brute-force attack succeeding), where candidates mistakenly choose the root cause instead of the immediate risk.

How to eliminate wrong answers

Option A is wrong because the logs show external IP addresses (not internal) performing the attacks, and the successful login is from an external source, not a trusted insider using the root account. Option C is wrong because the logs only show authentication events (SSH login attempts) with no indicators of malware such as unusual process execution, file modifications, or outbound connections to known malicious domains. Option D is wrong because while root login is allowed, the immediate risk is the active brute-force attack succeeding, not a misconfiguration; the misconfiguration (if any) is a contributing factor, not the immediate risk.

48
MCQhard

You are the security analyst for a mid-sized e-commerce company that processes credit card payments. The company uses a legacy payment application on a Windows Server 2012 R2 system, which is scheduled for decommission in six months. The server is isolated in a separate VLAN with strict firewall rules allowing only outbound HTTPS to the payment processor and inbound management from a jump box on a different subnet. During a routine vulnerability scan, you discover that the server is missing over 50 critical patches, including one for a remote code execution vulnerability (CVE-2023-XXXX) that is being actively exploited in the wild. The server cannot be patched because the vendor stopped support and patches are not available. The company's risk appetite is low due to PCI DSS requirements. You need to recommend a course of action that balances risk reduction with business continuity. What should you do?

A.Implement additional compensating controls such as an application-layer firewall, disable all unnecessary services, restrict outbound traffic to only the payment processor IP, enable detailed logging, and accelerate the migration
B.Immediately decommission the server and migrate to the new payment system, accepting a temporary outage
C.Apply the vendor's hotfix from an unofficial source to patch the vulnerability
D.Accept the risk and purchase additional cyber insurance to cover potential losses
AnswerA

Compensating controls reduce risk while allowing continued operation until decommission.

Why this answer

Option A is correct because it implements compensating controls to reduce the risk of the unpatched remote code execution vulnerability while maintaining business continuity. By deploying an application-layer firewall (e.g., a WAF or host-based IPS), disabling unnecessary services, restricting outbound traffic to only the payment processor's IP via strict egress ACLs, enabling detailed logging for monitoring, and accelerating the migration to a supported system, you align with PCI DSS Requirement 6.2 (timely patching) and Requirement 11.5 (change detection) without causing an outage. This layered defense mitigates the active exploit risk until the legacy server can be decommissioned in six months.

Exam trap

The trap here is that candidates may choose Option B (immediate decommission) thinking it eliminates risk, but they overlook the business continuity requirement and the fact that PCI DSS allows compensating controls for legacy systems with a documented migration plan.

How to eliminate wrong answers

Option B is wrong because immediately decommissioning the server would cause a business outage, which is unacceptable for a mid-sized e-commerce company processing credit card payments; PCI DSS requires maintaining business continuity, and a temporary outage could lead to revenue loss and compliance issues. Option C is wrong because applying a vendor hotfix from an unofficial source introduces significant risk of malware, system instability, or violation of PCI DSS Requirement 6.1 (use only vendor-supplied patches), and it could void any remaining support or insurance. Option D is wrong because accepting the risk and purchasing cyber insurance does not address the active exploitation of CVE-2023-XXXX; PCI DSS requires compensating controls or patching, and insurance only covers financial loss after a breach, not the immediate security risk to cardholder data.

49
MCQeasy

An organization experiences a ransomware attack that encrypts critical data. The incident response team isolates affected systems. What is the NEXT step?

A.Reimage systems
B.Notify law enforcement
C.Identify the root cause
D.Restore from backup
AnswerC

After containment, the team must analyze to determine the cause before proceeding to eradication.

Why this answer

After isolating affected systems to contain the ransomware, the next step is to identify the root cause (e.g., how the ransomware entered, which vulnerability was exploited, or which user account was compromised). This aligns with the NIST SP 800-61 incident response lifecycle, where identification and analysis precede eradication and recovery. Without determining the root cause, reimaging or restoring from backup risks reinfection or missing a persistent backdoor.

