Systems Security Certified Practitioner SSCP (SSCP) — Questions 676750

991 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQmedium

A security analyst reviews a cryptographic implementation and notices that the same initialization vector (IV) is used repeatedly with the same key in CBC mode. What is the primary risk?

A.Loss of confidentiality
B.Loss of authentication
C.Non-repudiation is compromised
D.Loss of integrity
AnswerA

IV reuse can lead to identical ciphertext blocks for identical plaintext, revealing patterns.

Why this answer

In CBC (Cipher Block Chaining) mode, the initialization vector (IV) is XORed with the first plaintext block before encryption. Reusing the same IV with the same key means that identical plaintext blocks will produce identical ciphertext blocks, revealing patterns in the data. This directly breaks confidentiality, as an attacker can detect repeated plaintext segments, infer message structure, or even recover plaintext through known-plaintext attacks.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity or authentication, mistakenly thinking IV reuse primarily enables data tampering (integrity) or impersonation (authentication), when in fact the core cryptographic weakness is the exposure of plaintext patterns, directly violating confidentiality.

How to eliminate wrong answers

Option B is wrong because loss of authentication refers to the inability to verify the origin or identity of the sender, which is not directly caused by IV reuse; CBC mode does not provide authentication by itself (that requires a MAC). Option C is wrong because non-repudiation is a property that prevents a party from denying an action, typically provided by digital signatures, not by CBC mode or IV usage. Option D is wrong because loss of integrity means data has been tampered with undetected; while IV reuse can enable certain attacks (e.g., bit-flipping), the primary and most immediate risk is the exposure of plaintext patterns, i.e., loss of confidentiality.

677
MCQeasy

Which of the following is a secure hash algorithm currently recommended by NIST?

A.SHA-1
B.RC4
C.MD5
D.SHA-256
AnswerD

SHA-256 is a current standard and is considered secure.

Why this answer

SHA-256 is a member of the SHA-2 family of secure hash algorithms and is currently recommended by NIST for cryptographic use. It produces a 256-bit (32-byte) hash value and is widely deployed in protocols such as TLS, SSH, and IPsec, as well as in digital signatures and certificate validation.

Exam trap

Cisco often tests the distinction between hash algorithms and encryption ciphers, so candidates may mistakenly select RC4 because it is a well-known cryptographic algorithm, but it is not a hash function at all.

How to eliminate wrong answers

Option A is wrong because SHA-1 is no longer considered secure by NIST due to demonstrated collision attacks (e.g., the SHAttered attack in 2017) and is deprecated for most cryptographic applications. Option B is wrong because RC4 is a stream cipher, not a hash algorithm, and it is also deprecated due to severe biases in its output. Option C is wrong because MD5 is a broken hash algorithm with practical collision attacks (e.g., used in the Flame malware) and is explicitly not recommended by NIST for any security purpose.

678
MCQmedium

Which of the following is a primary advantage of using TLS 1.3 over earlier versions?

A.Mandatory forward secrecy
B.Reduced handshake latency with 0-RTT
C.Support for RC4 cipher suites
D.Backward compatibility with SSL 3.0
AnswerA

All TLS 1.3 cipher suites use ephemeral Diffie-Hellman, providing forward secrecy.

Why this answer

TLS 1.3 requires forward secrecy for all cipher suites, meaning that session keys are not derived from the server's private key, protecting past sessions if the private key is compromised.

679
Multi-Selecthard

A security engineer is designing a key management system for a large enterprise. Which two of the following practices are essential for securing cryptographic keys throughout their lifecycle?

Select 2 answers
A.Store keys in dedicated hardware security modules (HSMs).
B.Use the same key for encryption, digital signatures, and key exchange.
C.Email keys to authorized users for convenience.
D.Store keys in the same database as encrypted data.
E.Rotate keys regularly and upon compromise.
AnswersA, E

HSMs provide tamper-resistant storage and protect keys from unauthorized access.

Why this answer

Key storage in hardware security modules (HSMs) and regular key rotation are critical for key security. Storing keys with the data and emailing them violate security best practices. Using a single key for all purposes reduces security.

680
Multi-Selectmedium

A security administrator is implementing the 3-2-1 backup rule. Which THREE actions are required to comply with this rule? (Select THREE.)

Select 3 answers
A.Store one copy offsite
B.Maintain at least three copies of the data
C.Use two different media types (e.g., disk and tape)
D.Perform daily full backups
E.Use encryption for all backup copies
AnswersA, B, C

Correct. Offsite copy protects against site-level disasters.

Why this answer

The 3-2-1 rule requires three copies, two different media types, and one offsite copy.

681
MCQmedium

A company implements a DMZ to host public services. Which of the following is the best practice for securing the DMZ?

A.Allow all traffic from the internet to the DMZ
B.Disable logging on DMZ firewalls
C.Use separate firewall rules for inbound and outbound traffic
D.Place the DMZ behind the internal firewall
E.Use the same subnet for DMZ and internal network
AnswerC

Allows strict control over traffic flows.

Why this answer

Option C is correct because DMZ security relies on strict separation of inbound and outbound traffic rules. Inbound rules should permit only necessary traffic (e.g., HTTP/HTTPS to web servers) from the internet to the DMZ, while outbound rules should restrict DMZ-initiated connections to the internal network, typically allowing only established sessions or specific protocols. This prevents an attacker who compromises a DMZ host from using it as a pivot to access internal resources.

Exam trap

The trap here is that candidates often confuse the DMZ's placement (thinking it should be behind the internal firewall for extra protection) with the need for separate rule sets, but the correct placement is between two firewalls (or a single firewall with three interfaces) with distinct inbound and outbound rules to enforce isolation.

How to eliminate wrong answers

Option A is wrong because allowing all traffic from the internet to the DMZ defeats the purpose of a DMZ, which is to expose only specific services while blocking all other traffic. Option B is wrong because disabling logging on DMZ firewalls eliminates the ability to detect and investigate security incidents, violating fundamental security monitoring practices. Option D is wrong because placing the DMZ behind the internal firewall would expose the internal network to direct internet traffic if the DMZ is compromised, negating the isolation a DMZ provides.

Option E is wrong because using the same subnet for DMZ and internal network removes network segmentation, allowing broadcast traffic and potential lateral movement between zones.

682
MCQhard

A security analyst is tuning a SIEM and needs to reduce false positives from a rule that alerts on failed logins. The rule currently triggers on any single failed login. Which modification would best reduce false positives while still detecting brute-force attacks?

A.Add a threshold of 5 failed logins within 5 minutes
B.Disable the rule entirely
C.Increase the severity level of the alert
D.Ignore failed logins from known users
AnswerA

This reduces noise and still catches brute force.

Why this answer

Option A is correct because adding a threshold of 5 failed logins within 5 minutes reduces false positives from isolated accidental lockouts while still detecting the sustained pattern of failed attempts characteristic of brute-force attacks. This aligns with SIEM tuning best practices where aggregation over a time window filters out noise without losing signal.

Exam trap

Cisco often tests the misconception that increasing severity or ignoring specific users reduces false positives, when in fact only time-based thresholding or contextual filtering (e.g., source IP reputation) properly addresses the root cause of noise from isolated events.

How to eliminate wrong answers

Option B is wrong because disabling the rule entirely would remove detection of brute-force attacks, creating a security gap. Option C is wrong because increasing the severity level does not reduce false positives; it only changes the alert's priority, leaving the same number of noisy alerts. Option D is wrong because ignoring failed logins from known users would miss attacks where a legitimate user's account is compromised and used for brute-force attempts, and it assumes user identity is reliably verified at the authentication layer.

683
MCQhard

An organization is implementing a jump server architecture for managing critical servers. Which additional control BEST reduces the risk of lateral movement if the jump server is compromised?

A.Enable verbose logging on all target servers.
B.Require multi-factor authentication for all jump server logins.
C.Implement SSH key-based authentication with agent forwarding restricted to specific target hosts.
D.Use a separate VLAN for management traffic.
AnswerC

Restricts which hosts can be accessed from the jump server, reducing lateral movement.

Why this answer

Option C is correct because restricting SSH agent forwarding to specific target hosts prevents an attacker who compromises the jump server from using forwarded credentials to authenticate to arbitrary internal systems. This containment limits lateral movement by ensuring that even if the jump server is breached, the attacker cannot reuse SSH keys to pivot to non-approved targets.

Exam trap

The trap here is that candidates often choose multi-factor authentication (Option B) thinking it prevents all post-compromise risks, but MFA only protects the initial login, not lateral movement after the jump server is already compromised.

How to eliminate wrong answers

Option A is wrong because verbose logging on target servers is a detective control that records activity after the fact; it does not prevent an attacker from moving laterally from a compromised jump server. Option B is wrong because multi-factor authentication for jump server logins protects the initial access to the jump server but does not restrict lateral movement once an attacker has already compromised that server. Option D is wrong because a separate VLAN for management traffic segments network traffic but does not prevent an attacker who already controls the jump server from using its SSH agent or credentials to reach other hosts within that VLAN.

684
MCQmedium

An organization has experienced a ransomware attack. After containing the incident, the response team plans to restore systems from backups. Which step is most critical before restoring production systems?

A.Verify the integrity of backup data by restoring to an isolated test environment.
B.Notify law enforcement immediately.
C.Patch the exploited vulnerability and ensure the backup is free of malware.
D.Disconnect all systems from the network.
AnswerC

Correct. Eradication and patching prevent recurrence.

Why this answer

Option C is correct because restoring from backups while the original vulnerability remains unpatched would allow the ransomware to reinfect the systems immediately. Additionally, if the backup itself contains malware (e.g., the ransomware encrypted the backup repository), restoring it would reintroduce the infection. Patching the exploited vulnerability and verifying the backup is clean ensures a safe restoration point, breaking the attack chain.

Exam trap

The trap here is that candidates often choose Option A (verify backup integrity) because it sounds thorough, but they miss that the most critical step is to eliminate the root cause of the infection to prevent immediate reinfection after restoration.

How to eliminate wrong answers

Option A is wrong because verifying backup integrity in an isolated test environment is a good practice but not the most critical step before restoration; the primary risk is reinfection from the same vulnerability or a compromised backup, not data corruption. Option B is wrong because notifying law enforcement is a post-incident legal and compliance step that does not directly prevent reinfection or data loss during restoration; it should occur after containment and evidence preservation, not before restoring systems. Option D is wrong because disconnecting all systems from the network is a containment step that should have been performed earlier in the incident response process; by the time the team plans to restore from backups, containment is already assumed to be complete, and re-disconnecting would hinder the restoration process.

685
MCQeasy

A small business uses a wireless network for employees and guests. The network uses WPA2-PSK with a single SSID, and the guest network is separate but broadcasts the same SSID. Recently, employees report intermittent connection drops and slow internet speeds. A site survey shows multiple access points from neighboring businesses operating on channels 1, 6, and 11. The business's access points are set to auto-channel selection. What is the most likely cause of the issue?

A.RADIUS server misconfiguration
B.Rogue access point
C.Channel interference due to overlapping channels
D.Weak PSK passphrase
AnswerC

Auto-channel selection often leads to channel overlap with neighboring networks, causing interference and performance degradation.

Why this answer

The correct answer is C. With multiple neighboring access points operating on channels 1, 6, and 11, and the business's access points set to auto-channel selection, the most likely cause is channel interference. Auto-channel selection may not dynamically avoid co-channel or adjacent-channel overlap, leading to contention, retransmissions, and degraded performance.

The separate guest network broadcasting the same SSID can also cause client confusion and increased collisions.

Exam trap

The trap here is that candidates may confuse WPA2-PSK with WPA2-Enterprise and assume a RADIUS misconfiguration is involved, or they may overlook that auto-channel selection does not dynamically mitigate interference from neighboring APs on the same non-overlapping channels.

How to eliminate wrong answers

Option A is wrong because RADIUS server misconfiguration is irrelevant to WPA2-PSK, which uses a pre-shared key for authentication, not 802.1X/EAP; RADIUS is only used in WPA2-Enterprise mode. Option B is wrong because a rogue access point would typically present a different SSID or security configuration, and the symptoms of intermittent drops and slow speeds are more consistent with channel congestion than an unauthorized device; a rogue AP would more likely cause authentication failures or security alerts. Option D is wrong because a weak PSK passphrase does not cause intermittent connection drops or slow speeds; it would either allow connection (if correct) or prevent it (if incorrect), and performance issues are unrelated to passphrase strength.

686
MCQeasy

Which protocol is used to securely transfer files over a network and operates on TCP port 22?

A.Telnet
B.SFTP
C.FTP
D.SSH
AnswerD

SSH uses TCP port 22 and provides secure encrypted communications for file transfer and remote administration.

Why this answer

SSH (Secure Shell) is used for secure remote login and file transfer, and it operates on TCP port 22. FTP uses ports 20-21, Telnet uses port 23, and SFTP (which runs over SSH) also uses port 22.

687
Multi-Selectmedium

A company is upgrading its legacy systems to use modern cryptographic standards. Which two of the following algorithms should be avoided due to known weaknesses or deprecation?

Select 2 answers
A.SHA-256 for hashing
B.MD5 for hashing
C.AES-256 for encryption
D.ECDH for key exchange
E.3DES for encryption
AnswersB, E

MD5 is cryptographically broken; collision attacks are feasible.

Why this answer

MD5 and 3DES are considered weak: MD5 has collision vulnerabilities, and 3DES is deprecated due to small block size and performance issues. SHA-256, AES-256, and ECDH are modern and secure.

688
MCQhard

Based on the TLS connection output, what is a potential security vulnerability?

A.The certificate has expired
B.The key exchange is ephemeral, reducing security
C.The cipher suite uses AES-128, which is too weak
D.The certificate uses SHA-1 for the signature algorithm
AnswerD

SHA-1 is deprecated due to collision attacks.

Why this answer

The signature algorithm sha1WithRSAEncryption is deprecated for certificates; SHA-1 is weak and should not be used. Options A, B, D are incorrect: the certificate is not expired (no date shown), AES-128 is acceptable, and ECDHE provides forward secrecy.

689
MCQeasy

An organization is migrating its on-premises applications to a cloud provider. Which of the following security controls should be implemented to protect data at rest in the cloud?

A.Implement multi-factor authentication for all users.
B.Configure network segmentation using VPCs.
C.Use access keys for API authentication.
D.Enable CloudTrail or equivalent audit logging.
E.Enable server-side encryption on storage services.
AnswerE

Server-side encryption encrypts data at rest automatically.

Why this answer

Option B is correct because enabling server-side encryption (SSE) ensures data is encrypted when stored by the cloud provider. Option A (network segmentation) protects in transit; C (access keys) are for authentication; D (MFA) is for user identity; E (audit logs) are detective.

690
MCQhard

A healthcare organization stores patient records in a database that is encrypted at rest using AES-256-CBC. The encryption key is stored in a plaintext configuration file on the database server, with file permissions set to read-only for the database service account and administrators. During an internal audit, the security team flags this as a critical vulnerability because the key is co-located with the encrypted data. The system administrator argues that the file permissions are sufficient to prevent unauthorized access. Separately, the organization must comply with HIPAA requirements for encryption key management. Which remediation most effectively addresses the vulnerability and meets compliance requirements?

A.Change the encryption algorithm from AES-256-CBC to AES-256-GCM.
B.Implement file integrity monitoring (FIM) on the configuration file to alert on unauthorized access.
C.Move the encryption key to a hardware security module (HSM) accessible only via authenticated API calls.
D.Encrypt the configuration file containing the key with a second AES-256 key stored in the same directory.
AnswerC

An HSM provides tamper-resistant key storage and meets compliance requirements.

Why this answer

Option C is correct because moving the encryption key to a hardware security module (HSM) physically separates the key from the encrypted data, eliminating the co-location vulnerability. HSMs provide tamper-resistant key storage and enforce access controls via authenticated API calls, which aligns with HIPAA requirements for proper key management and protection of electronic protected health information (ePHI).

Exam trap

The trap here is that candidates often confuse encryption algorithm improvements (like GCM) or monitoring controls (like FIM) with proper key management, failing to recognize that co-location of the key with the data is the core vulnerability that must be addressed by physical or logical separation.

How to eliminate wrong answers

Option A is wrong because changing the cipher mode from CBC to GCM addresses data integrity and authentication, not the fundamental issue of key storage co-location or access control. Option B is wrong because file integrity monitoring (FIM) only detects unauthorized access or changes after the fact; it does not prevent an attacker who gains access to the server from reading the plaintext key from the configuration file. Option D is wrong because encrypting the configuration file with a second key stored in the same directory merely adds a layer of obfuscation; the second key remains co-located and accessible, so an attacker who compromises the server can retrieve both keys.

691
Multi-Selectmedium

Which TWO of the following are characteristics of the Biba integrity model? (Choose TWO.)

Select 2 answers
A.No write-up
B.No write-down
C.No read-up
D.Discretionary access
E.No read-down
AnswersA, E

Subjects cannot write to higher integrity levels.

Why this answer

Biba is a MAC model for integrity with rules: no write-up (integrity levels) and no read-down (to prevent corruption).

692
MCQeasy

Which of the following is a common vulnerability source that would be documented in a risk register?

A.Password policies
B.Intrusion alerts
C.Firewall logs
D.CVE entries
AnswerD

CVEs are specific known vulnerabilities.

Why this answer

D is correct because CVE (Common Vulnerabilities and Exposures) entries are standardized identifiers for known security vulnerabilities, making them a direct source of vulnerability information that should be documented in a risk register. A risk register captures identified risks, including specific vulnerabilities, and CVE entries provide the precise technical details needed to assess and track those risks.

Exam trap

Cisco often tests the distinction between vulnerability sources (like CVE entries) and security controls or monitoring outputs (like password policies, intrusion alerts, or firewall logs), trapping candidates who confuse operational data with vulnerability documentation.

How to eliminate wrong answers

Option A is wrong because password policies are security controls or guidelines, not vulnerability sources; they define rules for password creation and management, whereas a risk register documents actual or potential vulnerabilities, not policy documents. Option B is wrong because intrusion alerts are outputs from an intrusion detection system (IDS) indicating potential security incidents, not vulnerability sources; they represent events that may exploit vulnerabilities, but the alerts themselves are not the vulnerabilities. Option C is wrong because firewall logs are records of network traffic and firewall rule actions, used for monitoring and forensics, not a source of vulnerability information; they can help identify attacks but do not list or describe vulnerabilities like CVE entries do.

693
MCQmedium

A security administrator receives an alert from the SIEM indicating a configuration change on a critical server. The change was not part of any approved change request. What should be the first step?

A.Investigate the change to determine its source and impact
B.Notify the server owner
C.Revert the server to the last known good configuration
D.Disable the server's network access
AnswerA

Investigation helps decide the appropriate response.