Exam trap

The trap here is that candidates often jump to 'Restore from backup' (Option D) as the immediate next step, but the SSCP exam emphasizes that containment and root cause analysis must precede recovery to prevent reinfection and ensure the backup is clean.

How to eliminate wrong answers

Option A is wrong because reimaging systems before identifying the root cause may destroy forensic evidence and fail to address the initial infection vector, potentially allowing the attack to recur. Option B is wrong because notifying law enforcement is a legal or compliance step that typically occurs after containment and root cause analysis, and it is not a technical incident response step. Option D is wrong because restoring from backup before understanding the root cause could restore encrypted or compromised data, and the backup itself might be infected or the same vulnerability could be exploited again.

50
MCQhard

You are the security administrator for a mid-sized financial company that processes credit card transactions. The company has a mix of on-premises servers and cloud-based services. Recently, the company experienced a data breach where an attacker exfiltrated customer data from a database server. The investigation reveals that the attacker used compromised credentials of a database administrator (DBA) account. The DBA account had been used by multiple administrators without proper auditing. The company wants to implement a solution to prevent such incidents in the future. The solution must: 1) ensure that each administrator has a unique account for database access, 2) require approval for privileged actions, 3) provide a full audit trail of all privileged activities, and 4) be cost-effective. Which of the following is the best course of action?

A.Enforce the use of a shared DBA account with a complex password that is changed monthly.
B.Implement a privileged access management (PAM) solution that provides just-in-time access and session recording.
C.Require multi-factor authentication for all database access without any additional controls.
D.Install a database activity monitoring (DAM) solution that logs all SQL queries.
AnswerB

PAM addresses all requirements: unique accounts (via vault), approval workflows, and full audit trails.

Why this answer

A privileged access management (PAM) solution provides just-in-time access, approval workflows, and session recording, meeting all requirements. Shared accounts violate uniqueness; MFA alone doesn't provide approval or audit; database auditing software logs activities but does not enforce approval.

51
MCQhard

A company's risk management policy states that all risks with a residual risk score of 8 or higher (on a scale of 1-10) must be treated. A risk is identified with an inherent risk score of 9, and after applying controls, the residual risk score is 7. What is the appropriate action?

A.Formally accept the residual risk
B.Apply additional controls to reduce the risk further
C.Purchase cyber insurance to transfer the risk
D.Reassess the inherent risk score
AnswerA

Since residual risk is 7 (<8), it can be accepted.

Why this answer

Option B is correct because the residual risk is below the threshold, so it can be accepted after formal acceptance. Option A is wrong because the residual risk is already below the threshold. Option C is wrong because residual risk already accounts for controls.

Option D is wrong because insurance transfers risk but is not required if the risk is acceptable.

52
MCQmedium

An organization's help desk receives multiple reports of employees unable to access a critical internal application. The IT team confirms the application server is running. What is the FIRST step in the incident response process?

A.Verify the reports and confirm the scope of the issue
B.Restore the application from the latest backup
C.Remove any malicious software from the server
D.Isolate the affected systems from the network
AnswerA

The incident response process begins with identification and verification.

Why this answer

Option A is correct because the initial step in incident response is to identify and verify the incident. Option B is wrong because containment comes after identification. Option C is wrong because eradication follows containment.

Option D is wrong because recovery is performed after eradication.

53
MCQmedium

An organization's incident response plan is tested annually. After a real incident, the team finds that the plan did not address cloud-based assets. What is the BEST action?

A.Migrate all cloud assets back on-premises
B.Retrain the IR team on cloud incident response
C.Create a separate cloud incident response plan
D.Update the incident response plan to include cloud scenarios
AnswerD

The plan must be revised based on lessons learned.

Why this answer

The plan should be updated to include cloud assets. Option D is correct. Option A only addresses the symptom; Option B may be unnecessary; Option C adds complexity.

54
Multi-Selecteasy

Which TWO are components of the AAA framework? (Choose two.)

Select 2 answers
A.Authorization
B.Auditing
C.Accounting
D.Administration
E.Authentication
AnswersA, E

Authorization determines access rights.