Why this answer

The first step when an unauthorized configuration change is detected is to investigate the change to determine its source and impact. This aligns with the incident response process, where initial assessment (identification and scoping) precedes containment or remediation. Without investigation, reverting or disabling could destroy forensic evidence or disrupt legitimate services.

Exam trap

The trap here is that candidates often jump to immediate containment (revert or disable) without recognizing that the first step in incident response is always to verify and scope the incident before taking action.

How to eliminate wrong answers

Option B is wrong because notifying the server owner is premature; the security administrator must first gather information about the change to provide accurate context. Option C is wrong because reverting the server to the last known good configuration could destroy forensic evidence and may not address the root cause, potentially allowing the change to reoccur. Option D is wrong because disabling the server's network access is a containment step that should only be taken after investigation confirms malicious intent or immediate threat, as it could cause unnecessary service disruption.

694
MCQmedium

A healthcare organization is implementing an access control system to ensure that employees can only access patient records necessary for their job functions. Which model best enforces this principle?

A.Role-Based Access Control (RBAC)
B.Rule-Based Access Control (RuBAC)
C.Discretionary Access Control (DAC)
D.Mandatory Access Control (MAC)
AnswerA

RBAC assigns permissions to roles based on job functions, and users are assigned to roles, effectively enforcing least privilege.

Why this answer

Role-Based Access Control (RBAC) is the correct model because it assigns permissions based on job roles, ensuring employees only access patient records necessary for their duties. In healthcare, RBAC aligns with the principle of least privilege by mapping roles (e.g., nurse, doctor, billing) to specific data access, as defined in standards like NIST SP 800-53. This directly enforces the requirement that access is tied to job functions, not individual discretion or system-wide rules.

Exam trap

ISC2 often tests the distinction between RBAC and Rule-Based Access Control, where candidates mistakenly choose RuBAC because they confuse 'rules' with 'roles,' not realizing RuBAC applies static conditions to all users rather than dynamic role assignments.

How to eliminate wrong answers

Option B (Rule-Based Access Control) is wrong because it uses global rules (e.g., time-of-day or IP-based conditions) applied uniformly to all users, not role-specific job functions, making it too coarse for granular patient record access. Option C (Discretionary Access Control) is wrong because it allows data owners to grant access at their discretion, violating the mandatory job-function restriction and risking unauthorized sharing of patient records. Option D (Mandatory Access Control) is wrong because it enforces system-wide labels (e.g., classification levels like 'Confidential') rather than job roles, which is overly rigid and does not map to specific healthcare job functions.

695
MCQhard

Which network security control can enforce that only authorized devices with current antivirus and patches can connect to the network?

A.Firewall rules
B.Network Access Control
C.Intrusion Prevention System
D.Port security
AnswerB

NAC assesses device health (e.g., antivirus, patches) before allowing network access.

Why this answer

Network Access Control (NAC) enforces security policies by checking device compliance before granting access, typically using 802.1X for authentication and quarantine for non-compliant devices.

696
MCQmedium

Based on the exhibit, what is the most likely cause of the web application outage?

A.Network connectivity issue between web and DB
B.Application pool memory leak
C.SQL Server service is down
D.Database server disk failure
AnswerC

The 'Connection refused' error on port 1433 indicates the SQL Server is not listening or is down.

Why this answer

The exhibit shows that the web application is returning HTTP 500 errors, which typically indicate a server-side issue. Since the web server can connect to the database server (as shown by the successful ping), but the application fails, the most likely cause is that the SQL Server service is down, preventing the application from executing queries. This aligns with the correct answer C.

Exam trap

The trap here is that candidates assume a successful ping implies full database availability, but ping only tests network layer connectivity, not the application layer service (SQL Server).

How to eliminate wrong answers

Option A is wrong because the exhibit shows a successful ping from the web server to the database server, indicating network connectivity is intact. Option B is wrong because a memory leak in the application pool would cause gradual performance degradation or application crashes, not an immediate HTTP 500 error with successful network connectivity. Option D is wrong because a disk failure would likely cause SQL Server to log errors or fail to start, but the exhibit does not show disk-related symptoms; the immediate cause is the SQL Server service being down, not the underlying storage.

697
MCQmedium

A security metric shows that patch compliance is at 85%. The goal is 95%. Which action should be taken first?

A.Increase the frequency of vulnerability scans
B.Disable automatic updates to prevent issues
C.Prioritize patching based on vulnerability criticality
D.Exclude non-critical systems from patching
AnswerC

Focuses resources on most critical patches first.

Why this answer

To improve patch compliance, prioritize patching based on vulnerability criticality to address highest risk first.

698
MCQeasy

After containing a malware outbreak, the incident response team needs to ensure the malware is completely removed from all systems. Which phase of the incident response process is this?

A.Post-Incident
B.Eradication
C.Detection
D.Recovery
AnswerB

Eradication involves removing malware and closing vulnerabilities.

Why this answer

The eradication phase is specifically focused on removing the root cause of the incident, such as deleting malware files, registry keys, and disabling malicious services from all affected systems. After containment (which stops the spread), eradication ensures the threat is completely eliminated before recovery begins. This aligns with the NIST SP 800-61 incident response lifecycle, where eradication follows containment and precedes recovery.

Exam trap

The trap here is confusing eradication with recovery, as candidates often think 'removing malware' is part of getting systems back online, but recovery only begins after the threat is fully eradicated to avoid restoring infected data.

How to eliminate wrong answers

Option A is wrong because the post-incident phase occurs after recovery and involves lessons learned, documentation, and forensic analysis, not active removal of malware. Option C is wrong because detection is the initial phase where the incident is identified through alerts or anomalies, not the phase for removing the threat. Option D is wrong because recovery focuses on restoring systems to normal operation (e.g., restoring from clean backups, reconnecting to networks) after the malware has already been eradicated.

699
Multi-Selecthard

A network administrator is designing a secure remote access solution for employees using company laptops. The solution must support strong authentication, encryption, and be resistant to man-in-the-middle attacks. Which THREE components should be included?

Select 3 answers
A.L2TP tunneling protocol
B.EAP-TLS for authentication
C.IPsec in tunnel mode
D.PPTP with MPPE encryption
E.IKEv2 key exchange protocol
AnswersB, C, E

EAP-TLS uses certificates for mutual authentication, preventing MITM.

Why this answer

IKEv2 supports strong authentication and mobility; EAP-TLS provides certificate-based authentication; IPsec provides encryption and authentication.

700
MCQmedium

A security analyst is tuning a SIEM to reduce false positives. Which of the following actions is most likely to reduce false positives while maintaining detection of real threats?

A.Increase the severity of all alerts to high
B.Modify correlation rules to require multiple events before alerting
C.Disable all anomaly-based detection rules
D.Create a whitelist for known benign IP addresses
AnswerB

Requiring multiple events reduces single-event false positives and improves signal-to-noise ratio.

Why this answer

Modifying correlation rules to require multiple events before alerting reduces false positives by ensuring that a single benign event does not trigger an alert. This technique, often called 'thresholding' or 'event correlation,' filters out noise while still detecting multi-step attack patterns, such as a brute-force login attempt that requires multiple failed logins within a time window.

Exam trap

The trap here is that candidates often confuse 'reducing false positives' with 'eliminating all alerts,' leading them to choose disabling detection rules (Option C) or whitelisting (Option D), rather than understanding that correlation tuning preserves detection capability while filtering noise.

How to eliminate wrong answers

Option A is wrong because increasing the severity of all alerts to high does not reduce false positives; it merely reclassifies them, potentially causing alert fatigue and desensitizing analysts to critical incidents. Option C is wrong because disabling all anomaly-based detection rules would eliminate the ability to detect unknown or zero-day threats, which rely on behavioral baselines rather than static signatures. Option D is wrong because creating a whitelist for known benign IP addresses reduces false positives only for those specific IPs, but does not address false positives from other sources or from legitimate traffic that does not match the whitelist; it also risks missing real threats if an attacker spoofs a whitelisted IP.

701
Multi-Selecteasy

A company is adopting a role-based access control (RBAC) model. Which TWO principles are fundamental to RBAC?

Select 2 answers
A.Roles can be organized in a hierarchy to inherit permissions
B.Users are assigned to roles based on their job functions
C.Access is controlled by the data owner
D.Permissions are assigned directly to users
E.Access decisions are based on subject and object attributes
AnswersA, B

Role hierarchy allows senior roles to inherit permissions from junior roles.

Why this answer

RBAC assigns permissions to roles, and users are members of roles. Least privilege and separation of duties are enforced through role design.

702
MCQhard

A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A.$1,000,000
B.$800,000
C.$2,000,000
D.$2,500,000
AnswerA

Correct calculation: SLE = $5M × 0.4 = $2M; ALE = $2M × 0.5 = $1M.

Why this answer

The annualized loss expectancy (ALE) is calculated as single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). SLE is asset value ($5,000,000) times exposure factor (40%) = $2,000,000. Then ALE = $2,000,000 × 0.5 = $1,000,000.

This quantitative risk analysis formula is standard in financial risk assessments for payment systems.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who stop after calculating SLE ($2,000,000) and forget to multiply by the ARO (0.5).