Why this answer

Authorization (A) and Authentication (E) are two of the three core components of the AAA framework, as defined by Cisco and the IETF in RFC 2903 and RFC 2904. Authentication verifies the identity of a user or device (e.g., using RADIUS or TACACS+), while Authorization determines what resources or actions that authenticated entity is permitted to access. Together with Accounting, these three form the AAA triad used in network access control and security policy enforcement.

Exam trap

ISC2 often tests the AAA framework by including 'Auditing' as a distractor, leading candidates to confuse it with 'Accounting' because both involve logging, but Accounting is the correct term for tracking resource consumption in AAA.

55
Matchingmedium

Match each disaster recovery site type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fully operational, real-time replication

Partially configured, ready in hours

Empty facility, setup required

Portable unit with equipment

Why these pairings

These are common disaster recovery site options.

56
MCQhard

A financial firm is implementing a new access control system for its critical trading application. The application currently uses local accounts and password authentication. The security team wants to enforce multi-factor authentication (MFA) and centralized user management. The firm has an existing Active Directory (AD) infrastructure and a certificate authority (CA). However, the trading application only supports smart card authentication via PKI and does not support integration with AD directly. The IT team must design a solution that meets security requirements while minimizing changes to the application. Which approach should the team take?

A.Modify the application code to support SAML-based federation
B.Continue using local accounts but require a strong password policy and regular changes
C.Deploy a RADIUS server that forwards authentication to AD and use smart card emulation for the application
D.Set up a separate LDAP directory for the application and sync with AD
AnswerC

RADIUS can translate AD credentials to smart card authentication the app expects, without modifying the app.

Why this answer

Using AD to manage user accounts and deploying a RADIUS server that authenticates against AD and issues smart card credentials to the application provides centralized management and MFA. Option A is not MFA; B would require app changes; D leaves local accounts.

57
Multi-Selecteasy

Which TWO of the following are effective measures to prevent buffer overflow attacks in a custom-developed application?

Select 2 answers
A.Input validation
B.Using unpatched third-party libraries
C.Running the application with least privilege
D.Disabling ASLR
E.Stack canaries
AnswersA, E

Validating input length and content can prevent buffer overflows by rejecting oversized or malformed data.

Why this answer

Input validation helps ensure data fits within buffer limits, and stack canaries detect and prevent stack-based buffer overflows. Using unpatched libraries increases vulnerability; disabling ASLR makes exploitation easier; running with least privilege limits damage but does not prevent the overflow itself.

58
MCQhard

Refer to the exhibit. An administrator runs an OpenSSL s_client command and receives the output shown. What is the most likely cause of the 'unable to get local issuer certificate' error?

A.The server's private key is missing.
B.The client does not trust the issuing CA.
C.The server certificate is self-signed.
D.The server certificate has expired.
AnswerB

The 'unable to get local issuer certificate' error means the CA is not trusted.

Why this answer

The 'unable to get local issuer certificate' error from OpenSSL s_client indicates that the client (the machine running the command) does not have the issuing Certificate Authority (CA) certificate in its trust store. This means the client cannot verify the server certificate's chain of trust. Option B is correct because the error specifically points to a missing or untrusted CA certificate on the client side, not a problem with the server's private key, self-signing, or expiration.

Exam trap

The trap here is that candidates confuse 'unable to get local issuer certificate' with a server-side certificate issue (like expiration or self-signing), when it actually points to a client-side trust store problem.

How to eliminate wrong answers

Option A is wrong because a missing server private key would cause a different error, such as 'unable to load private key' or a TLS handshake failure, not an issuer certificate validation error. Option C is wrong because a self-signed certificate would produce an 'unable to verify the first certificate' or 'self-signed certificate in chain' error, not specifically 'unable to get local issuer certificate' (which implies a missing CA in the trust store, not a self-signed root). Option D is wrong because an expired server certificate would generate an 'certificate has expired' error during validation, not an issuer certificate lookup failure.

59
MCQmedium

A multinational company has a headquarters (HQ) and several branch offices connected via site-to-site IPsec VPN tunnels. The branch offices use a single internet connection and a VPN concentrator at HQ. Recently, users in the Asia branch report intermittent connectivity to the HQ file server, with high latency and occasional packet loss. The network team runs a traceroute from Asia branch to the HQ server; it shows the path goes through multiple hops with high latency at the second hop, which is the ISP router. The VPN tunnel status shows 'up' but with increasing rekey failures. The team has verified that the local internet link is stable and there are no bandwidth saturation issues. Which action should the team take first?

A.Upgrade the internet bandwidth at the Asia branch.
B.Change the tunnel to use a different encryption algorithm like AES-256.
C.Review and adjust the IPsec tunnel lifetime and rekeying thresholds.
D.Contact the ISP to check for routing issues.
AnswerC

Rekey failures indicate mismatch or too short lifetimes.

Why this answer

The symptoms—intermittent connectivity, high latency at the ISP router, and increasing rekey failures with the tunnel status 'up'—point to IPsec tunnel rekeying issues. Adjusting the IPsec tunnel lifetime and rekeying thresholds (Option C) directly addresses the root cause: the tunnel is attempting to renegotiate security associations (SAs) but failing, likely due to mismatched lifetimes or network delays during rekey. This is the first logical step before escalating to the ISP or changing encryption algorithms.

Exam trap

The trap here is that candidates see high latency at the ISP router and immediately blame the ISP (Option D) or bandwidth (Option A), overlooking the IPsec rekey failure logs and the fact that the tunnel is 'up' but failing to rekey, which is a classic IPsec misconfiguration symptom.

How to eliminate wrong answers

Option A is wrong because the local internet link is verified as stable with no bandwidth saturation, so upgrading bandwidth would not fix rekey failures or high latency at the ISP hop. Option B is wrong because changing the encryption algorithm (e.g., to AES-256) does not resolve rekey failures; it only changes the cipher used for data encryption, not the SA lifetime or rekeying process. Option D is wrong because the traceroute shows high latency at the ISP router, but the VPN tunnel is up and the issue is specific to rekey failures; contacting the ISP prematurely ignores the clear IPsec configuration problem.

60
Multi-Selectmedium

Which TWO of the following are best practices for securing a wireless network?

Select 2 answers
A.Enabling MAC address filtering
B.Using WEP encryption
C.Leaving the default administrator password
D.Using WPA2-Enterprise with 802.1X
E.Disabling SSID broadcast
AnswersD, E

Provides strong authentication and encryption.

Why this answer

WPA2-Enterprise with 802.1X is a best practice because it provides strong encryption (AES-CCMP) and per-user authentication via a RADIUS server, eliminating the vulnerabilities of pre-shared keys. The 802.1X framework ensures that each user must authenticate individually, preventing unauthorized access even if a single credential is compromised. This is the gold standard for enterprise wireless security.

Exam trap

The trap here is that candidates often confuse 'disabling SSID broadcast' (option E) as a security measure, but it is a best practice for reducing network visibility in low-risk environments, even though it is not a strong security control; the SSCP exam expects you to recognize it as a valid defense-in-depth practice, not a primary security mechanism.

61
MCQmedium

A security team is implementing a risk treatment plan for a high-risk vulnerability. The cost to fix the vulnerability is $100,000, but the expected loss if exploited is $1,000,000. The annual likelihood of exploitation is 2%. Which risk treatment strategy is most appropriate?

A.Avoid the risk by decommissioning the asset
B.Remediate the vulnerability immediately
C.Accept the risk and monitor for changes
D.Transfer the risk by purchasing cyber insurance
AnswerC

Expected loss is lower than remediation cost.

Why this answer

The annualized loss expectancy (ALE) is $20,000 (2% × $1,000,000), which is less than the $100,000 remediation cost. Since the cost to fix exceeds the expected loss, accepting the risk and monitoring for changes is the most cost-effective strategy. This aligns with the risk management principle that treatment should be proportional to the risk exposure.