How to eliminate wrong answers

Option B ($800,000) is wrong because it incorrectly multiplies the asset value by the ARO without applying the exposure factor (i.e., $5,000,000 × 0.5 × 0.4? No, it's $5,000,000 × 0.4 × 0.5 = $1,000,000; $800,000 suggests a miscalculation like using 0.4 × 0.5 = 0.2 then $5,000,000 × 0.2 = $1,000,000? Actually $800,000 would come from $5,000,000 × 0.4 × 0.4 or similar error). Option C ($2,000,000) is wrong because it represents the SLE only (asset value × exposure factor) and fails to multiply by the ARO of 0.5. Option D ($2,500,000) is wrong because it incorrectly multiplies the asset value by the ARO only ($5,000,000 × 0.5) and ignores the exposure factor entirely.

703
MCQmedium

A company stores log files on a dedicated log server. To ensure log integrity, they implement a solution where logs are written to a WORM (Write Once, Read Many) device. Which property does this primarily protect?

A.Integrity
B.Non-repudiation
C.Availability
D.Confidentiality
AnswerA

WORM ensures logs cannot be altered, preserving integrity.

Why this answer

WORM (Write Once, Read Many) technology ensures that once data is written, it cannot be altered, deleted, or overwritten. This directly protects the integrity of the log files by preventing any unauthorized or accidental modification, which is critical for maintaining a reliable audit trail.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, thinking that preventing modification also proves who wrote the data, but WORM alone does not provide cryptographic proof of origin.

How to eliminate wrong answers

Option B is wrong because non-repudiation is primarily about proving the origin of data (e.g., through digital signatures or PKI), not about preventing modification after writing. Option C is wrong because availability concerns ensuring data is accessible when needed, which WORM does not directly address (it may even hinder availability if the device fails). Option D is wrong because confidentiality involves preventing unauthorized access or disclosure, whereas WORM focuses on write protection, not read access controls.

704
Matchingmedium

Match each access control model to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Owner sets permissions

System-enforced labels

Roles determine access

Attributes and policies

Why these pairings

These are the four primary access control models.

705
Multi-Selecthard

Which THREE of the following are security features of WPA3 compared to WPA2? (Select THREE)

Select 3 answers
A.Backward compatibility with WEP
B.Protected Management Frames (PMF) mandatory
C.192-bit security suite for Enterprise mode
D.Simultaneous Authentication of Equals (SAE) replaces PSK
E.Use of TKIP encryption
AnswersB, C, D

PMF is required in WPA3.

Why this answer

WPA3 introduces SAE (Simultaneous Authentication of Equals) to replace PSK, provides 192-bit security in Enterprise mode, and mandates PMF (Protected Management Frames).

706
Multi-Selectmedium

A company is migrating from WPA2 to WPA3 for wireless security. Which THREE features does WPA3 introduce? (Select three)

Select 3 answers
A.192-bit security suite for Enterprise networks
B.Wi-Fi Protected Setup (WPS)
C.Simultaneous Authentication of Equals (SAE)
D.Protected Management Frames (PMF) mandatory
E.CCMP encryption as mandatory
AnswersA, C, D

WPA3-Enterprise offers 192-bit minimum security strength.

Why this answer

WPA3 introduces SAE (Simultaneous Authentication of Equals) to replace PSK, mandates PMF (Protected Management Frames), and offers 192-bit security for Enterprise mode. WPS is removed in WPA3. CCMP is used in WPA2 as well.

707
MCQeasy

An administrator wants to ensure that users cannot share passwords. Which control is most effective at reducing the risk of password sharing?

A.Account lockout policies
B.Multifactor authentication
C.Password complexity
D.Password history
AnswerB

MFA requires a second factor that is often physical or biometric, making it difficult to share credentials.

Why this answer

Multifactor authentication (MFA) is the most effective control because it requires users to present two or more distinct factors (e.g., something you know, something you have, something you are) to authenticate. Even if a user shares their password (something you know), an attacker cannot authenticate without the second factor (e.g., a one-time passcode from a hardware token or biometric). This directly reduces the risk of password sharing by making the shared credential insufficient for access.

Exam trap

The trap here is that candidates often choose password complexity or account lockout policies because they associate them with 'stronger security,' but they fail to recognize that these controls do not address the specific threat of voluntary password sharing, which MFA directly mitigates by adding an independent authentication factor.

How to eliminate wrong answers

Option A is wrong because account lockout policies (e.g., locking after 5 failed attempts) are designed to prevent brute-force attacks, not to prevent users from voluntarily sharing their passwords; a shared password still works until the account is locked. Option C is wrong because password complexity (e.g., requiring uppercase, numbers, symbols) only makes passwords harder to guess or crack, but does nothing to stop a user from sharing that complex password with another person. Option D is wrong because password history (e.g., remembering the last 10 passwords) prevents users from reusing old passwords, but it has no effect on sharing the current password with others.

708
MCQmedium

A company uses multiple virtual machines on a single hypervisor. To prevent a VM from escaping its virtualized environment and compromising the hypervisor, which of the following should be implemented?

A.Use a separate network for VM management traffic
B.Apply hypervisor security patches and disable unnecessary VM guest tools
C.Deploy a host-based firewall on each VM
D.Enable VM snapshots to restore in case of compromise
AnswerB

Patching hypervisor and minimizing guest tools reduce the risk of VM escape.

Why this answer

VM escape attacks exploit vulnerabilities in the hypervisor. Keeping the hypervisor patched and disabling unnecessary VM guest tools reduces attack surface.

709
MCQeasy

An organization wants to protect endpoints from ransomware that encrypts files and demands payment. Which control should be implemented FIRST?

A.Deploy email spam filtering
B.Implement application whitelisting
C.Conduct user security awareness training
D.Enable file-level backup to a separate location
AnswerB

Blocks unauthorized executables from running.

Why this answer

Option B is correct because application whitelisting blocks unauthorized executables, including ransomware, from running. Option A is wrong because email filtering can reduce but not block all ransomware delivery. Option C is wrong because user training is important but not a technical control that immediately prevents execution.

Option D is wrong because backups help recovery but do not prevent infection.

710
Multi-Selectmedium

A security analyst is reviewing application security and identifies risks related to the OWASP Top 10. Which THREE are examples of OWASP Top 10 vulnerabilities? (Select THREE.)

Select 3 answers
A.Security Misconfiguration
B.Injection
C.Man-in-the-Middle (MitM)
D.Cross-Site Scripting (XSS)
E.Buffer overflow
AnswersA, B, D

Misconfiguration is a widespread issue in the OWASP Top 10.

Why this answer

Injection, XSS, and Security Misconfiguration are classic OWASP Top 10 categories.

711
MCQmedium

A new employee needs access to the CRM, email, and file servers. The security policy requires that access privileges are granted based on job function. Which process should be used?

A.The employee completes a request form detailing the access they need
B.The IT department grants full access to all systems and later reviews
C.The identity management team assigns the employee to a role that includes the necessary permissions
D.The employee's supervisor decides which access is appropriate and informs IT
AnswerC

Role-based access control aligns with job functions.

Why this answer

Option C is correct because role-based access control (RBAC) assigns permissions based on job functions, not individual requests or ad-hoc approvals. By placing the employee into a predefined role (e.g., 'Sales Rep'), the identity management team ensures that the CRM, email, and file server permissions are granted consistently and in compliance with the security policy. This process enforces the principle of least privilege and simplifies auditing.

Exam trap

The trap here is that candidates often choose the supervisor's approval (Option D) because it seems logical, but the SSCP exam emphasizes automated role-based assignment over manual approval to enforce consistent, policy-driven access control.

How to eliminate wrong answers

Option A is wrong because allowing the employee to self-select access needs violates the principle of least privilege and bypasses the job-function-based policy; it introduces risk of over-provisioning. Option B is wrong because granting full access upfront and reviewing later is a 'trust but verify' model that contradicts the security policy's requirement to grant access based on job function, and it creates a window of excessive privilege. Option D is wrong because while the supervisor may understand the role, the decision should be automated through role assignment rather than relying on a manual, subjective decision that could lead to inconsistent or excessive permissions.

712
MCQmedium

An organization's disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. Which of the following DR site configurations BEST meets these requirements?

A.Cold site with weekly backup tapes shipped offsite
B.Cloud-based cold site with daily backups
C.Hot site with synchronous replication
D.Warm site with hourly log shipping to a standby database
AnswerD

Hourly log shipping achieves RPO of 1 hour; warm site provides hardware ready for activation within hours, meeting RTO.

Why this answer

Option D is correct because a warm site with hourly log shipping to a standby database can achieve an RPO of 1 hour (by losing at most one hour of transactions) and an RTO of 4 hours (by applying the logs and bringing the standby online within that window). The standby database is kept nearly current with minimal lag, meeting both recovery objectives without the cost of full synchronous replication.

Exam trap

The trap here is that candidates often choose a hot site (Option C) because it provides the best protection, but the question asks for the configuration that BEST meets the specified RTO/RPO, not the most robust or expensive option, making the warm site the most cost-effective and appropriate choice.

How to eliminate wrong answers

Option A is wrong because a cold site requires hardware setup and restoration from weekly backup tapes, which cannot meet a 4-hour RTO (setup alone often takes days) and the weekly backups exceed the 1-hour RPO (potential data loss of up to a week). Option B is wrong because a cloud-based cold site still requires provisioning resources and restoring from daily backups, which cannot achieve a 4-hour RTO (provisioning and restoration take longer) and the daily backups exceed the 1-hour RPO (potential data loss of up to 24 hours). Option C is wrong because a hot site with synchronous replication provides near-zero RPO and very low RTO (minutes), which over-delivers on the requirements and is unnecessarily expensive; the question asks for the configuration that BEST meets the stated RTO/RPO, not exceeds them with higher cost.