Exam trap

ISC2 often tests the misconception that any high-severity vulnerability must be immediately remediated, ignoring the quantitative cost-benefit analysis that shows accepting risk can be the most appropriate strategy when the annualized loss is lower than the fix cost.

How to eliminate wrong answers

Option A is wrong because decommissioning the asset would eliminate all business value from it, which is an extreme measure not justified when the annual expected loss ($20,000) is far lower than the remediation cost ($100,000). Option B is wrong because immediate remediation would cost $100,000 to prevent a $20,000 annual expected loss, violating the cost-benefit principle of risk management. Option D is wrong because transferring the risk via cyber insurance would still involve premiums and deductibles that likely exceed the $20,000 ALE, and insurance does not reduce the technical vulnerability itself.

62
MCQhard

What does this log entry most likely indicate?

A.The SSH service is misconfigured
B.A user mistyped their password
C.An attacker is attempting to gain access by guessing usernames
D.The user account 'admin' has been disabled
AnswerC

The presence of an invalid username suggests reconnaissance or brute-force activity.

Why this answer

The log shows a failed SSH authentication for an 'invalid user' (i.e., a username that does not exist on the system). This is typical of a brute-force or reconnaissance attack where the attacker tries common usernames. Option B correctly identifies this as an attacker attempting to guess usernames.

Option A is incorrect because it is not a mistyped password for a valid user. Option C is incorrect as the log does not indicate misconfiguration. Option D is incorrect because the user 'admin' does not exist, not just disabled.

63
Multi-Selecteasy

Which THREE of the following are common methods to identify risks in an organization?

Select 3 answers
A.Brainstorming.
B.Hash verification.
C.Fault tree analysis.
D.Delphi technique.
E.SWOT analysis.
AnswersA, D, E

Structured brainstorming sessions are a common qualitative risk identification technique.

Why this answer

Brainstorming is a common method for risk identification because it leverages group creativity to surface potential threats, vulnerabilities, and impacts that might not be captured by automated tools. In an organizational context, structured brainstorming sessions (e.g., using nominal group technique) help elicit a wide range of risks from diverse stakeholders, ensuring coverage across technical, operational, and strategic domains.

Exam trap

ISC2 often tests the distinction between risk identification methods (qualitative, human-driven) and risk analysis or control techniques (quantitative, automated), so candidates may incorrectly select hash verification or fault tree analysis because they sound technical or security-related, but they are not used for identifying new risks in an organizational context.

64
MCQhard

During a security audit, it is discovered that several employees have access to shared network drives containing sensitive HR data. The HR manager states that these employees no longer need access. What is the most efficient way to revoke access?

A.Remove the users from the security group that grants access to the drives.
B.Delete the user accounts of the affected employees.
C.Reconfigure the shared drive to deny access to all users except HR.
D.Manually remove each user's permissions on the shared drive.
AnswerA

Group-based management allows efficient revocation by modifying group membership.

Why this answer

The most efficient way to revoke access is to remove the users from the security group that grants access to the drives. In Windows environments, shared drive permissions are typically assigned to Active Directory security groups rather than individual users. By removing the users from the group, their permissions are revoked immediately across all resources that group has access to, without needing to touch each resource individually.

Exam trap

The trap here is that candidates may think manually removing permissions (Option D) is more precise, but they overlook that group-based management is the most efficient and scalable method in enterprise environments, and that deleting accounts (Option B) is a disproportionate response that violates operational continuity.

How to eliminate wrong answers

Option B is wrong because deleting user accounts is an extreme and irreversible action that disrupts all other services and access the employees may need, and it is not a targeted revocation of drive access. Option C is wrong because reconfiguring the shared drive to deny all users except HR would affect all other employees who might legitimately need access, and it does not address the specific users who should lose access without impacting others. Option D is wrong because manually removing each user's permissions on the shared drive is inefficient and error-prone, especially in large environments, and does not leverage group-based access control which is the standard for scalable permission management.