713
MCQeasy

During an incident, the IR team needs to collect volatile data. Which order should they follow?

A.Hard disk, memory, network connections, running processes
B.Network connections, running processes, memory, hard disk
C.Running processes, memory, network connections, hard disk
D.Memory, running processes, network connections, hard disk
AnswerD

Memory is the most volatile and should be captured first.

Why this answer

Option D is correct because volatile data must be collected in order of decreasing volatility to minimize data loss. Memory (RAM) is the most volatile, followed by running processes, network connections, and finally the hard disk, which is non-volatile. This order ensures that transient evidence (e.g., encryption keys, active network sessions) is captured before it disappears.

Exam trap

ISC2 often tests the order of volatility (OOV) principle, and the trap here is that candidates mistakenly think running processes are more volatile than memory, or they confuse the order by prioritizing network connections over process state.

How to eliminate wrong answers

Option A is wrong because it starts with the hard disk, which is non-volatile, and delays collection of memory and network connections, risking loss of critical transient data. Option B is wrong because it places network connections before running processes and memory, but network connections depend on process state and can change rapidly; memory should be captured first to preserve process artifacts. Option C is wrong because it lists running processes before memory, but memory contains the actual process data (e.g., code, variables) that must be captured before processes are terminated or altered.

714
MCQmedium

Which access control mechanism most likely failed to prevent this unauthorized privilege escalation?

A.Sudoers configuration
B.Account lockout policy
C.Password policy
D.SELinux
AnswerB

An account lockout policy would have locked the account after a threshold of failed attempts, preventing the eventual successful login.

Why this answer

An account lockout policy is designed to prevent brute-force attacks by locking an account after a specified number of failed login attempts. In the context of unauthorized privilege escalation, a lockout policy would not prevent a user who already has valid credentials from escalating privileges through other means, such as exploiting a misconfigured sudoers file or a kernel vulnerability. Therefore, the failure of the account lockout policy is the most likely mechanism that allowed the escalation, as it does not control what an authenticated user can do after login.

Exam trap

ISC2 often tests the misconception that account lockout policies are a catch-all defense against unauthorized access, when in fact they only prevent brute-force login attempts and do not control actions taken by an already authenticated user.

How to eliminate wrong answers

Option A is wrong because the sudoers configuration directly controls which users can execute commands with elevated privileges; if it were misconfigured (e.g., allowing a user to run all commands as root without a password), it could be the mechanism that failed, but the question asks which mechanism most likely failed to prevent the escalation, and a lockout policy is unrelated to post-authentication privilege escalation. Option C is wrong because a password policy (e.g., complexity, length, history) only affects the strength of user passwords and does not prevent an authorized user from escalating privileges after successful authentication. Option D is wrong because SELinux is a mandatory access control (MAC) system that enforces security policies at the kernel level, and while it can limit privilege escalation, its failure would be due to misconfiguration or being in permissive mode, not because of a lockout policy; the lockout policy is the least relevant to the escalation event.

715
MCQmedium

A Linux system administrator needs to restrict network traffic to a server, allowing only HTTP and HTTPS from the internet. Which tool should be used to configure packet filtering rules?

A.PAM
B.SELinux
C.auditd
D.iptables
AnswerD

iptables is a packet filter firewall utility.

Why this answer

iptables or nftables are Linux firewall tools for packet filtering. PAM handles authentication. SELinux enforces MAC. auditd logs events.

They do not filter network traffic.

716
MCQeasy

Which of the following is a secure protocol for remote administration of a server, replacing insecure protocols like Telnet?

A.FTP
B.SSH
C.HTTP
D.Telnet
AnswerB

SSH encrypts all traffic, making it secure for remote administration.

Why this answer

SSH (Secure Shell) is the correct answer because it provides encrypted remote administration capabilities, replacing insecure protocols like Telnet that transmit data in plaintext. SSH uses public-key cryptography for authentication and symmetric encryption (e.g., AES, ChaCha20) for session confidentiality, protecting against eavesdropping and man-in-the-middle attacks.

Exam trap

The trap here is that candidates may confuse Telnet with SSH or think that FTP or HTTP can be used for remote administration, but the question specifically asks for a secure replacement for Telnet, which is SSH.

How to eliminate wrong answers

Option A (FTP) is wrong because it is a file transfer protocol, not a remote administration protocol, and it transmits credentials and data in plaintext unless secured with FTPS or SFTP. Option C (HTTP) is wrong because it is a web protocol used for transferring hypertext, not for remote server administration, and it lacks encryption by default (HTTPS is the secure variant). Option D (Telnet) is wrong because it is the very insecure protocol that SSH replaces, sending all data including passwords in cleartext over TCP port 23.

717
Multi-Selecteasy

During the containment phase of incident response, a security analyst identifies malware on a critical server. Which TWO actions should be taken FIRST to contain the threat and preserve evidence? (Choose two.)

Select 2 answers
A.Capture a forensic image of the hard drive.
B.Reboot the server to clear the malware from memory.
C.Disconnect the network cable from the server.
D.Run a full antivirus scan on the server.
E.Capture the contents of RAM using a tool like WinPmem.
AnswersC, E

This prevents the malware from communicating with command-and-control servers and spreading to other systems.

Why this answer

The immediate priority is to isolate the affected server from the network to prevent lateral movement and to capture volatile evidence (RAM) before it is lost. Disconnecting the network cable stops network-level spread, and capturing RAM preserves critical volatile data for forensic analysis.

718
Multi-Selectmedium

A security analyst is investigating a network incident. Which TWO of the following are indicators of a man-in-the-middle attack using ARP spoofing? (Select TWO)

Select 2 answers
A.High number of TCP retransmissions from a single host.
B.An ARP entry for the default gateway points to an unknown MAC address.
C.The ARP cache shows two different MAC addresses for the same IP address (e.g., gateway IP).
D.The switch's CAM table has multiple MAC entries on the same port.
E.Multiple IP addresses resolve to the same MAC address in the ARP cache.
AnswersB, C

The attacker's MAC is associated with the gateway IP.

Why this answer

Duplicate MAC addresses for the same IP (since attacker claims the IP) and an entry matching the attacker's MAC with the gateway IP indicate ARP spoofing.

719
MCQhard

A helpdesk ticket reports that users can browse internal web servers but cannot access external websites. The IT team checks firewall logs and sees dropped packets with the DF flag set. What is the most likely cause?

A.The firewall is blocking outbound TCP port 80 and 443.
B.A firewall is blocking ICMP 'fragmentation needed' messages, preventing Path MTU Discovery.
C.The DNS server is not resolving external domain names.
D.The switch port connecting the firewall is set to the wrong VLAN.
AnswerB

This is a classic problem where DF packets are dropped because the firewall blocks ICMP type 3 code 4 messages.

Why this answer

The DF (Don't Fragment) flag being set in dropped packets indicates that packets are too large to traverse a network path without fragmentation, but the firewall is blocking the ICMP 'fragmentation needed' (Type 3, Code 4) messages. Without these ICMP messages, Path MTU Discovery (PMTUD) fails, causing the sending host to believe the packet was delivered when it was actually dropped. This prevents external websites from loading while internal servers (likely on the same MTU-friendly network) remain accessible.

Exam trap

The trap here is that candidates often assume the DF flag indicates a firewall rule explicitly blocking fragmented packets, rather than recognizing it as a symptom of missing ICMP feedback in the PMTUD process.

How to eliminate wrong answers

Option A is wrong because blocking outbound TCP ports 80 and 443 would prevent all HTTP/HTTPS traffic, not just external websites, and the DF flag behavior is unrelated to port blocking. Option C is wrong because DNS resolution failure would prevent name resolution for both internal and external sites, but users can browse internal web servers, indicating DNS is working. Option D is wrong because a wrong VLAN on the switch port would cause complete connectivity loss to the firewall, not selective dropping of packets with the DF flag.

720
MCQeasy

A web application is vulnerable to SQL injection. Which security control would be MOST effective at detecting and blocking such attacks at the network perimeter?

A.Intrusion Detection System (IDS)
B.Web Application Firewall (WAF)
C.Application whitelisting
D.Host-based firewall
AnswerB

WAF specifically inspects HTTP/HTTPS traffic and blocks OWASP Top 10 attacks.

Why this answer

A Web Application Firewall (WAF) inspects HTTP traffic and can block injection attacks.

721
MCQmedium

Which UDP port is used by the Simple Network Management Protocol (SNMP) for receiving traps?

A.UDP 161
B.UDP 162
C.UDP 123
D.UDP 514
AnswerB

UDP 162 is used for SNMP traps.

Why this answer

SNMP traps are sent from agents to managers on UDP port 162, while SNMP queries typically use port 161.

722
MCQmedium

A company is implementing a biometric authentication system for physical access to a data center. The system must minimize false acceptances. Which metric is most directly related to false acceptance rate (FAR)?

A.Crossover error rate (CER)
B.Equal error rate (EER)
C.False rejection rate (FRR)
D.Threshold setting
AnswerD

The threshold determines how closely a biometric sample must match the stored template; a stricter threshold lowers FAR.

Why this answer

FAR is the rate at which an unauthorized person is incorrectly accepted. The threshold setting directly impacts FAR; a lower threshold reduces FAR but may increase FRR.

723
MCQhard

An organization uses User Behavior Analytics (UBA) to detect insider threats. Which of the following activities would most likely trigger an alert for a compromised account?

A.User receives a large number of emails
B.User logs in from a recognized corporate device
C.User attempts to access a database at 2:00 AM, which is outside their normal pattern
D.User accesses the same files as usual during business hours
AnswerC

Deviations from baseline (time, location) are strong indicators.

Why this answer

User Behavior Analytics (UBA) establishes a baseline of normal user activity, including typical login times, locations, and access patterns. An attempt to access a database at 2:00 AM, which falls outside the user's established temporal baseline, represents a significant deviation that UBA algorithms flag as anomalous. This behavior is a classic indicator of a compromised account, as attackers often operate during off-hours to avoid detection.

Exam trap

The trap here is that candidates may confuse 'anomalous behavior' with 'malicious behavior,' but UBA specifically flags deviations from a baseline, and off-hours access is a textbook anomaly for a compromised account, whereas the other options represent normal or expected activities.

How to eliminate wrong answers

Option A is wrong because receiving a large number of emails is a common occurrence and does not inherently indicate compromise; UBA focuses on deviations in access and authentication patterns, not email volume. Option B is wrong because logging in from a recognized corporate device is expected behavior and aligns with the user's baseline, thus it would not trigger an alert for a compromised account. Option D is wrong because accessing the same files as usual during business hours is consistent with the user's normal pattern and would be considered low-risk, not indicative of compromise.

724
MCQmedium

A security analyst receives a user report about a workstation exhibiting unusual behavior, such as unexpected pop-ups and slow performance. The analyst first checks the antivirus logs and finds no alerts. What is the NEXT step in the detection and analysis phase?

A.Escalate the incident to senior management
B.Isolate the workstation from the network immediately
C.Perform a forensic memory capture
D.Classify the severity of the potential incident
AnswerD

Severity classification helps determine the appropriate response priority.

Why this answer

According to incident response best practices, after initial detection, the next step is to classify the severity of the potential incident to prioritize response efforts.

725
Multi-Selecthard

Which THREE of the following are common methods for implementing multifactor authentication (MFA)?

Select 3 answers
A.Retina scan and facial recognition
B.Password and SMS code
C.Smart card and PIN
D.Password and security question
E.Fingerprint and smart card
AnswersB, C, E

Something you know (password) + something you have (phone for SMS).

Why this answer

Option B is correct because it combines something you know (password) with something you have (SMS code sent to a registered device). This satisfies the MFA requirement of using at least two distinct authentication factors, making it significantly more secure than single-factor password-only authentication.

Exam trap

ISC2 often tests the distinction between using multiple instances of the same factor (e.g., two biometrics or two passwords) versus using factors from different categories, which is the core requirement for true MFA.

726
MCQmedium

During a full interruption test of the disaster recovery plan, which of the following is the PRIMARY risk?

A.Vendor unavailability during the test
B.Employee confusion about their roles
C.Extended downtime or data loss if the plan fails
D.Cost overruns due to overtime pay
AnswerC

The realistic nature of the test can lead to actual outages if not carefully managed.

Why this answer

Full interruption tests involve actually failing over to the DR site, which may cause extended downtime or data loss if the plan has flaws or if the DR site fails.

727
MCQmedium

A company has a Recovery Time Objective (RTO) of 4 hours for its critical database. Which backup strategy best supports this RTO?

A.Daily full backups to disk
B.Weekly full backups to tape
C.Hourly incremental backups to disk
D.Monthly full backups with daily differentials to tape
AnswerC

Frequent backups reduce data loss and disk allows fast recovery.

Why this answer

To meet a short RTO, backup frequency should be high and restoration quick, so frequent backups to fast media are needed.

728
MCQmedium

You work for a hospital that has recently transitioned to an electronic health record (EHR) system. The system stores protected health information (PHI) and must comply with HIPAA. The hospital's security policy requires that all access to PHI be logged and that any unauthorized access be detected promptly. The IT department has implemented logging on the EHR system, but the security team is overwhelmed by the volume of logs and cannot review them in a timely manner. Additionally, there have been incidents where employees accessed patient records without a legitimate need, but these were only discovered months later during random audits. The hospital needs to improve its detection capabilities. Which of the following is the most effective solution?

A.Deploy a Security Information and Event Management (SIEM) system with automated alerting.
B.Retain logs for a longer period to allow more thorough audits.
C.Assign additional staff to manually review logs on a daily basis.
D.Increase the verbosity of logging to capture more details.
AnswerA

SIEM aggregates logs, detects anomalies, and alerts in real time, improving detection.

Why this answer

A SIEM system aggregates logs from the EHR system and applies correlation rules to detect patterns indicative of unauthorized access, such as an employee viewing records outside their department or during off-hours. It generates real-time alerts, enabling the security team to respond promptly rather than relying on manual log review. This directly addresses the problem of being overwhelmed by log volume and delayed detection.

Exam trap

The trap here is that candidates may think increasing log verbosity or retention improves detection, but without automated analysis, more data only worsens the signal-to-noise ratio and delays incident discovery.

How to eliminate wrong answers

Option B is wrong because retaining logs for a longer period does not improve detection speed; it only preserves evidence for later audits, which still occur months after the incident. Option C is wrong because assigning additional staff to manually review logs is not scalable and would still be overwhelmed by the high volume of logs, leading to delayed or missed detections. Option D is wrong because increasing log verbosity would generate even more log data, exacerbating the existing problem of log overload without providing automated analysis or alerting.

729
MCQeasy

A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

A.Password spraying
B.Brute force attack
C.Credential stuffing
D.Social engineering
AnswerB

Multiple attempts from a single source indicate brute force.

Why this answer

A brute force attack involves systematically trying all possible password combinations until the correct one is found. The log pattern of multiple failed attempts from a single external IP followed by a success is the classic signature of a brute force attack, as the attacker iterates through a password list or character space against the same username.

Exam trap

The trap here is that candidates confuse 'brute force' with 'credential stuffing' because both involve multiple login attempts, but credential stuffing uses known breached credentials (often from different IPs) and shows a higher initial success rate, whereas brute force targets a single account with many guesses from one IP.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a small set of common passwords against many usernames, not multiple failed attempts from a single IP against one account. Option C is wrong because credential stuffing uses previously breached username/password pairs from other services, which would typically show a high success rate or rapid failures, not a long sequence of failures from one IP. Option D is wrong because social engineering relies on manipulating users (e.g., phishing or pretexting) to reveal credentials, not on automated login attempts visible in logs.

730
MCQeasy

A security analyst is reviewing the access control policy and notices that some users have been granted 'write' access to a directory that contains sensitive financial reports. Which principle of information security is being violated?

A.Non-repudiation
B.Least privilege
C.Availability
D.Confidentiality
AnswerB

Granting more access than needed violates least privilege.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. Granting 'write' access to a directory containing sensitive financial reports to users who do not require that level of access violates this principle, as it introduces unnecessary risk of unauthorized modification or data leakage.

Exam trap

The trap here is that candidates may confuse the violation of least privilege with a breach of confidentiality, but the question specifically highlights the granting of unnecessary write permissions, which is a direct violation of the least privilege principle, not merely a confidentiality issue.

How to eliminate wrong answers

Option A is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures or audit logs, and is not directly related to the level of access granted. Option C is wrong because availability ensures that systems and data are accessible when needed, often addressed through redundancy and fault tolerance, not by restricting write permissions. Option D is wrong because confidentiality protects data from unauthorized disclosure, which is a concern here, but the specific violation described is the granting of excessive permissions (write access) rather than the exposure of data itself; the core principle being violated is least privilege, not confidentiality.

731
MCQeasy

An organization uses role-based access control (RBAC). An employee transfers from the Sales department to the Marketing department. What is the most secure way to update the employee's access?

A.Remove the Sales role and then add the Marketing role
B.Add the Marketing role and remove the Sales role after 30 days
C.Modify the Sales role to include Marketing permissions
D.Create a new custom role with combined permissions
AnswerA

This ensures no overlapping permissions.

Why this answer

In RBAC, access is determined by the roles assigned to a user. The most secure method is to remove the old role (Sales) first to eliminate any residual permissions, then add the new role (Marketing). This ensures the employee does not retain access to Sales resources during the transition, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates may think adding the new role first ensures continuity of access, but the most secure approach is to remove the old role first to prevent any period of dual access.

How to eliminate wrong answers

Option B is wrong because adding the Marketing role before removing the Sales role creates a 30-day window where the employee has permissions from both departments, violating least privilege and increasing the risk of unauthorized access. Option C is wrong because modifying the Sales role to include Marketing permissions would grant those permissions to all Sales users, not just the transferring employee, leading to privilege creep and potential data leakage. Option D is wrong because creating a new custom role with combined permissions is unnecessary and inefficient; it complicates role management and may inadvertently grant the employee access to both departments' resources if the Sales role is not removed.

732
Multi-Selecthard

Which THREE of the following are essential elements of an effective incident response plan? (Choose three.)

Select 3 answers
A.Containment, eradication, and recovery
B.Detection and analysis
C.Public relations and media notification
D.Cyber insurance purchasing
E.Preparation and training
AnswersA, B, E

These steps limit damage, remove threats, and restore operations.

Why this answer

The incident response plan lifecycle, as defined by NIST SP 800-61, includes four core phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Options A, B, and E directly map to these essential phases, ensuring the organization can detect an incident, contain it to prevent spread, eradicate the root cause, recover normal operations, and continuously improve through training and preparation.

Exam trap

The trap here is that candidates confuse supporting activities (like PR or insurance) with the mandatory operational phases defined in the NIST incident response lifecycle, leading them to select non-essential business functions instead of the core technical steps.