65
MCQmedium

A company's policy requires that all data at rest be encrypted. Which of the following is the most effective method to encrypt files on a laptop?

A.Encrypt only the user's home folder.
B.Encrypt individual files using a symmetric key.
C.Implement full disk encryption (FDE).
D.Use a self-extracting encrypted archive.
AnswerC

FDE provides blanket encryption for the entire drive.

Why this answer

Full disk encryption (FDE) encrypts the entire storage volume, including the operating system, swap files, temporary files, and all user data. This ensures that if the laptop is lost or stolen, all data at rest is protected without relying on the user to selectively encrypt files or folders, which can leave sensitive data exposed in unencrypted system areas.

Exam trap

The trap here is that candidates often choose encrypting only the home folder or individual files because they think it is sufficient, but they overlook that system areas like swap, temp, and hibernation files can contain sensitive data in plaintext, making full disk encryption the only comprehensive solution for data at rest on a laptop.

How to eliminate wrong answers

Option A is wrong because encrypting only the user's home folder leaves the operating system, swap files, temporary files, and other system areas unencrypted, which can contain cached or residual copies of sensitive data. Option B is wrong because encrypting individual files with a symmetric key requires manual selection and management of each file, increasing the risk of human error and leaving metadata, temporary copies, and swap space unencrypted. Option D is wrong because a self-extracting encrypted archive only protects the specific files placed inside it, leaving the rest of the filesystem and system areas unencrypted, and it requires user interaction to create and extract, making it impractical for comprehensive data-at-rest protection.

66
Multi-Selecthard

Which THREE are common types of network-based attacks? (Choose three.)

Select 3 answers
A.Buffer overflow
B.ARP spoofing
C.SQL injection
D.SYN flood
E.DNS amplification
AnswersB, D, E

An attack on Layer 2 to intercept traffic.

Why this answer

ARP spoofing is a network-based attack where an attacker sends falsified Address Resolution Protocol (ARP) messages over a local area network. This links the attacker's MAC address with the IP address of a legitimate host, allowing interception, modification, or blocking of traffic intended for that host. It is a classic Layer 2 attack that exploits the lack of authentication in ARP (RFC 826).

Exam trap

The trap here is that candidates often confuse application-layer attacks (like SQL injection or buffer overflow) with network-based attacks, but the SSCP exam specifically tests whether you can distinguish attacks that operate at Layer 2 or Layer 3 of the OSI model from those targeting software or databases.

67
MCQhard

An organization uses a cloud-based file synchronization service to share project files with external partners. The security team discovers that an unauthorized third party accessed sensitive documents by guessing weak passwords. Which additional control would most effectively mitigate this risk?

A.Enforcing multi-factor authentication for all external users.
B.Requiring all file transfers to use SFTP instead of HTTPS.
C.Implementing file-level encryption with keys stored on-premises.
D.Configuring the service to use a custom domain certificate.
AnswerA

MFA prevents login even if passwords are guessed, reducing the risk of unauthorized access.

Why this answer

Option B is correct because multi-factor authentication directly addresses credential guessing by requiring a second factor. Option A is incorrect because file-level encryption with on-premises keys does not prevent unauthorized access if the attacker already has valid credentials. Option C is incorrect because SFTP does not inherently provide stronger authentication than HTTPS.

Option D is incorrect because a custom domain certificate does not affect authentication strength.

68
Multi-Selectmedium

Which three of the following are best practices for securing a wireless network? (Choose three.)

Select 3 answers
A.Use MAC address filtering
B.Set a weak passphrase for guest network
C.Disable SSID broadcast
D.Enable WPA3-Enterprise
E.Implement rogue AP detection
AnswersC, D, E

Hiding the SSID reduces casual detection.

Why this answer

Disabling SSID broadcast prevents the access point from including its network name in beacon frames, making the network less visible to casual scanning tools. While this does not provide true security (as the SSID can still be discovered via passive monitoring of probe responses or association frames), it reduces the attack surface by hiding the network from non-malicious users and automated discovery scripts.

Exam trap

ISC2 often tests the misconception that disabling SSID broadcast is a strong security measure, when in reality it is only a minor obscurity technique that does not protect against determined attackers using passive sniffing tools like Wireshark or airodump-ng.

69
MCQhard

A security awareness program is being developed. Which topic is MOST critical for all employees to understand to reduce the risk of social engineering?

A.The risks of posting on social media
B.The proper use of mobile devices
C.How to recognize and report phishing attempts and other suspicious communications
D.How to create strong passwords
AnswerC

Social engineering often uses phishing or pretexting; reporting is vital.

Why this answer

Social engineering attacks, such as phishing, vishing, and smishing, exploit human psychology rather than technical vulnerabilities. The most critical defense for all employees is the ability to recognize indicators of these attacks (e.g., spoofed sender addresses, urgent language, mismatched URLs) and follow the proper reporting procedure to enable rapid incident response. Without this skill, even the strongest technical controls can be bypassed by a single successful click.

Exam trap

ISC2 often tests the distinction between general security best practices (like strong passwords) and the specific, human-focused defense against social engineering, where recognition and reporting are paramount.

How to eliminate wrong answers

Option A is wrong because while social media risks are relevant, they are a subset of social engineering vectors and not the most immediate, universal threat; the primary attack vector is email-based phishing. Option B is wrong because mobile device usage policies (e.g., MDM, encryption) address device security but do not directly train employees to identify deceptive communications. Option D is wrong because strong passwords mitigate credential-guessing attacks, but social engineering bypasses passwords entirely by tricking users into revealing them or executing actions without authentication.

70
MCQeasy

An IT administrator needs to ensure that all workstations receive security patches in a timely manner. Which process is MOST effective for this?

A.Use only operating systems that no longer require security patches
B.Assign a technician to manually patch each workstation monthly
C.Deploy a centralized patch management solution
D.Enable automatic updates on each workstation from the vendor
AnswerC

Automates patching, provides reporting, and ensures consistency.

Why this answer

Option C is correct because a centralized patch management system automates deployment and reporting. Option A is wrong because automatic updates from vendor can be unreliable and may not be centrally reported. Option B is wrong because manual patching is error-prone and not scalable.

Option D is wrong because using older OS versions is insecure and against best practice.

71
MCQmedium

A company uses a SIEM to detect anomalies. An alert indicates a user logged in from two geographically distant locations within 5 minutes. What is the most likely indication?

A.Insider threat
B.Time synchronization issue
C.Credential theft and reuse
D.Misconfigured VPN
AnswerC

This is a classic sign of stolen credentials being used by an attacker.

Why this answer

Option B is correct because such a scenario strongly suggests credential theft and reuse, where an attacker has obtained the user's credentials and is using them from a different location. Option A is less likely as insider threat would not typically require rapid geo-hopping. Option C is possible but less common.

Option D would cause log inconsistencies but not typically this pattern.

72
MCQeasy

A company wants to ensure that employees connecting from home use a secure tunnel to access internal resources. Which protocol should be implemented?

A.SFTP
B.Telnet
C.SSH
D.SSL/TLS VPN
AnswerD

A SSL/TLS VPN creates an encrypted tunnel for remote users to access internal resources securely.

Why this answer

An SSL/TLS VPN creates an encrypted tunnel over HTTPS (port 443) between the remote user's browser or client and the corporate VPN gateway, securing all traffic to internal resources. This is the standard solution for remote access VPNs because it uses ubiquitous SSL/TLS protocols, avoids the need for IPsec client software, and can traverse firewalls and NAT devices easily.

Exam trap

ISC2 often tests the distinction between SSH (a secure remote administration tool) and SSL/TLS VPN (a full remote access VPN solution), leading candidates to mistakenly choose SSH because they know it provides encryption, without realizing it does not create a comprehensive network tunnel for all internal resource access.