733
MCQmedium

A company uses role-based access control (RBAC). A user is assigned to the 'Sales' role, which grants access to CRM and reporting, and also to the 'Sales Manager' role, which grants additional access to team reports. However, the user cannot access team reports. What is the most likely cause?

A.An access control list on the report folder explicitly denies the 'Sales' role
B.The user account has been disabled
C.RBAC role hierarchy is not configured
D.The user's session is not properly managed
AnswerC

Without a hierarchy, the user's permissions are the union of both roles; if the system only uses the first role's permissions, team reports are inaccessible.

Why this answer

In RBAC, role hierarchy allows roles to inherit permissions from other roles. Without a configured hierarchy, the 'Sales Manager' role does not automatically inherit permissions from the 'Sales' role, and the user may not have direct permission to access team reports if that permission is only assigned to the 'Sales Manager' role but the user's effective permissions are not properly combined. The most likely cause is that the RBAC role hierarchy is not configured, so the user's membership in both roles does not result in the union of their permissions.

Exam trap

The trap here is that candidates assume assigning a user to multiple roles automatically grants the combined permissions of all roles, but without a configured role hierarchy or permission aggregation, the user may only have permissions from the primary role or the system may require explicit inheritance.

How to eliminate wrong answers

Option A is wrong because an explicit deny on the report folder would block access regardless of role membership, but the scenario states the user cannot access team reports despite being assigned the 'Sales Manager' role, which suggests the issue is with permission inheritance, not an explicit deny. Option B is wrong because if the user account were disabled, the user would not be able to access any resources, not just team reports, and the question implies the user can access CRM and reporting. Option D is wrong because session management issues would typically cause authentication or authorization failures across all resources, not a specific permission problem with team reports, and RBAC permissions are evaluated at the time of access request, not tied to session state.

734
Multi-Selectmedium

Which TWO of the following are functions of a network firewall?

Select 2 answers
A.Resolving domain names to IP addresses
B.Filtering traffic based on IP addresses and ports
C.Performing Network Address Translation (NAT)
D.Encrypting data at rest
E.Assigning IP addresses to hosts
AnswersB, C

Core function of a firewall.

Why this answer

Option B is correct because a network firewall's primary function is to enforce access control policies by filtering traffic based on Layer 3 (IP addresses) and Layer 4 (ports) information. This stateless or stateful inspection allows the firewall to permit or deny packets according to rules, such as allowing HTTP traffic (TCP port 80) from a specific source IP. This is a core security mechanism to segment networks and block unauthorized access.

Exam trap

The trap here is that candidates confuse optional features (like NAT or DHCP) with core firewall functions, or they mistake DNS resolution for a firewall capability, when the SSCP exam expects you to know that filtering based on IP/port is the fundamental purpose.

735
MCQmedium

After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

A.Disconnect the infected systems from the network.
B.Verify the integrity and cleanliness of the backup.
C.Contact law enforcement.
D.Restore all files from the most recent backup.
AnswerB

Ensuring backup is clean prevents re-infection.

Why this answer

Before restoring, ensure the backup system is not compromised. Option B is correct. Option A may restore malware; Option C is premature; Option D is not a first step.

736
MCQmedium

A company's VPN logs show that a user's account authenticated from two different geographic locations within a span of 10 minutes. The distances between locations make physical travel impossible. The security team investigates and finds that the user's password is complex and not shared. What is the MOST likely explanation?

A.The VPN server has a configuration error causing incorrect location logging.
B.The user's session token was stolen and used by an attacker.
C.The user's account is being used by multiple people with permission.
D.The user is using a VPN service to mask their true location.
AnswerB

A stolen session token allows reuse from a different location.

Why this answer

Option D is correct because the session token was likely stolen and reused from a different location. Option A is wrong; if the user used a VPN, their VPN connection would show one IP. Option B is wrong; a configuration error would affect multiple users.

Option C is wrong; multiple people using the account would imply password sharing, which is denied.

737
Multi-Selecteasy

Which TWO of the following are considered secure cryptographic hash functions as of current standards? (Select TWO.)

Select 2 answers
A.SHA-3
B.RC4
C.SHA-1
D.MD5
E.SHA-256
AnswersA, E

SHA-3 is the latest standard.

Why this answer

SHA-256 and SHA-3 are currently secure. MD5 and SHA-1 are broken or deprecated.

738
Matchingmedium

Match each cryptography term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Same key for encryption and decryption

Key pair: public and private

One-way function producing fixed output

Ensures authenticity and non-repudiation

Why these pairings

These are fundamental cryptography concepts.

739
MCQhard

A network analyst reviews firewall logs and sees multiple SYN packets to various ports from the same external IP in a short time, with no subsequent ACK. What is the most likely cause?

A.Brute force password attack on SSH
B.Distributed denial-of-service (DDoS) attack
C.ICMP ping sweep
D.Port scan using SYN scan technique
AnswerD

SYN scan is a common reconnaissance method.

Why this answer

A SYN scan sends SYN packets to multiple ports; if a port is open, the target responds with SYN-ACK, but the scanner never completes the handshake (no ACK). The absence of ACK packets after the SYN packets indicates the scanner is not establishing connections, which is characteristic of a SYN scan, not a brute force or DDoS attack.

Exam trap

ISC2 often tests the distinction between a SYN scan and a DDoS attack; the trap is that candidates see 'multiple SYN packets' and immediately think 'SYN flood DDoS,' but a SYN flood typically uses spoofed IPs and aims to exhaust resources, whereas a single IP scanning various ports without ACKs indicates reconnaissance.

How to eliminate wrong answers

Option A is wrong because a brute force password attack on SSH would involve repeated SSH connection attempts (complete TCP handshakes) to port 22, not just SYN packets to various ports without ACKs. Option B is wrong because a DDoS attack typically floods with traffic from many sources (distributed) to overwhelm a target, not just a single external IP sending SYN packets to various ports without completing connections. Option C is wrong because an ICMP ping sweep uses ICMP Echo Request packets, not TCP SYN packets, to discover live hosts.

740
MCQhard

A security analyst is reviewing a script that performs automated backups. The script uses a hardcoded password to connect to the database. What is the most secure alternative?

A.Change the password manually every week.
B.Store the password in an environment variable.
C.Replace the password with SSH key authentication.
D.Retrieve the password from a secrets management service at runtime.
E.Use a more complex password.
AnswerD

Secrets management (e.g., HashiCorp Vault) provides secure, audited access to credentials.

Why this answer

Option D is correct because using a secrets management solution centrally stores and rotates credentials, avoiding hardcoding. Option A (complex password) is still hardcoded; B (SSH keys) work for remote servers, not DB authentication; C (changing password manually) is not automated; E (using environment variables) is better but still exposed in process memory.

741
MCQhard

An incident responder is tasked with collecting forensic evidence from a compromised Linux server. Which command would the responder use to capture the contents of volatile memory (RAM) for analysis?

A.lime-forensics --dump /tmp/mem.lime
B.cat /proc/kcore > /tmp/mem.dump
C.memdump -o /tmp/mem.dump
D.dd if=/dev/mem of=/tmp/mem.dump bs=1M
AnswerA

LiME is the correct tool for Linux memory acquisition, outputting a .lime file.

Why this answer

Option A is correct because LiME (Linux Memory Extractor) is specifically designed to capture volatile memory from Linux systems with minimal footprint, outputting a raw memory dump that can be analyzed with tools like Volatility. The `--dump` flag directs the acquisition to a specified file, ensuring the capture is forensically sound by avoiding writes to the compromised filesystem where possible.

Exam trap

The trap here is that candidates often assume `dd if=/dev/mem` is a valid method for full RAM capture, not realizing that modern Linux kernels restrict access to `/dev/mem` to only the first megabyte, making it useless for forensic memory acquisition.

How to eliminate wrong answers

Option B is wrong because `/proc/kcore` is a pseudo-file representing the kernel's view of memory, but it is not a complete or forensically reliable capture of physical RAM; it may omit certain memory regions and can change during read, leading to an inconsistent snapshot. Option C is wrong because `memdump` is not a standard Linux command; it is a tool from the `memdump` package that captures memory from `/dev/mem`, but it is less reliable than LiME for volatile memory acquisition and may not handle modern kernel protections. Option D is wrong because `dd if=/dev/mem` attempts to read physical memory via the `/dev/mem` device, which on modern Linux kernels is restricted to the first 1 MB of RAM by default (due to the `CONFIG_STRICT_DEVMEM` kernel option), making it incapable of capturing the full RAM contents.

742
MCQmedium

A company uses virtual machines for development. To ensure isolation between VMs on the same host, which control is most important?

A.Antivirus on each VM
B.Hypervisor patching
C.Strong passwords for VM consoles
D.Virtual network segmentation
AnswerD

Network segmentation isolates traffic between VMs.

Why this answer

Virtual network segmentation prevents VM-to-VM attacks by isolating traffic. Hypervisor patching is important for security but does not directly provide isolation. Strong passwords protect console access but not network traffic.

Antivirus protects within each VM but not between them.

743
MCQeasy

Which of the following is the BEST definition of Recovery Point Objective (RPO)?

A.The cost of data recovery
B.The time it takes to recover data after a disaster
C.The maximum acceptable data loss in terms of time
D.The number of backup copies stored
AnswerC

RPO defines how much data loss is tolerable, e.g., 1 hour.

Why this answer

Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time, indicating how far back in time the data must be restored to resume operations after a disaster. It directly drives backup frequency and replication intervals, such as setting a 15-minute RPO requiring transaction log backups every 15 minutes in SQL Server or continuous data replication in a SAN environment.