How to eliminate wrong answers

Option A is wrong because SFTP (SSH File Transfer Protocol) is designed only for secure file transfer, not for creating a full network tunnel to access multiple internal resources. Option B is wrong because Telnet transmits all data, including credentials, in cleartext and provides no encryption or security whatsoever. Option C is wrong because SSH creates a secure shell session or port forwarding tunnel, but it is not designed as a full VPN solution for all internal resource access; it requires manual port forwarding and does not natively support routing all client traffic through the tunnel.

73
MCQhard

A security analyst is reviewing traffic logs and sees that a host is sending ICMP echo requests to multiple external IPs. This behavior is most likely indicative of:

A.Normal network monitoring
B.A DDoS attack
C.A DNS amplification attack
D.A ping sweep reconnaissance
AnswerD

Ping sweeps are used to identify active hosts.

Why this answer

ICMP echo requests (ping) sent to multiple external IPs from a single host is characteristic of a ping sweep, which is a reconnaissance technique used to map live hosts on a network. Unlike a DDoS or amplification attack, this activity originates from one host and targets many destinations to identify which IPs are responsive, aiding an attacker in planning further exploitation.

Exam trap

ISC2 often tests the distinction between reconnaissance and attack phases, so the trap here is confusing a single-source sweep (reconnaissance) with a multi-source flood (DDoS), leading candidates to incorrectly select the DDoS option.

How to eliminate wrong answers

Option A is wrong because normal network monitoring typically uses SNMP, NetFlow, or passive traffic analysis, not active ICMP echo requests to multiple external IPs, which would be noisy and unnecessary for routine monitoring. Option B is wrong because a DDoS attack involves many sources overwhelming a single target, whereas this scenario shows one host sending to many targets, which is the reverse traffic pattern. Option C is wrong because a DNS amplification attack uses spoofed source IPs with DNS queries to amplify traffic toward a victim, not ICMP echo requests from a single host to multiple IPs.

74
MCQhard

An organization is implementing 802.1X authentication for wired network access. Which server is required to authenticate users?

A.DHCP server
B.TACACS+ server
C.Kerberos server
D.RADIUS server
AnswerD

RADIUS is the standard authentication server for 802.1X, handling user credentials and policy enforcement.

Why this answer

802.1X is a port-based network access control protocol that uses the Extensible Authentication Protocol (EAP) to authenticate devices before granting network access. The authentication server in an 802.1X deployment must be a RADIUS server, as defined in IEEE 802.1X-2020, because it acts as the backend that validates credentials and communicates with the authenticator (switch) via RADIUS (RFC 2865).

Exam trap

The trap here is that candidates often confuse TACACS+ with RADIUS because both are AAA protocols, but 802.1X specifically mandates RADIUS for EAP transport, whereas TACACS+ encrypts the entire packet and is used for device administration, not port-based network access control.

How to eliminate wrong answers

Option A is wrong because a DHCP server dynamically assigns IP addresses and does not perform authentication; it operates after network access is granted. Option B is wrong because TACACS+ is a Cisco-proprietary protocol that separates authentication, authorization, and accounting (AAA) but is not used in 802.1X; 802.1X requires RADIUS for EAP encapsulation and port-based control. Option C is wrong because a Kerberos server provides ticket-based authentication for network services (e.g., Active Directory) but does not support the EAP-over-RADIUS exchange required by 802.1X; it is not designed for port-based access control.

75
Multi-Selectmedium

Which TWO of the following are essential components of a disaster recovery plan (DRP)?

Select 2 answers
A.Recovery Time Objective (RTO)
B.Recovery Point Objective (RPO)
C.Business Continuity Plan (BCP)
D.A RACI matrix for incident response
E.Results of a penetration test
AnswersA, B

RTO is a key metric in DRP.

Why this answer

Options A and D are correct. Recovery Time Objective (RTO) defines the maximum acceptable downtime, and Recovery Point Objective (RPO) defines the maximum acceptable data loss. Option B is wrong while a business continuity plan (BCP) is related, it is broader and not specific to DRP.

Option C is wrong the RACI matrix is for responsibility assignment, not a core DRP component. Option E is wrong a penetration test is a security assessment, not a DRP component.

Page 1 of 7

Page 2

All pages