Exam trap

Cisco often tests the confusion between RPO and RTO, where candidates mistakenly select 'the time it takes to recover data' (RTO) instead of the maximum acceptable data loss in time (RPO).

How to eliminate wrong answers

Option A is wrong because RPO is not a cost metric; cost of data recovery is typically associated with Recovery Cost Objective (RCO) or total cost of ownership, not RPO. Option B is wrong because the time to recover data after a disaster is defined as Recovery Time Objective (RTO), not RPO; RTO focuses on downtime duration, while RPO focuses on data loss tolerance. Option D is wrong because the number of backup copies stored relates to backup retention policies or the 3-2-1 rule, not RPO; RPO is a time-based metric, not a count of copies.

744
MCQhard

An organization is migrating from on-premises servers to a cloud IaaS model. The security team must ensure that virtual machine (VM) images are hardened before deployment. Which of the following is the MOST effective control to ensure consistency and compliance with security baselines?

A.Perform vulnerability scans on each VM after deployment
B.Apply the latest OS patches to each VM immediately after deployment
C.Create a golden image that is hardened and approved for use, and deploy VMs from that image
D.Train administrators on hardening procedures and rely on manual configuration
AnswerC

A golden image enforces a consistent secure baseline from the start.

Why this answer

Creating a golden image that is hardened and approved for use ensures that every VM deployed from it inherits a consistent, pre-configured security baseline. This approach eliminates configuration drift and manual errors by baking security controls into the image before deployment, making it the most effective control for consistency and compliance.

Exam trap

The trap here is that candidates often choose vulnerability scanning or patching because they focus on security after deployment, missing the core principle that proactive, immutable infrastructure via golden images is the most reliable way to enforce consistent baselines at scale.

How to eliminate wrong answers

Option A is wrong because performing vulnerability scans after deployment is a detective control, not a preventive one; it identifies issues but does not ensure consistent hardening across all VMs. Option B is wrong because applying patches after deployment is reactive and does not guarantee that other hardening configurations (e.g., registry settings, service disabling, group policies) are consistently applied. Option D is wrong because relying on manual configuration by administrators introduces human error and inconsistency, making it impossible to maintain a uniform security baseline across multiple VMs.

745
MCQmedium

A security analyst notices that an employee's account has been sending large amounts of data to an external IP address during non-business hours. The analyst suspects the employee's credentials have been compromised. What is the FIRST step the analyst should take according to incident response procedures?

A.Block the external IP address at the firewall.
B.Disable the employee's user account.
C.Contact law enforcement.
D.Inform the employee's manager.
AnswerB

This contains the incident by stopping the unauthorized activity.

Why this answer

Option A is correct because disabling the account immediately stops the malicious activity. Option B is wrong; blocking the IP may not stop the attacker if they have other methods. Option C is wrong; informing the manager is important but not the first action.

Option D is wrong; contacting law enforcement is premature.

746
MCQhard

A security analyst is investigating a network where an attacker successfully redirected traffic from a legitimate web server to a malicious server by corrupting the target domain's DNS records in a local resolver cache. Which attack technique was used?

A.SYN flood
B.DNS poisoning
C.ARP spoofing
D.Smurf attack
AnswerB

DNS poisoning corrupts DNS cache to redirect traffic.

Why this answer

DNS poisoning injects false DNS records into a resolver's cache, redirecting traffic to malicious sites.

747
MCQhard

During a vulnerability scan, a tool reports a critical vulnerability on a web server. The system owner claims it is a false positive because the server is not accessible from the internet. However, the server is accessible from the internal network. What is the best course of action?

A.Accept the risk and close the finding
B.Ignore the finding as the vulnerability scanner is known for false positives
C.Remove the server from the network to eliminate the risk
D.Verify the vulnerability manually and if confirmed, remediate according to internal risk
AnswerD

Manual verification confirms whether it's a true positive; if so, remediation should be prioritized based on internal risk.

Why this answer

Option D is correct because a vulnerability that is exploitable from the internal network still poses a significant risk, as internal threats (e.g., compromised endpoints, malicious insiders) can leverage it. The system owner’s claim that the server is not internet-facing does not negate the need for verification and remediation; internal attack surfaces must be managed according to the organization’s risk appetite. Manual verification ensures the scanner’s report is accurate, and if confirmed, remediation should follow internal risk-based prioritization.

Exam trap

The trap here is that candidates assume a server not accessible from the internet is automatically low-risk, ignoring the reality that internal network threats are a primary attack vector in many breaches, and that risk must be evaluated based on the asset’s exposure and criticality within the internal environment.

How to eliminate wrong answers

Option A is wrong because accepting the risk without verification ignores the fact that internal network access can lead to exploitation, and risk acceptance requires formal approval and justification, not a simple dismissal. Option B is wrong because dismissing a finding solely because the scanner is known for false positives is negligent; each finding must be manually verified, as scanners can produce both false positives and false negatives, and internal threats are real. Option C is wrong because removing the server from the network is an extreme, unnecessary measure that disrupts business operations; the correct approach is to verify and remediate the vulnerability, not isolate the asset without analysis.

748
MCQmedium

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address against an administrative account. The SIEM has not generated an alert. Which configuration change would best detect this scenario?

A.Enable signature-based detection on the IDS
B.Implement a host-based IDS on the server
C.Create a SIEM correlation rule to alert on multiple failed logins from the same source
D.Increase log retention to 1 year
AnswerC

A SIEM correlation rule can aggregate failed login events and trigger an alert when a threshold is met, which directly addresses the scenario.

Why this answer

Option C is correct because a SIEM correlation rule can specifically detect multiple failed login attempts from the same source IP address by aggregating and analyzing log events in real time. Unlike signature-based or host-based IDS solutions, a SIEM correlation rule can be tuned to match this exact behavioral pattern, triggering an alert when the configured threshold (e.g., 5 failures within 10 minutes) is exceeded. This directly addresses the gap where the SIEM failed to generate an alert due to the absence of such a rule.

Exam trap

The trap here is that candidates often confuse the roles of IDS/IPS and SIEM, mistakenly thinking signature-based or host-based IDS can natively correlate login failures from a single source, when in fact SIEM correlation rules are specifically designed for this multi-event behavioral detection.

How to eliminate wrong answers

Option A is wrong because signature-based detection on an IDS relies on known attack patterns (e.g., SQL injection signatures) and cannot detect behavioral anomalies like multiple failed logins from a single IP unless a specific signature is written for that pattern, which is inefficient and not the standard approach. Option B is wrong because a host-based IDS (HIDS) monitors local system calls and file integrity on the server, but it does not natively correlate login attempts across multiple log sources or aggregate events from a single source IP; it would only see individual login failures without context. Option D is wrong because increasing log retention to 1 year does not enable detection of ongoing attacks; it only preserves historical data for forensic analysis after an incident has occurred, failing to provide real-time alerting.

749
MCQmedium

A security administrator receives an alert about a potential SYN flood attack on a web server. At which OSI layer does this attack occur?

A.Layer 7 (Application)
B.Layer 3 (Network)
C.Layer 2 (Data Link)
D.Layer 4 (Transport)
AnswerD

SYN flood exploits TCP's connection establishment process at the transport layer.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a barrage of SYN packets without completing the handshake, exhausting server resources. This attack targets the Transport Layer (Layer 4), where TCP operates, as defined in RFC 793. The security administrator's alert specifically involves TCP SYN segments, which are Layer 4 protocol data units.

Exam trap

The trap here is that candidates confuse the attack's effect on the application (e.g., web server unavailability) with the layer being attacked, incorrectly selecting Layer 7 instead of recognizing the TCP handshake at Layer 4.

How to eliminate wrong answers

Option A is wrong because Layer 7 (Application) deals with application protocols like HTTP, FTP, and SMTP, not the TCP handshake mechanics exploited in a SYN flood. Option B is wrong because Layer 3 (Network) handles IP addressing and routing, not the stateful connection establishment that SYN floods abuse. Option C is wrong because Layer 2 (Data Link) covers MAC addresses and frame delivery on a local network segment, with no involvement in TCP's connection-oriented behavior.

750
MCQmedium

A company uses a SOAR platform for incident response. Which factor is most critical for effective automation?

A.High-quality playbooks
B.Integration with all security tools
C.Low false positive rate
D.Real-time threat intelligence feeds
AnswerA

Playbooks define the automated response actions; without quality playbooks, automation is ineffective.

Why this answer

High-quality playbooks are the most critical factor because SOAR automation relies on predefined, tested, and context-rich workflows to orchestrate response actions. Without accurate playbooks that map to specific incident types, automated actions can misidentify threats, execute incorrect containment steps, or fail to adapt to evolving attack patterns, rendering integrations and feeds ineffective.

Exam trap

ISC2 often tests the misconception that more integrations or real-time data automatically improve automation, but the trap here is that without high-quality playbooks, even perfect integrations and feeds lead to chaotic or harmful automated responses.

How to eliminate wrong answers

Option B is wrong because integration with all security tools is not the most critical factor; while broad integration enables data collection and action execution, it is useless without well-defined playbooks to orchestrate those tools effectively. Option C is wrong because a low false positive rate is a prerequisite for any detection system, but SOAR automation specifically depends on playbook logic to handle alerts correctly, not just on alert quality. Option D is wrong because real-time threat intelligence feeds enrich context but do not drive automation; playbooks must incorporate that intelligence into decision trees and response steps for it to be actionable.

Page 9

Page 10 of 14

Page 11