Systems Security Certified Practitioner SSCP (SSCP) — Questions 751–825

991 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
MCQ · easy

When using CBC mode encryption, what is the purpose of the initialization vector (IV)?

A. To provide authentication
B. To increase the key length
C. To add randomness and prevent identical ciphertext for repeated plaintext
D. To enable parallel encryption
Answer: C

IV randomizes the first block, causing different ciphertexts.

Why this answer

Option C is correct because the initialization vector (IV) in CBC mode ensures that each encryption of the same plaintext with the same key produces a different ciphertext. The IV is XORed with the first plaintext block before encryption, introducing randomness that prevents patterns from being exposed in the ciphertext, which is critical for semantic security.

Exam trap

The trap here is that candidates confuse the IV's role in adding randomness with authentication or key extension, or they mistakenly think CBC supports parallel encryption because they overlook the sequential dependency of ciphertext blocks.

How to eliminate wrong answers

Option A is wrong because CBC mode provides no inherent authentication; it is a confidentiality-only mode, and authentication requires a separate MAC or an authenticated encryption mode like GCM or CCM. Option B is wrong because the IV does not increase the effective key length; the key length remains fixed, and the IV is a non-secret, random value used per message. Option D is wrong because CBC mode is inherently sequential—each ciphertext block depends on the previous one—so it cannot be parallelized during encryption; only decryption can be parallelized.

752
MCQ · medium

An Identity Provider (IdP) sends an XML-based assertion to a Service Provider (SP) to grant access. Which federated identity standard is being used?

A. OAuth 2.0
B. Security Assertion Markup Language (SAML)
C. OpenID Connect (OIDC)
D. Kerberos
Answer: B

SAML uses XML-based assertions for federated identity.

Why this answer

SAML uses XML assertions to exchange authentication and authorization data between an IdP and an SP.

753
Multi-Select · hard

Which TWO of the following are appropriate actions when preserving digital evidence at a crime/incident scene?

Select 2 answers
A. Document all actions taken
B. Take photographs of the scene
C. Connect to the internet to check online resources
D. Use the system to check files
E. Power off the system immediately
Answers: A, B

Documentation ensures chain of custody and reproducibility.

Why this answer

Documenting all actions taken (Option A) is a fundamental principle of digital forensics, as it creates a verifiable chain of custody and ensures the integrity of evidence. This documentation includes timestamps, tools used, and any changes made to the system, which is critical for admissibility in legal proceedings. Without proper documentation, the evidence may be challenged as tampered or unreliable.

Exam trap

ISC2 often tests the misconception that immediately powering off a system is always the safest action, but in digital forensics, this can destroy volatile evidence and trigger data loss or corruption.

754
MCQ · easy

An employee receives an email with an attachment claiming to be an invoice but contains a macro virus. What control would have blocked this?

A. User awareness training
B. Email attachment scanning
C. Spam filter
D. Macro security settings in Office
Answer: D

Macro settings can disable or restrict macro execution.

Why this answer

Macro security settings in Office can disable macros or require signed macros, preventing execution. A spam filter may not detect targeted phishing, and attachment scanning may miss zero-day variants.

User training reduces risk but does not technically block.

755
MCQ · medium

A security analyst detects a workstation communicating with a known command-and-control server. The workstation is running critical applications. What should be the analyst's first step according to the NIST incident response lifecycle?

A. Power off the workstation immediately to stop the communication.
B. Isolate the workstation from the network while preserving volatile data.
C. Run a full antivirus scan on the workstation.
D. Notify management and wait for instructions.
Answer: B

Correct. Network isolation stops communication while preserving evidence.

Why this answer

According to the NIST incident response lifecycle, the first priority is containment. Isolating the workstation from the network stops communication with the command-and-control server while preserving volatile data (e.g., memory, running processes, network connections) for forensic analysis. Powering off would destroy this critical evidence, and running a scan or waiting for instructions delays containment and risks further compromise.

Exam trap

Cisco often tests the misconception that immediate power-off is the safest containment action, but the trap is that it destroys volatile evidence required for incident analysis and attribution.

How to eliminate wrong answers

Option A is wrong because powering off the workstation destroys volatile data (e.g., RAM contents, active network connections, process lists) that are essential for forensic analysis and identifying the scope of the compromise. Option C is wrong because running a full antivirus scan on a live, compromised system can alter evidence, trigger destructive malware behaviors, and does not immediately stop the command-and-control communication. Option D is wrong because notifying management and waiting for instructions violates the NIST principle of immediate containment; delaying action allows the attacker to continue exfiltration or lateral movement.

756
MCQ · easy

A financial services company has recently deployed a new customer-facing web application on port 443. The application is essential for client transactions. Within the first week, the security team's monitoring system detected thousands of failed login attempts originating from a wide range of IP addresses across multiple countries. The attempts are using common usernames and passwords, indicating a coordinated brute-force attack. The company's perimeter firewall is configured with a default allow rule for inbound TCP traffic on port 443 to the web server's public IP address. The company operates with a small IT team and has a limited security budget. The web application is custom-developed and cannot be modified quickly. The security analyst must recommend a solution to mitigate the attack while maintaining availability for legitimate users. Which of the following is the most effective first step?

A. Implement IP blacklisting by manually adding offending IP addresses to the firewall's deny list
B. Change the web server port from 443 to a non-standard high port
C. Deploy a Web Application Firewall (WAF) configured with rate limiting and CAPTCHA challenges
D. Enable SSH access to the web server for administrative purposes
Answer: C

A WAF can automatically detect and mitigate brute-force patterns by rate-limiting requests from suspicious IPs, presenting CAPTCHAs to verify human users, and applying other application-layer controls without modifying the application.

Why this answer

Deploying a Web Application Firewall (WAF) with rate limiting and CAPTCHA is the most effective solution because it can identify and block malicious traffic patterns without requiring application changes. It operates at the application layer and can enforce policies such as rate limiting per IP, geolocation blocking, and CAPTCHA challenges, which directly mitigate brute-force attacks while minimizing impact on legitimate users. Other options are less effective: IP blacklisting is reactive and cannot handle distributed attacks; changing ports only provides obscurity; enabling SSH does not address the web application attack.

757
Multi-Select · medium

Which TWO of the following are essential steps in a security incident response process according to the SSCP common body of knowledge? (Select the two best answers.)

Select 2 answers
A. Vulnerability scanning
B. Penetration testing
C. Eradication
D. Identification
E. Risk assessment
Answers: C, D

Eradication involves removing the incident artifacts and is a key phase.

758
Multi-Select · medium

Which TWO of the following are best practices for password management?

Select 2 answers
A. Implement account lockout after a few failed attempts
B. Allow reuse of the last 5 passwords
C. Store passwords in plaintext for quick recovery
D. Share passwords via email for convenience
E. Enforce password complexity requirements
Answers: A, E

Lockout mitigates brute-force attacks.

Why this answer

Password complexity and account lockout are standard best practices. Storing passwords in plaintext and reusing passwords are poor practices.

759
Multi-Select · easy

Which THREE characteristics are important for a password hashing algorithm?

Select 3 answers
A. Fixed output length
B. Salt usage
C. Reversible
D. Slow computation
E. Constant time comparison
Answers: B, D, E

Salt prevents rainbow table attacks.

Why this answer

B is correct because salting ensures that each password hash is unique even if two users have the same password, preventing precomputed rainbow table attacks. A salt is a random value concatenated with the password before hashing, and it must be stored alongside the hash for verification.

Exam trap

ISC2 often tests the misconception that fixed output length is a key requirement for password hashing, when in fact it is a generic property of all hash functions and not specific to password storage security.

760
Multi-Select · medium

Which TWO of the following are methods to defend against SYN flood attacks? (Select TWO)

Select 2 answers
A. Enabling IP routing
B. Using UDP instead of TCP
C. Increasing the SYN backlog queue size
D. SYN cookies
E. Disabling TCP timestamps
Answers: C, D

A larger backlog allows more pending connections, mitigating exhaustion.

Why this answer

SYN cookies avoid resource exhaustion by not allocating memory until the handshake completes, and increasing the backlog queue allows more half-open connections before reaching capacity.

761
MCQ · medium

A user reports they can now access files in a shared drive that were previously denied. Upon investigation, the IT team discovers the user was added to a new group that has read/write permissions to the drive. This situation is best described as:

A. Separation of duties violation
B. Inconsistent access control list
C. Role explosion
D. Privilege creep
Answer: D

The user gained additional permissions through group membership, which is a classic example of privilege creep.

Why this answer

Privilege creep occurs when users accumulate more permissions over time than they need for their current role, often through group memberships. In this scenario, the user was added to a new group that granted read/write access to a shared drive, resulting in unintended elevated access. This is a classic example of privilege creep because the user's access rights expanded beyond what was originally authorized, violating the principle of least privilege.

Exam trap

The trap here is confusing privilege creep with role explosion, but privilege creep focuses on individual permission accumulation over time, while role explosion is about an excessive number of roles in the system design.

How to eliminate wrong answers

Option A is wrong because separation of duties is a control designed to prevent fraud or error by requiring multiple individuals to complete a sensitive task, not a situation where a user gains unintended access. Option B is wrong because an inconsistent access control list would imply conflicting or erroneous permissions on the resource itself, whereas here the permissions are consistent but the user was added to a group that legitimately has those permissions. Option C is wrong because role explosion refers to the proliferation of too many roles in an RBAC system, making management complex, not the gradual accumulation of permissions by a single user.

762
MCQ · hard

A patch management process is being audited. Which finding indicates a critical gap in the process?

A. Exception requests for unpatched systems are documented
B. Patches are not tested in a staging environment before production deployment
C. Critical systems are patched monthly
D. Patches are deployed within 30 days of release
Answer: B

Missing testing can cause production issues.

Why this answer

Failure to test patches in a staging environment can lead to instability when deployed to production.

763
MCQ · hard

An organization's risk register lists a vulnerability with an annualized loss expectancy (ALE) of $50,000. The cost of implementing a mitigation control is $40,000 with an expected lifespan of 5 years. The control is expected to reduce the ALE by 80%. What is the net present value (NPV) of implementing this control over 5 years, assuming a discount rate of 5%? (Ignore residual risk for simplicity.)

A. $120,000
B. $133,180
C. $200,000
D. $160,000
Answer: B

Correctly calculated NPV.

Why this answer

The correct answer is B because the net present value (NPV) is calculated by subtracting the initial control cost from the present value of the annual savings over 5 years. The control reduces the ALE by 80%, saving $40,000 per year ($50,000 × 0.8). Using a 5% discount rate, the present value of these savings is $40,000 × 4.3295 (PV annuity factor for 5 years at 5%) = $173,180.

Subtracting the $40,000 implementation cost gives an NPV of $133,180.

Exam trap

The trap here is that candidates often forget to discount future savings to present value, leading them to pick the undiscounted total savings ($200,000) or a simple subtraction ($160,000), rather than applying the 5% discount rate correctly.

How to eliminate wrong answers

Option A is wrong because $120,000 represents the total undiscounted savings ($40,000 × 5 = $200,000) minus the control cost ($40,000) but ignores the time value of money (discount rate). Option C is wrong because $200,000 is the total undiscounted savings over 5 years without subtracting the control cost or applying the discount rate. Option D is wrong because $160,000 might come from incorrectly using a 4-year savings calculation or misapplying the discount factor (e.g., $40,000 × 4 = $160,000), failing to account for the 5% discount rate.

764
MCQ · medium

An organization is planning to deploy a remote access VPN for employees. The solution must support strong encryption, mutual authentication, and work through firewalls without requiring additional ports. Which technology is most suitable?

A. L2TP/IPsec
B. PPTP
C. IPsec tunnel mode
D. SSL/TLS VPN
Answer: D

SSL VPN uses port 443, widely allowed, and provides strong security.

Why this answer

SSL/TLS VPNs (e.g., Cisco AnyConnect) operate over port 443 (HTTPS), which is commonly allowed through firewalls, and provide strong encryption and authentication.

765
MCQ · medium

A security analyst receives an alert from the EDR system indicating that a workstation has been communicating with a known malicious IP address. The analyst confirms the alert and notes that the user is still logged in. Which immediate containment action should the analyst take FIRST?

A. Isolate the workstation using the EDR agent's network isolation capability
B. Create a full forensic image of the hard drive
C. Disable the user's Active Directory account
D. Block the malicious IP address at the firewall
Answer: A

Isolating the endpoint stops all network traffic, preventing data exfiltration or lateral movement.

Why this answer

The first priority is to contain the incident by isolating the endpoint to prevent further communication. EDR agents often have a feature to isolate the host from the network immediately.

766
MCQ · easy

A small business has 50 employees and uses a cloud-based email service. The IT manager receives a report that several employees have been receiving phishing emails that appear to come from the company's CEO. The emails request that employees purchase gift cards and send the codes urgently. Two employees have already complied, losing $500 total. The manager wants to prevent this from recurring. The company has a limited budget and no dedicated security staff. Which of the following actions should the manager take FIRST?

A. Create a policy prohibiting gift card purchases
B. Enable multi-factor authentication (MFA) on the CEO's email account
C. Conduct security awareness training for all employees
D. Set up email filtering rules to block emails with the CEO's name
Answer: B

MFA significantly reduces the risk of account takeover, which is the source of these phishing emails.

Why this answer

Implementing multi-factor authentication (MFA) on the CEO's account prevents attackers from using stolen credentials to send phishing emails. Option C is training, which is important but does not stop the current vector; A is a long-term policy; D is a technical control but does not prevent the initial account compromise.

767
MCQ · medium

An organization's disaster recovery plan specifies an RPO of 4 hours and an RTO of 24 hours for a critical database. Which of the following best describes these metrics?

A. RPO means up to 4 hours of data loss; RTO means the database must be recovered within 24 hours.
B. RPO means recovery point objective; RTO means recovery time objective.
C. RPO means the database can be down for up to 4 hours; RTO means up to 24 hours of data loss.
D. RPO means the database must be recovered within 4 hours; RTO means up to 24 hours of data loss.
Answer: A

Correct. RPO = data loss, RTO = recovery time.

Why this answer

Option A is correct because RPO (Recovery Point Objective) defines the maximum acceptable data loss measured in time, meaning up to 4 hours of transactions could be lost. RTO (Recovery Time Objective) defines the maximum acceptable downtime, meaning the database must be fully operational within 24 hours after a disaster.

Exam trap

The trap here is confusing RPO with downtime and RTO with data loss, leading candidates to swap the definitions or misassign the time values.

How to eliminate wrong answers

Option B is wrong because it merely expands the acronyms without explaining the practical meaning of the metrics (e.g., it doesn't state that RPO is about data loss and RTO is about downtime). Option C is wrong because it reverses the definitions: RPO is about data loss, not downtime, and RTO is about downtime, not data loss. Option D is wrong because it swaps the values: RPO is 4 hours of data loss, not recovery time, and RTO is 24 hours of downtime, not data loss.

768
Multi-Select · medium

A security analyst is configuring a SIEM to detect potential data exfiltration. Which TWO log sources are most critical for detecting large outbound data transfers?

Select 2 answers
A. Network flow logs (e.g., NetFlow)
B. DNS logs
C. Proxy logs
D. System event logs
E. Application error logs
Answers: A, C

Correct: Network flow logs provide data on traffic volume and destinations.

Why this answer

Network flow logs (e.g., NetFlow) are critical because they provide metadata about all network conversations, including source/destination IPs, ports, protocols, and byte counts. By analyzing flow records, a SIEM can detect anomalous spikes in outbound traffic volume or connections to unusual external hosts, which are strong indicators of data exfiltration. NetFlow does not inspect packet payloads, but its aggregated traffic patterns make it ideal for identifying large-scale transfers.

Exam trap

Cisco often tests the misconception that DNS logs are sufficient for detecting exfiltration (e.g., via DNS tunneling), but the question specifically asks for detecting 'large outbound data transfers,' which require volume-based analysis from NetFlow or proxy logs, not just query patterns.

769
Multi-Select · hard

A company is migrating to a cloud-based SaaS application and wants to implement federated identity. Users will authenticate using their existing corporate Active Directory credentials. Which THREE components are essential for a SAML-based federation? (Select THREE.)

Select 3 answers
A. Identity Provider (IdP)
B. Trust relationship between IdP and SP
C. Ticket Granting Ticket (TGT)
D. Attribute Authority (AA)
E. Service Provider (SP)
Answers: A, B, E

IdP authenticates users and issues SAML assertions.

Why this answer

SAML federation requires an Identity Provider (IdP), a Service Provider (SP), and trust between them. The IdP authenticates the user and sends an assertion to the SP via an HTTP redirect.

770
MCQ · easy

A company's backup strategy includes weekly full backups and daily differential backups. A ransomware attack occurred on Wednesday, corrupting data. The last full backup was Sunday. Which backup set should be restored first?

A. Wednesday differential backup
B. Sunday full backup
C. Monday differential backup
D. Tuesday differential backup
Answer: B

Full backup must be restored first as it contains the baseline data.

Why this answer

The correct restoration order is to first restore the Sunday full backup, because differential backups contain all changes since the last full backup. Without the full backup as a base, the differential backups cannot be applied. After restoring the full backup, you would then apply the most recent differential backup (Wednesday) to bring the data to the point just before the attack.

Exam trap

The trap here is that candidates often confuse differential backups with incremental backups, mistakenly thinking they need to restore all differentials in order, or they try to restore the most recent differential without the full backup first.

How to eliminate wrong answers

Option A is wrong because the Wednesday differential backup cannot be restored first; it must be applied after the full backup to provide the incremental changes. Option C is wrong because the Monday differential backup is not the most recent differential backup, and restoring it alone would miss changes made on Tuesday and Wednesday. Option D is wrong because the Tuesday differential backup, while more recent than Monday, still requires the full backup first and is not the final differential needed to reach Wednesday's state.

771
MCQ · medium

A security administrator is configuring a Linux server to enforce mandatory access control (MAC). Which of the following tools provides MAC on Linux?

A. PAM
B. iptables
C. chmod
D. SELinux
Answer: D

SELinux provides mandatory access control.

Why this answer

SELinux and AppArmor are Linux security modules that implement mandatory access control policies beyond traditional discretionary access control.

772
Multi-Select · hard

Which THREE of the following are valid steps in the change management process? (Select THREE)

Select 3 answers
A. Post-implementation review
B. Vulnerability scanning
C. Baseline configuration update
D. Impact assessment
E. Change request submission
Answers: A, D, E

After implementation, a review ensures the change was successful and lessons are learned.

Why this answer

A post-implementation review is a valid step in the change management process because it evaluates whether the change met its objectives, identifies any issues, and captures lessons learned. This review typically occurs after the change has been implemented and verified, ensuring that the change was successful and that any unintended consequences are documented.

Exam trap

The trap here is that candidates may confuse operational security activities like vulnerability scanning or configuration updates with formal change management process steps, which are specifically about the lifecycle of a change request from submission through review.

773
MCQ · hard

A network engineer is designing a secure WAN link between two offices using IPsec VPN. The company requires encryption of all traffic, authentication of both endpoints, and protection against replay attacks. Which combination of IPsec protocols and modes should be used?

A. AH in tunnel mode
B. AH in transport mode
C. ESP in tunnel mode
D. ESP in transport mode
Answer: C

ESP in tunnel mode encrypts and authenticates the entire packet, suitable for site-to-site VPNs.

Why this answer

ESP in tunnel mode encrypts and authenticates the entire original IP packet, providing confidentiality, integrity, and authentication for the entire payload. It also includes sequence numbers to protect against replay attacks, making it the correct choice for a secure WAN link between two offices.

Exam trap

The trap here is that candidates often confuse AH with ESP, assuming AH provides encryption, or they incorrectly choose transport mode for site-to-site VPNs because they focus on endpoint authentication rather than the need to encapsulate the entire original packet for network-to-network communication.

How to eliminate wrong answers

Option A is wrong because AH (Authentication Header) provides integrity and authentication but does not encrypt traffic, failing the encryption requirement. Option B is wrong because AH in transport mode also lacks encryption and only protects the payload, not the original IP header, which is insufficient for a VPN tunnel between networks. Option D is wrong because ESP in transport mode encrypts only the payload, not the original IP header, and is typically used for end-to-end communication between hosts, not for site-to-site VPNs where tunnel mode is required to encapsulate the entire original packet.

774
MCQ · medium

During a security audit, it is discovered that a legacy system uses SNMPv1 for network monitoring. Which of the following is the primary security concern?

A. Weak hashing
B. Community strings transmitted in cleartext
C. No access control
D. Lack of encryption
Answer: B

The community string serves as a password and is sent in plaintext, allowing interception and unauthorized access.

Why this answer

SNMPv1 transmits community strings (effectively passwords) in cleartext over the network. An attacker capturing network traffic can directly read the community string and gain unauthorized access to SNMP-managed devices. This lack of confidentiality is the primary security concern because it exposes the entire monitoring infrastructure to compromise.

Exam trap

The trap here is that candidates often confuse 'no access control' (Option C) with the lack of authentication, but SNMPv1 does have community strings as a form of access control; the real issue is that these strings are transmitted in cleartext, making them easily intercepted.

How to eliminate wrong answers

Option A is wrong because SNMPv1 does not use hashing for authentication; it relies on plaintext community strings, so 'weak hashing' is not a relevant concern. Option C is wrong because SNMPv1 does have a basic form of access control via read-only (RO) and read-write (RW) community strings, though it is rudimentary and easily bypassed once the community string is known. Option D is wrong because while SNMPv1 indeed lacks encryption, the question asks for the 'primary' security concern; the immediate exposure of community strings in cleartext is the most direct and exploitable vulnerability, making lack of encryption a secondary consequence.

775
Multi-Select · hard

A company is selecting a cryptographic algorithm for digital signatures. Which THREE of the following algorithms can be used for digital signatures? (Select THREE.)

Select 3 answers
A. SHA-256
B. DSA
C. AES
D. RSA
E. ECDSA
Answers: B, D, E

DSA is a digital signature algorithm.

Why this answer

RSA, ECDSA, and DSA are all capable of digital signatures. AES is symmetric and not for signatures; SHA-256 is a hash function.

776
MCQ · hard

In a federated identity scenario, a user authenticates to their home domain and accesses a resource in a partner domain. The partner domain trusts the authentication performed by the home domain. What is the home domain's role in this trust relationship?

A. Relying Party
B. Identity Provider (IdP)
C. Service Provider (SP)
D. Kerberos Distribution Center (KDC)
Answer: B

The IdP authenticates users and provides identity information.

Why this answer

In federated identity, the Identity Provider (IdP) is the home domain that authenticates the user and issues assertions. The Service Provider (SP) trusts the IdP's authentication.

777
MCQ · medium

An organization uses Kerberos for single sign-on (SSO) within its Windows domain. Which component issues ticket-granting tickets (TGTs) after verifying user credentials?

A. Ticket Granting Service (TGS)
B. Key Distribution Center (KDC)
C. Authentication Service (AS)
D. Domain Controller
Answer: C

AS authenticates and issues TGTs.

Why this answer

In Kerberos, the Authentication Service (AS) within the Key Distribution Center (KDC) authenticates users and issues TGTs. The Ticket Granting Service (TGS) issues service tickets later.

778
Multi-Select · medium

Which TWO of the following are examples of biometric authentication? (Choose two.)

Select 2 answers
A. Smart card
B. Retina scan
C. PIN
D. Fingerprint
E. Password
Answers: B, D

Retina scan is a biometric trait.

Why this answer

Retina scan is a biometric authentication method because it uses unique physiological characteristics of the eye's retinal blood vessel pattern to verify identity. Biometric authentication relies on measurable biological traits, and the retina's pattern is highly distinctive and difficult to replicate, making it a strong form of authentication.

Exam trap

ISC2 often tests the distinction between authentication factors (something you know, have, or are) and tricks candidates into selecting smart cards or PINs as biometrics because they are commonly associated with security, but they are not based on biological traits.

779
Multi-Select · medium

Which TWO of the following are key components of the 3-2-1 backup rule?

Select 2 answers
A. One copy stored in a different geographic location
B. Daily full backups
C. All backups must be encrypted
D. At least three copies of the data
E. At least two different media types
Answers: D, E

Three copies include the original and two backups.

Why this answer

The 3-2-1 backup rule mandates at least three copies of the data (one primary and two backups) to ensure redundancy against failures. Option D directly states this requirement, which is the '3' in the rule.

Exam trap

Cisco often tests the exact wording of the 3-2-1 rule, and candidates mistakenly think 'different geographic location' is a separate numbered component, but it is actually the '1' (one offsite copy) and not a distinct key component like the number of copies or media types.

780
Multi-Select · hard

An organization is implementing a new vulnerability management program. The CISO wants to establish remediation SLAs based on risk severity. Which THREE of the following are commonly recommended SLAs?

Select 3 answers
A. High: 30 days
B. Informational: No SLA
C. Medium: 90 days
D. Critical: 24-72 hours
E. Low: 180 days
Answers: A, C, D

High vulnerabilities typically have 30-day SLA.

Why this answer

Option A is correct because high-severity vulnerabilities typically require remediation within 30 days to balance risk reduction with operational feasibility. This aligns with common industry frameworks like PCI DSS and NIST SP 800-53, which recommend 30-day SLAs for high-risk findings to prevent exploitation while allowing time for patching cycles.

Exam trap

Cisco often tests the misconception that all vulnerability severities must have a formal SLA, but informational findings are excluded because they pose no exploitable risk and are typically documented for awareness only.

781
MCQ · easy

Which transport layer protocol is used by DNS for its queries and responses, and why is it appropriate?

A. UDP, because it guarantees packet ordering.
B. TCP, because it provides error checking and retransmission.
C. TCP, because reliability is critical for DNS resolution.
D. UDP, because it is connectionless and fast, suitable for short exchanges.
Answer: D

DNS queries are typically small and benefit from UDP's low overhead.

Why this answer

DNS primarily uses UDP on port 53 because a typical query and its response each fit in a single datagram, so there is no connection setup to pay for. A resolver retries the same query over TCP when the server sets the TC (truncated) flag on a response that did not fit (historically anything over 512 bytes; EDNS0 lets the client advertise a larger UDP buffer), and zone transfers (AXFR/IXFR) always use TCP. RFC 7766 makes TCP support mandatory for DNS implementations, so firewalls must allow both transports on port 53.
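The UDP-first, TCP-on-truncation behaviour described above, as an added example (not code from the original page): it builds a query as a stub resolver would, decodes the header of a reply, checks the TC flag to decide whether the query must be repeated over TCP, and shows the 2-byte length prefix that DNS over TCP requires. The two sample replies are constructed inline, not captured traffic; the live resolve_with_fallback helper needs a reachable resolver and is not exercised by the stand-alone run.

```python
import socket
import struct

# RFC 1035 header flag bits (16-bit FLAGS field)
QR_BIT = 0x8000  # 1 = response
TC_BIT = 0x0200  # 1 = message was truncated to fit the UDP payload limit
RD_BIT = 0x0100  # recursion desired
RA_BIT = 0x0080  # recursion available


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode an A-record query (RD=1) exactly as a stub resolver sends it over UDP."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)  # ID, FLAGS, QD, AN, NS, AR
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; the TC flag is what decides the UDP-to-TCP retry."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR_BIT),
        "truncated": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def needs_tcp_retry(response: bytes, expected_txid: int) -> bool:
    """True when the server signalled truncation, so the same query must be repeated over TCP."""
    h = parse_header(response)
    if h["id"] != expected_txid:
        # A reply whose ID does not match the outstanding query is discarded (basic spoofing defence).
        raise ValueError("transaction ID mismatch: reply does not belong to this query")
    if not h["is_response"]:
        raise ValueError("not a response message")
    return h["truncated"]


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the TCP connection early")
        data += chunk
    return data


def resolve_with_fallback(qname: str, resolver_ip: str, timeout: float = 2.0) -> bytes:
    """Live lookup (needs network): UDP first, TCP only if the reply is truncated."""
    txid = 0x1234
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (resolver_ip, 53))
        reply, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(reply, txid):
        return reply
    with socket.create_connection((resolver_ip, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        length = struct.unpack("!H", _recv_exact(tcp, 2))[0]
        return _recv_exact(tcp, length)


# Constructed sample replies (not captured traffic): the question section echoed back,
# one with TC set (answer did not fit the UDP limit) and one without. Answer records are
# omitted because only the header matters for the retry decision.
_QUESTION = build_query("example.com")[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT | RA_BIT | TC_BIT, 1, 0, 0, 0) + _QUESTION
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT | RA_BIT, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("truncated reply -> retry over TCP:", needs_tcp_retry(TRUNCATED_REPLY, 0x1234))
    print("complete reply  -> retry over TCP:", needs_tcp_retry(COMPLETE_REPLY, 0x1234))
```

The transaction-ID check is deliberate: a stub that accepts any reply on the open UDP socket is the starting point for cache-poisoning attacks, so the ID (and, in real resolvers, the randomised source port) must match before the TC flag is even consulted.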

782
Drag & Dropmedium

Drag and drop the steps for configuring a Windows Firewall rule to allow inbound RDP traffic into the correct order.

Why this order

1. Open Windows Defender Firewall with Advanced Security, select Inbound Rules and choose New Rule.
2. Choose a Port rule and specify TCP port 3389 (the RDP listener).
3. Select Allow the connection.
4. Choose the profiles the rule applies to (Domain and Private; leave Public unchecked unless the host must accept RDP from untrusted networks).
5. Name the rule (for example 'Allow RDP (TCP-In)') and finish.

A practitioner would also narrow the rule's Scope (remote IP address) to the management subnet rather than any address, and keep Network Level Authentication enabled so that RDP demands credentials before a session is negotiated.

783
MCQmedium

Refer to the exhibit. Which of the following is most likely a web browsing session?

A.192.168.1.100:49152 to 203.0.113.10:80
B.192.168.1.100:49154 to 74.125.224.72:443
C.192.168.1.100:49153 to 192.168.1.1:53
D.Both A and C
AnswerD

Option A is the HTTP request and option C is the DNS lookup that precedes it; together they make up the browsing session.

Why this answer

Option D is correct because, taken together, A and C describe a typical web browsing session: C is the DNS query (port 53) to the local resolver at 192.168.1.1 that translates the hostname to an IP address, and A is the HTTP request (port 80) to 203.0.113.10 that follows it. Web browsing inherently begins with name resolution, so both connections belong to the browsing activity.

Exam trap

ISC2 often tests the misconception that web browsing only involves HTTP (port 80) and ignores the essential DNS resolution step, leading candidates to overlook DNS queries as part of the browsing session.

How to eliminate wrong answers

Option A on its own is only the HTTP request (port 80), and option C on its own is only the DNS lookup (port 53 to the local resolver at 192.168.1.1); each is one half of the browsing activity, which is why the keyed answer combines them. Option B is an HTTPS session (port 443) to a public address and is also web traffic; it is excluded from the keyed answer because the question pairs the HTTP request with the name lookup that precedes it, not because HTTPS is not web browsing. The consecutive ephemeral source ports 49152 to 49154 are consistent with one client opening these three connections in sequence.

784
MCQmedium

An organization has implemented a PAM solution for managing privileged accounts. Which feature allows administrators to request temporary elevated access for a specific task?

A.Session recording
B.Just-in-time provisioning
C.Password vaulting
D.Role-based access control
AnswerB

JIT grants temporary privileges as needed.

Why this answer

Just-in-time (JIT) provisioning grants temporary privileges as needed, reducing the risk of standing privileges.

785
MCQeasy

Which type of IDS monitors network traffic at a specific network segment and analyzes packets for malicious patterns?

A.NIDS
B.HIDS
C.UBA
D.SIEM
AnswerA

Network-based IDS monitors network traffic for malicious patterns.

Why this answer

A Network Intrusion Detection System (NIDS) is specifically designed to monitor traffic on a network segment, capturing packets in real time (typically from a SPAN port or a network tap) and analyzing them for known attack signatures or anomalous patterns. Unlike host-based systems, a NIDS inspects headers and payloads of traffic on the wire to detect activity such as port scans, DoS attacks or exploit attempts, and it cannot see what happens inside the hosts themselves.

Exam trap

ISC2 often tests the distinction between network-based and host-based monitoring. The trap is that candidates confuse HIDS with NIDS because both involve 'intrusion detection', but a HIDS runs on the host and watches its logs, files and processes, while a NIDS watches traffic on the network segment.

How to eliminate wrong answers

Option B (HIDS) is wrong because a Host-based Intrusion Detection System monitors activities on a single host (e.g., system logs, file integrity, process behavior), not network traffic at a segment level. Option C (UBA) is wrong because User Behavior Analytics focuses on identifying deviations in user activity patterns, often using machine learning, rather than analyzing raw network packets for malicious patterns. Option D (SIEM) is wrong because a Security Information and Event Management system aggregates and correlates logs from multiple sources, but does not directly capture or analyze network packets at a segment level.

786
MCQmedium

Based on the exhibit, which type of attack is most likely being attempted?

A.Cross-site scripting (XSS)
B.SQL injection
C.Directory traversal
D.Buffer overflow
AnswerB

The parameter contains SQL syntax designed to drop a table, which is characteristic of a SQL injection attack.

Why this answer

The exhibit shows a URL parameter containing SQL injection syntax (DROP TABLE users;). The sequence %22%3B%20 percent-decodes to a double quote, a semicolon and a space: the quote closes the string literal in the application's query and the semicolon terminates the statement, so the attacker-supplied DROP TABLE that follows is parsed as a second statement. The destination is an internal host (10.0.0.100), most likely the web application server.

A status code of 500 indicates a server error, consistent with the database rejecting or failing on the malformed query. SQL injection (Option B) is therefore correct. XSS (A) would show script or HTML markup in the parameter, directory traversal (C) would show ../ sequences aimed at the file system, and a buffer overflow (D) would show an oversized or padded input rather than SQL keywords.

787
MCQhard

An organization is implementing a federated identity system to allow employees to access a partner's cloud application using their corporate credentials. The solution must support single sign-on and use XML-based assertions. Which technology should be used?

A.Kerberos
B.SAML
C.OAuth 2.0
D.OpenID Connect
AnswerB

SAML (Security Assertion Markup Language) uses XML assertions for federated SSO.

Why this answer

SAML uses XML-based assertions to exchange authentication and authorization data between an identity provider and a service provider.

788
MCQhard

A company is implementing a risk monitoring program. Which of the following is the best key performance indicator (KPI) to measure the effectiveness of the vulnerability management process?

A.Mean time to remediate (MTTR) critical vulnerabilities
B.Percentage of systems with up-to-date patches
C.Number of vulnerability scans performed per month
D.Number of vulnerabilities discovered per scan
AnswerA

MTTR directly measures how quickly critical risks are addressed.

Why this answer

Mean time to remediate (MTTR) critical vulnerabilities directly measures how quickly the organization closes the window of exposure for its highest-risk flaws. This KPI reflects the efficiency of the whole remediation workflow, from detection through patching or compensating-control deployment, and is the kind of time-to-remediate metric that patch management guidance such as NIST SP 800-40 recommends tracking (CVSS supplies the severity used to scope 'critical'; it is not itself a remediation metric). A lower MTTR indicates a more effective vulnerability management process because it reduces the time attackers have to exploit known weaknesses.

Exam trap

The trap here is that candidates often confuse activity metrics (like scan frequency or patch coverage) with outcome metrics (like remediation speed), leading them to choose a KPI that sounds operational but does not directly measure the effectiveness of the vulnerability management process.

How to eliminate wrong answers

Option B is wrong because the percentage of systems with up-to-date patches is a compliance-oriented metric that does not account for the severity or criticality of vulnerabilities; a system could be fully patched against low-severity issues while still harboring an unpatched critical vulnerability. Option C is wrong because the number of vulnerability scans performed per month measures activity volume, not process effectiveness; frequent scans are useless if findings are not remediated promptly. Option D is wrong because the number of vulnerabilities discovered per scan is a measure of the attack surface or scan coverage, not the effectiveness of remediation; a high discovery count could indicate a thorough scan but says nothing about how quickly or completely those vulnerabilities are fixed.

789
MCQhard

An administrator notices that a certificate used for code signing is about to expire. The certificate is signed by a trusted root CA. What is the correct procedure to ensure continued trust?

A.Continue using the expired certificate until a new one is obtained
B.Extend the validity period of the existing certificate by modifying the certificate
C.Switch to a self-signed certificate
D.Request a new certificate from the same CA before expiration
AnswerD

This ensures continuity and trust from the same root.

Why this answer

The correct procedure is to request a new certificate from the same trusted root CA before the current certificate expires. This ensures that the new certificate chains to the same trusted root, maintaining the chain of trust without interruption. Signing with an expired certificate fails trust validation: clients and operating systems reject signatures made after the certificate's notAfter date. Signatures applied before expiry remain valid only if they carry a trusted timestamp (countersignature); without one they are treated as expired as well, so renewal planning should also cover timestamping or re-signing of already-shipped code.

Exam trap

The trap here is that candidates may think extending the validity period or using a self-signed certificate is acceptable, but ISC2 tests the understanding that only a certificate from the same trusted CA preserves the existing chain of trust without requiring manual trust configuration on every client.

How to eliminate wrong answers

Option A is wrong because using an expired certificate violates the trust model; code-signing certificates are validated for expiration, and a signature created after the expiry date fails verification, producing warnings or blocked execution (only signatures made before expiry and countersigned by a timestamping authority survive the expiry). Option B is wrong because certificate validity periods cannot be extended by modifying the certificate; the validity dates are covered by the CA's signature, and any alteration invalidates that signature. Option C is wrong because switching to a self-signed certificate breaks the chain of trust; self-signed certificates are not trusted by default and would have to be installed manually on every client, which is impractical for code signing.

790
Multi-Selectmedium

An organization is planning to implement a Single Sign-On (SSO) solution. Which THREE of the following are commonly associated with SSO technologies?

Select 3 answers
A.Kerberos
B.Biometrics
C.Public Key Infrastructure (PKI)
D.OAuth 2.0
E.SAML
AnswersA, D, E

Kerberos is a ticket-based SSO protocol.

Why this answer

Kerberos uses tickets for SSO, SAML provides federated SSO with XML assertions, and OAuth 2.0 is an authorization framework often used for SSO. Biometrics and PKI are not SSO technologies themselves.

791
Multi-Selecthard

Which THREE of the following are key objectives of data classification?

Select 3 answers
A.Identify and protect sensitive information
B.Reduce storage costs by identifying duplicate data
C.Establish a foundation for risk management decisions
D.Determine the encryption algorithm to use
E.Comply with legal and regulatory requirements
AnswersA, C, E

Classification determines sensitivity and required protections.

Why this answer

Data classification is a foundational control with three objectives. It identifies sensitive information so that proportionate protections (access controls, encryption, handling rules) can be applied (A); it gives risk management a basis for deciding where controls and budget matter most, since impact ratings depend on what the data is (C); and it supports compliance with legal and regulatory obligations that attach to specific data types such as personal or payment data (E). Option B is a storage-efficiency side benefit, not an objective, and Option D is a downstream design decision that classification informs but does not make.

Exam trap

ISC2 often tests the distinction between the objectives of data classification and the subsequent actions or technologies that classification enables, leading candidates to mistakenly select options like 'determine encryption algorithm' as a direct objective.

792
MCQmedium

A security awareness training program aims to reduce successful phishing attacks. Which metric is most appropriate for measuring the effectiveness of this training?

A.Percentage of employees who click simulated phishing links
B.Training completion rate
C.Number of reported phishing emails
D.Number of security incidents caused by phishing
AnswerA

This directly measures the effectiveness of training in reducing risky behavior.

Why this answer

The primary goal is to reduce user susceptibility, so tracking the number of employees who click on simulated phishing links directly measures behavior change.

793
Multi-Selectmedium

A security analyst is investigating a phishing incident that led to credential theft. Which TWO actions are appropriate during the containment phase? (Select TWO)

Select 2 answers
A.Reset the compromised user's password
B.Update the incident response plan
C.Conduct a lessons learned meeting
D.Restore the user's machine from backup
E.Block the phishing domain at the email gateway
AnswersA, E

Prevents further unauthorized access with the stolen credentials.

Why this answer

Resetting the compromised user's password (A) invalidates the stolen credential so the attacker cannot use it again for email, VPN or cloud services. A reset does not by itself terminate sessions the attacker has already established, so in practice it is paired with revoking active sessions and refresh tokens and checking for persistence such as mailbox forwarding rules. Blocking the phishing domain at the email gateway (E) prevents additional users from receiving the message and stops the incident from spreading.

Both actions directly limit the impact and scope of the breach during the containment phase.

Exam trap

ISC2 often tests the distinction between the containment and recovery phases, trapping candidates who confuse restoring from backup (a recovery action) with immediate containment steps like password resets or blocking malicious infrastructure.

794
Multi-Selectmedium

A cloud security architect is designing a solution to protect workloads running in a public cloud. Which THREE of the following are key security controls that should be implemented?

Select 3 answers
A.Store encryption keys in the same cloud region as the data
B.Deploy a Cloud Security Posture Management (CSPM) tool
C.Disable multi-factor authentication for service accounts
D.Use a Cloud Workload Protection Platform (CWPP)
E.Implement IAM roles with least privilege
AnswersB, D, E

CSPM identifies and remediates misconfigurations.

Why this answer

IAM roles control permissions for cloud resources. CSPM detects misconfigurations. CWPP provides runtime protection for workloads.

795
MCQmedium

A company wants to track all hardware assets including serial numbers and locations. What is the primary repository for this information?

A.CMDB
B.Patch management tool
C.Vulnerability database
D.SIEM
AnswerA

Central repository for configuration items including hardware.

Why this answer

A Configuration Management Database (CMDB) stores details about hardware assets and their relationships.

796
MCQmedium

An organization wants to detect insider threats by identifying abnormal user behavior. Which technology is best suited for this purpose?

A.User Behavior Analytics (UBA)
B.Network-based IDS
C.Vulnerability scanner
D.Signature-based antivirus
AnswerA

UBA specifically analyzes user behavior to detect anomalies that may indicate insider threats.

Why this answer

User Behavior Analytics (UBA) is specifically designed to detect insider threats by establishing a baseline of normal user activity and then identifying anomalous deviations, such as unusual login times, abnormal data access patterns, or atypical file transfers. Unlike other security tools that rely on known signatures or network traffic patterns, UBA applies machine learning and statistical modeling to user-centric data (e.g., authentication logs, file system events, and endpoint activity) to uncover subtle, non-signature-based indicators of malicious insider behavior.

Exam trap

The trap here is that candidates often confuse Network-based IDS (which detects network-level attacks) with user behavior analysis, failing to recognize that insider threats typically involve legitimate credentials and non-malicious network traffic that bypass signature-based detection.

How to eliminate wrong answers

Option B is wrong because a Network-based IDS (Intrusion Detection System) monitors network traffic for known attack signatures or protocol anomalies, but it lacks the user-context and behavioral baseline needed to detect insider threats that do not generate malicious network packets (e.g., a user exfiltrating data via legitimate cloud storage). Option C is wrong because a vulnerability scanner identifies known software weaknesses (e.g., missing patches, misconfigurations) by comparing system states against a database of CVEs; it does not analyze user behavior or detect ongoing anomalous actions. Option D is wrong because signature-based antivirus relies on static file signatures and heuristics to detect known malware; it cannot identify abnormal user behavior such as a legitimate user accessing files outside their normal pattern or performing unauthorized privilege escalation.

797
Multi-Selecthard

Which THREE of the following are valid methods for enforcing separation of duties in an IT environment? (Select the three best answers.)

Select 3 answers
A.Sharing administrative passwords among team members
B.Having the same person approve and implement a change
C.Implementing a two-person rule for critical changes
D.Monitoring and logging all privileged actions
E.Using role-based access control (RBAC) to assign permissions
AnswersC, D, E

The two-person rule requires approval from a second person, enforcing separation.

Why this answer

Option C is correct because the two-person rule requires two authorized individuals to perform a critical change, ensuring that no single person has both the authority and the ability to execute a high-risk action. This directly enforces separation of duties by dividing the task into two distinct roles, such as one person approving and another implementing the change, which prevents fraud or errors from a single compromised account.

Exam trap

The trap here is that candidates may confuse monitoring and logging (Option D) as a direct enforcement method rather than a detective control, or think that RBAC (Option E) alone enforces separation of duties without considering that RBAC must be combined with workflow rules to prevent role conflicts.

798
Multi-Selecteasy

Which THREE of the following are standard phases of the incident response lifecycle?

Select 3 answers
A.Preparation
B.Containment, Eradication, and Recovery
C.Auditing
D.Budgeting
E.Detection and Analysis
AnswersA, B, E

Preparation is the first phase, involving planning and training.

Why this answer

Option A is correct because Preparation is the foundational phase of the incident response lifecycle, as defined by NIST SP 800-61 Rev. 2. This phase involves establishing policies, creating incident response plans, forming a CSIRT, and provisioning tools (e.g., SIEM, forensic workstations) before any incident occurs. Without proper preparation, all subsequent phases are significantly less effective.

Exam trap

ISC2 often tests candidates by including plausible-sounding business or audit terms (like Auditing or Budgeting) as distractors, expecting test-takers to confuse supporting activities with formal lifecycle phases defined in NIST or SANS frameworks.

799
Matchingmedium

Match each security control type to its example.

Firewall

IDS

Backup restoration

Warning signs

Why these pairings

Firewall: preventive control (blocks unwanted traffic before it reaches the host). IDS: detective control (observes and alerts but does not block). Backup restoration: corrective (recovery) control (returns systems to a known-good state after an incident). Warning signs: deterrent control (discourages an attacker without technically preventing the action).

800
Multi-Selecteasy

An organization is planning to implement multi-factor authentication. Which TWO of the following are valid authentication factors?

Select 2 answers
A.Security question
B.Fingerprint
C.Password
D.Smart card
E.IP address
AnswersB, D

Biometric is something you are.

Why this answer

The three categories are something you know, something you have, and something you are. Fingerprint (something you are) and smart card (something you have) are valid factors.

801
MCQmedium

A security analyst is troubleshooting a network issue where users on VLAN 10 cannot reach a server on VLAN 20. The router has an ACL applied to the interface connected to VLAN 10. Which step should the analyst take first to isolate the problem?

A.Review the ACL configuration on the router interface
B.Run a traceroute from a user machine to the server
C.Check the ARP table for the server's MAC address
D.Verify the VLAN configuration on the switch
AnswerA

The ACL on the router interface can block traffic between VLANs; this is the first logical step.

Why this answer

The ACL applied to the router interface connected to VLAN 10 is the most likely cause of the connectivity issue, as it can explicitly permit or deny traffic from VLAN 10 to VLAN 20. Reviewing the ACL configuration first allows the analyst to quickly determine if the traffic is being blocked by a deny statement or missing permit entry, which is a common and immediate cause of such inter-VLAN routing failures. This step is the most efficient because it directly addresses the access control mechanism at the routing boundary.

Exam trap

ISC2 often tests the principle of starting with the most likely cause at the Layer 3/4 boundary (the ACL) rather than jumping to lower-layer troubleshooting like ARP or VLAN verification, which would be premature when an ACL is explicitly present.

How to eliminate wrong answers

Option B is wrong because running a traceroute from a user machine to the server would show where packets are dropped, but it does not identify the specific ACL rule causing the drop; it only confirms the symptom, not the root cause. Option C is wrong because checking the ARP table for the server's MAC address is irrelevant to ACL filtering; ARP resolves IP to MAC addresses at Layer 2, while ACLs operate at Layer 3/4 on the router. Option D is wrong because verifying the VLAN configuration on the switch would only confirm that VLANs 10 and 20 exist and are correctly assigned to ports, but it does not address the router's ACL, which is the explicit access control mechanism applied to the routed interface.

802
MCQeasy

A security team identifies a vulnerability in a web application that allows SQL injection. Which risk response strategy involves implementing input validation and parameterized queries to reduce the risk to an acceptable level?

A.Risk transfer
B.Risk mitigation
C.Risk acceptance
D.Risk avoidance
AnswerB

Mitigation applies controls to reduce risk.

Why this answer

Option B is correct because risk mitigation involves applying controls to reduce the likelihood or impact of a risk to an acceptable level. Implementing input validation and parameterized queries directly addresses the SQL injection vulnerability by preventing malicious SQL from being executed, thereby reducing the risk without eliminating the application's functionality.

Exam trap

ISC2 often tests the distinction between risk mitigation (applying controls to reduce risk) and risk avoidance (eliminating the activity entirely), tricking candidates who think input validation removes the risk completely rather than reducing it to an acceptable level.

How to eliminate wrong answers

Option A is wrong because risk transfer shifts the financial burden of a loss to a third party (e.g., insurance), not the technical control of the vulnerability. Option C is wrong because risk acceptance means acknowledging the risk without taking action, which contradicts the active implementation of security controls. Option D is wrong because risk avoidance would require removing the vulnerable web application entirely or disabling the feature that allows user input, which is not the same as applying input validation and parameterized queries.
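The injected DROP TABLE from question 786 and the mitigation named in question 802 (input validation plus parameterized queries), as one added example that is not part of the original page. The URL is constructed to have the same shape as the exhibit (it uses a percent-encoded single quote, %27, to match the quoting of the vulnerable query below; the exhibit used %22). The vulnerable function concatenates the decoded parameter into SQL and runs it through sqlite3's executescript, which stands in for a database driver that permits stacked statements; the safe function passes the same value as a bound parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed request, shaped like the exhibit's: a user parameter carrying percent-encoded SQL.
SAMPLE_URL = "http://10.0.0.100/profile?user=admin%27%3B%20DROP%20TABLE%20users%3B--"


def extract_param(url: str, name: str) -> str:
    """Percent-decode the query string and return one parameter, as the web app would see it."""
    return parse_qs(urlparse(url).query)[name][0]


def fresh_db() -> sqlite3.Connection:
    """In-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(name TEXT);"
        "INSERT INTO users VALUES ('admin'), ('bob');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, table: str = "users") -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> str:
    """Deliberately vulnerable: the input is pasted into the SQL text.

    executescript emulates a driver that allows stacked statements, so the
    injected second statement (DROP TABLE users) really runs. Returns the
    SQL that was executed so the effect of the quote and semicolon is visible.
    """
    sql = f"SELECT name FROM users WHERE name = '{user}'"
    conn.executescript(sql)
    return sql


def lookup_safe(conn: sqlite3.Connection, user: str) -> list:
    """Parameterized query: the driver sends the value as data, never as SQL text."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (user,))]


# Allowlist for a username field; defence in depth alongside, not instead of, parameterization.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(user: str) -> bool:
    return USERNAME_RE.fullmatch(user) is not None


if __name__ == "__main__":
    payload = extract_param(SAMPLE_URL, "user")
    print("decoded parameter:", payload)

    conn = fresh_db()
    print("executed:", lookup_vulnerable(conn, payload))
    print("users table still exists after vulnerable lookup:", table_exists(conn))

    conn = fresh_db()
    print("safe lookup returned:", lookup_safe(conn, payload))
    print("users table still exists after safe lookup:", table_exists(conn))
    print("payload passes allowlist validation:", is_valid_username(payload))
```

The allowlist is the 'input validation' half of Option B in question 802: it rejects the payload outright, but it is not a substitute for parameterization, because many legitimate fields (free text, names with apostrophes) cannot be constrained this tightly. The bound-parameter query is what actually removes the injection, whatever the input contains.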

803
MCQmedium

During incident response, a team member uses a tool to capture memory from a compromised Windows system. Which of the following best describes the order of volatility?

A.Network connections, memory, disk
B.Disk, memory, network
C.Memory, network, disk
D.Memory, disk, network connections
AnswerA

Network connections change rapidly, memory is less volatile, disk is most persistent.

Why this answer

Option A is correct because the order of volatility says to capture first the data that will disappear soonest: active network connections (with the related ARP, routing and process tables) change continuously and vanish at power-off, memory (RAM) is lost at power-off but is stable for the minutes a capture takes, and disk is least volatile because it survives shutdown. RFC 3227 gives the reference ordering, from registers and cache, through routing tables, ARP cache, process table and memory, to temporary file systems, disk, remote logs and archival media. Capturing in that sequence preserves evidence before it disappears; the memory capture itself should be taken before any disk imaging or reboot, since every tool run on the host alters the contents of RAM.

Exam trap

The trap here is that candidates often confuse volatility with importance, assuming disk (which contains persistent data) is more critical to capture first, when in fact the most volatile data (network connections) must be prioritized to prevent loss.

How to eliminate wrong answers

Option B is wrong because it places disk before memory, but disk is less volatile than memory and should be captured last; capturing disk first risks losing transient network and memory data. Option C is wrong because it places memory before network connections, but network connections are more volatile than memory and must be captured first to avoid losing active session data. Option D is wrong because it places disk before network connections, ignoring that network connections are the most volatile and must be captured before both memory and disk.

804
MCQmedium

An organization uses Kerberos for SSO. A user reports that after entering their password, they receive a 'ticket expired' error when trying to access a network share. The system administrator checks the Kerberos configuration. Which ticket is most likely expired?

A.Session key
B.Ticket-Granting Ticket (TGT)
C.Service ticket
D.Authentication Server (AS) reply
AnswerB

TGT expiration requires the user to re-authenticate to the KDC to obtain a new TGT.

Why this answer

The Ticket-Granting Ticket (TGT) has a limited lifetime (10 hours by default in Active Directory, renewable for up to 7 days). When it expires, the user must re-authenticate to the KDC to obtain a new one; service tickets are requested with the TGT, so a fresh TGT also allows a new service ticket for the file server to be issued. On Windows, klist lists the cached tickets with their start and end times, and klist purge clears the cache to force re-authentication.

805
MCQeasy

Which of the following is the primary purpose of a risk register?

A.To record all security incidents after they occur
B.To track changes made to system configurations
C.To document and track identified risks and their treatment
D.To automatically detect vulnerabilities in the network
AnswerC

Documenting and tracking identified risks and their treatment is the purpose of a risk register.

Why this answer

The primary purpose of a risk register is to document and track identified risks along with their treatment plans, including risk owners, likelihood, impact, and mitigation status. This aligns with the Risk Identification, Monitoring and Analysis domain, where the risk register serves as a central repository for risk management activities throughout the system development life cycle.

Exam trap

The trap here is that candidates confuse the risk register with an incident log or vulnerability scanner output, but the risk register is specifically a forward-looking planning document for managing identified risks, not a reactive or automated detection tool.

How to eliminate wrong answers

Option A is wrong because a risk register is a proactive tool for documenting potential risks before they occur, not a reactive log for recording security incidents after they happen (incident response logs serve that purpose). Option B is wrong because tracking changes to system configurations is the function of a change management system or configuration management database (CMDB), not a risk register. Option D is wrong because automatic vulnerability detection is performed by vulnerability scanners (e.g., Nessus, OpenVAS) or SIEM tools, not by a risk register, which is a manual or semi-automated documentation and tracking artifact.

806
MCQmedium

A security analyst notices that a service account has been granted domain administrator privileges. Which principle of access control is being violated?

A.Need-to-know
B.Separation of duties
C.Least privilege
D.Accountability
AnswerC

Service accounts should have minimal permissions.

Why this answer

Least privilege means users and accounts should have only the minimum permissions necessary. Service accounts rarely need domain admin rights.

807
MCQhard

An organization is implementing a password policy that requires passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 90 days. Additionally, users cannot reuse any of the last 10 passwords. Which password policy element does the last requirement address?

A.Password expiry
B.Password length
C.Password history
D.Password complexity
AnswerC

Password history prevents reuse of previous passwords.

Why this answer

Password history prevents users from reusing previous passwords, enforcing password uniqueness over time.

808
MCQhard

A security engineer needs to select a hashing algorithm for storing user passwords in a database. Which of the following is the most secure choice?

A.SHA-256
B.MD5
C.bcrypt
D.SHA-1
E.PBKDF2
AnswerC

bcrypt is designed for password hashing, includes salt, and is deliberately slow.

Why this answer

Option C is correct because bcrypt is purpose-built for password hashing: it salts automatically and has an adaptive cost factor that keeps brute-force and GPU cracking expensive as hardware improves. Option B (MD5) is cryptographically broken; Option D (SHA-1) is deprecated; Option A (SHA-256) is a fast, unsalted general-purpose hash suited to integrity checks, not password storage; Option E (PBKDF2) is an acceptable password-hashing KDF (and the one NIST SP 800-63B names), but bcrypt is usually preferred for its built-in salt and adaptive cost. Two practitioner caveats: bcrypt silently truncates input at 72 bytes, and where a memory-hard function is available, Argon2id is the current first choice.

809
Multi-Selectmedium

A security auditor is reviewing the configuration of a remote access VPN. Which TWO features are considered best practices for securing the VPN connection?

Select 2 answers
A.Using IKEv2 with pre-shared keys only
B.Disabling encryption to reduce latency
C.Implementing multi-factor authentication (MFA)
D.Enabling split tunneling for all traffic to improve performance
E.Using TLS 1.3 with mandatory forward secrecy
AnswersC, E

MFA adds an extra layer of security beyond passwords.

Why this answer

Multi-factor authentication (C) means a stolen or phished password alone cannot open a VPN session, and TLS 1.3 (E) only offers forward-secret (ephemeral Diffie-Hellman) key exchange, so a later compromise of the server's long-term key does not expose recorded sessions. Option A is wrong because a pre-shared key on its own is a single static secret shared across users; IKEv2 should be paired with certificates or EAP-based user authentication. Option B is wrong because an unencrypted VPN provides no confidentiality at all. Option D is wrong because split tunneling for all traffic sends Internet-bound traffic outside the tunnel, bypassing the organization's inspection and egress controls; if split tunneling is used at all, it should be limited to specific trusted destinations.

810
MCQmedium

A user claims to be 'jsmith' and provides a password. What is the term for the step where the system verifies that the password matches the one on file for 'jsmith'?

A.Authorization
B.Identification
C.Authentication
D.Accountability
AnswerC

Authentication verifies the identity claim.

Why this answer

Authentication is the process of verifying the identity claimed by a user. Identification is the claim (e.g., username), and authentication is the verification (e.g., password).

811
Multi-Selectmedium

Which TWO of the following are characteristics of mandatory access control (MAC)?

Select 2 answers
A.The system enforces access decisions based on policies
B.Security labels are assigned to subjects and objects
C.Access decisions are based on the user’s discretion
D.It is commonly used in commercial environments
E.Users can grant access to other users
AnswersA, B

MAC is system-enforced, not user-controlled.

Why this answer

Mandatory access control (MAC) enforces access decisions based on centrally defined policies, not at the discretion of individual users. The system compares security labels assigned to subjects (e.g., users, processes) and objects (e.g., files, resources) to determine if access is allowed. This ensures that even the owner of an object cannot override the policy, which is a core characteristic of MAC.

Exam trap

The trap here is that candidates often confuse MAC with DAC, mistakenly thinking that MAC allows users to set permissions or that it is common in commercial environments, when in fact MAC is policy-driven and used in high-security contexts.

812
MCQmedium

Refer to the exhibit. A security analyst reviews the firewall configuration for a Windows workstation on a private network. What is the MOST significant weakness?

A.Inbound connections are set to Block by default
B.Default outbound connections are set to Allow, potentially allowing malware to communicate out
C.The rule 'RDP (UDP-In)' is set to Block and enabled, which blocks legitimate RDP traffic
D.The rule 'File and Printer Sharing (Echo Req)' is disabled, preventing network discovery
AnswerB

Allowing all outbound by default is a security weakness.

Why this answer

Option B is correct because the exhibit shows that outbound connections are allowed by default. Allowing all outbound traffic is typical, but it is a weakness when not controlled: if the workstation is compromised, malware can communicate out without any firewall rule stopping it. This is the most significant issue in the configuration shown.

The exhibit also shows the 'Remote Desktop (TCP-In)' rule disabled (Enabled: No) and the 'RDP (UDP-In)' rule set to Block and enabled (Enabled: Yes), so RDP is not allowed in. That would only be a problem if RDP is actually needed, and many organizations block UDP RDP deliberately, so it is not a weakness in itself.

Option A is wrong because blocking inbound connections by default is the desired stance. Option C is wrong because blocking RDP (UDP-In) is plausibly intentional and reduces exposure rather than creating a weakness. Option D is wrong because the disabled 'File and Printer Sharing (Echo Req)' rule is good for security.

813
MCQhard

An organization uses role-based access control (RBAC). After a merger, a user account from the acquired company is migrated into the parent company's domain. The user is assigned to multiple roles, but is unable to access a critical application that requires a specific role. The administrator verified that the user's account is enabled and the application server is reachable. What is the MOST likely cause?

A.The user's group memberships are conflicting with the required role.
B.The user's account was not assigned the required role.
C.There is a firewall rule blocking traffic from the user's IP range.
D.The application's session timeout is set too low.
AnswerB

Without the role, the user lacks the necessary permissions.

Why this answer

In RBAC, access is granted based on the roles explicitly assigned to a user account. Since the administrator confirmed the account is enabled and the application server is reachable, the most likely cause is that the required role was not assigned to the migrated user. Without that role assignment, the user lacks the necessary permissions to access the critical application, regardless of other roles held.

Exam trap

The trap here is that candidates may assume group membership conflicts (Option A) cause access denial in RBAC, but RBAC roles are independent and additive—conflicts do not occur; the real issue is the missing role assignment.

How to eliminate wrong answers

Option A is wrong because RBAC does not have conflicting group memberships; roles are additive and do not conflict with each other—if the required role were assigned, access would be granted. Option C is wrong because the administrator verified the application server is reachable, which implies network connectivity is not blocked; a firewall rule would prevent reachability, not just application access. Option D is wrong because a low session timeout would cause the user to be logged out after inactivity, not prevent initial access to the application.

814
MCQhard

An organization implements a policy that the same individual cannot both create a purchase order and approve it in the financial system. Which security principle does this control primarily enforce?

A.Job rotation
B.Least privilege
C.Need-to-know
D.Separation of duties
AnswerD

Separation of duties divides critical functions among multiple users to prevent fraud and errors.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from performing conflicting tasks, such as creating and approving a purchase order. By splitting these responsibilities, the organization reduces the risk of fraud, errors, and unauthorized transactions, ensuring that no single person has unchecked control over a critical financial process.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege only limits permissions to the minimum needed, whereas separation of duties specifically prevents a single user from executing two conflicting functions that could enable fraud or error.

How to eliminate wrong answers

Option A is wrong because job rotation is a practice where employees periodically switch roles to cross-train and reduce monotony, not a control that enforces dual-authority over a single transaction. Option B is wrong because least privilege limits users to only the permissions necessary for their job, but it does not inherently prevent the same person from both creating and approving a purchase order if both actions fall within their role. Option C is wrong because need-to-know restricts access to information based on job necessity, not the segregation of conflicting duties within a process.

815
MCQmedium

A vulnerability scan identifies a critical flaw in a web server. The server is currently in production and cannot be patched immediately due to compatibility issues. The risk response chosen is to implement a web application firewall (WAF) rule to block exploitation attempts. This is an example of which risk response?

A.Risk acceptance
B.Risk avoidance
C.Risk transfer
D.Risk mitigation
AnswerD

Applying a WAF rule reduces the risk without eliminating it entirely.

Why this answer

Implementing a WAF rule to block exploitation attempts reduces the likelihood or impact of the vulnerability without removing the flaw itself. This is a classic risk mitigation technique, as it applies a compensating control to lower residual risk while the server remains unpatched. Risk mitigation involves taking action to reduce risk to an acceptable level, which is exactly what deploying a WAF signature achieves.

Exam trap

Cisco often tests the distinction between risk mitigation and risk avoidance, where candidates mistakenly think that blocking exploitation attempts 'avoids' the risk, but avoidance requires eliminating the vulnerability entirely (e.g., removing the server), not just reducing its exploitability.

How to eliminate wrong answers

Option A is wrong because risk acceptance means acknowledging the risk and taking no action to reduce it, whereas a WAF rule is an active control. Option B is wrong because risk avoidance would require removing the vulnerable server from production or disabling the affected service entirely, not just blocking exploit attempts. Option C is wrong because risk transfer involves shifting the financial impact of a loss to a third party (e.g., insurance or outsourcing), not implementing a technical control like a WAF.

816
MCQhard

A security administrator is configuring a web server to use TLS. They want to optimize performance while maintaining strong security. Which cipher suite should they prioritize?

A.TLS_DHE_RSA_WITH_AES_128_CBC_SHA
B.TLS_RSA_WITH_AES_128_CBC_SHA256
C.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
D.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
AnswerD

This suite offers forward secrecy, strong authentication with ECDSA, and efficient authenticated encryption.

Why this answer

Option D is correct because TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uses Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for perfect forward secrecy, ECDSA for efficient authentication, AES-256 in GCM mode for authenticated encryption, and SHA-384 for integrity. This combination provides the strongest security with modern, optimized algorithms, making it the best choice for performance and security on a TLS web server.

Exam trap

The trap here is that candidates often choose option C (ECDHE_RSA) because it uses ECDHE and GCM, but they overlook that ECDSA with AES-256 and SHA-384 provides stronger security and better performance than RSA-based authentication, especially in modern TLS configurations.

How to eliminate wrong answers

Option A is wrong because TLS_DHE_RSA_WITH_AES_128_CBC_SHA uses DHE (which is slower than ECDHE due to larger key sizes) and CBC mode (which is vulnerable to padding oracle attacks like POODLE) with SHA-1 (deprecated due to collision attacks). Option B is wrong because TLS_RSA_WITH_AES_128_CBC_SHA256 uses RSA key exchange (no perfect forward secrecy, as the private key can decrypt all past sessions if compromised) and CBC mode (still susceptible to timing attacks). Option C is wrong because TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uses RSA for authentication (larger keys, slower than ECDSA) and AES-128 (weaker than AES-256 for long-term security), while the question asks to prioritize the strongest combination; ECDSA with AES-256 and SHA-384 is superior.

817
Multi-Selectmedium

An organization has suffered a ransomware attack that encrypted files on several file servers. The incident response team is planning recovery. Which TWO actions should be performed to verify that the restored systems are clean before returning them to production? (Select TWO)

Select 2 answers
A.Restore the systems from the most recent backup
B.Change all user passwords associated with the systems
C.Run a full antivirus and anti-malware scan on the restored systems
D.Apply all security patches to the operating system
E.Monitor the systems for any signs of reinfection or anomalous behavior for a period of time
AnswersC, E

Scanning ensures no malware remains in the restored data.

Why this answer

Option C is correct because running a full antivirus and anti-malware scan on the restored systems ensures that no remnants of the ransomware (e.g., dormant payloads, modified registry keys, or backdoor executables) remain in the restored data. Even if the backup was taken before the infection, the restore process could reintroduce malware if the backup itself was compromised or if the ransomware had persisted in the system state. A thorough scan validates that the restored environment is free of known malicious signatures and behavioral indicators.

Exam trap

The trap here is that candidates often assume restoring from a clean backup (Option A) is sufficient to guarantee a clean system, but the SSCP exam emphasizes that backups must be verified as malware-free and that additional validation steps (scanning and monitoring) are required before returning systems to production.

818
MCQeasy

Which of the following is the PRIMARY purpose of implementing a clean desk policy?

A.To lower office cleaning costs
B.To comply with fire safety regulations
C.To reduce the risk of data breaches
D.To improve employee productivity
AnswerC

Clean desk policies prevent unauthorized access to sensitive information left on desks.

Why this answer

A clean desk policy is a physical security control designed to prevent unauthorized access to sensitive information by ensuring that documents, devices, and media are securely stored when not in use. By reducing the visibility of confidential data, it directly mitigates the risk of data breaches from shoulder surfing, theft, or accidental exposure. This aligns with the principle of least exposure and supports compliance with data protection frameworks like GDPR or HIPAA.

Exam trap

The trap here is that candidates confuse a clean desk policy with general workplace organization or fire safety, overlooking its core role as a physical security control to protect confidential data from unauthorized access.

How to eliminate wrong answers

Option A is wrong because a clean desk policy does not target cleaning costs; it is a security measure, not a housekeeping budget control. Option B is wrong because while a clean desk may indirectly reduce fire hazards by clearing clutter, fire safety regulations are primarily addressed by fire codes, extinguisher placement, and egress paths, not by a policy focused on information security. Option D is wrong because although a tidy workspace can boost morale, the primary purpose of a clean desk policy is security, not productivity improvement.

819
MCQhard

A security engineer is configuring a firewall to block all inbound traffic except for specific services. Which of the following design principles is being applied?

A.Separation of duties
B.Default deny
C.Defense in depth
D.Least privilege
AnswerD

Least privilege ensures entities have only the access needed to perform their functions.

Why this answer

The correct answer is D, Least Privilege, because the security engineer is configuring the firewall to block all inbound traffic except for specific services. This aligns with the principle of least privilege, which dictates that only the minimum necessary access should be granted—in this case, only allowing specific services through while denying everything else by default. The firewall rule set explicitly permits only required ports (e.g., TCP/443 for HTTPS) and implicitly denies all other traffic, ensuring that no unnecessary access is permitted.

Exam trap

The trap here is that candidates confuse the 'default deny' mechanism (a firewall policy stance) with the 'least privilege' design principle, but the question asks for the overarching principle, not the specific implementation method.

How to eliminate wrong answers

Option A is wrong because separation of duties is a control designed to prevent fraud or error by requiring multiple individuals to complete a sensitive task (e.g., one person configures the firewall, another audits the rules), not a principle about traffic filtering. Option B is wrong because default deny is a specific firewall policy stance (deny all traffic unless explicitly allowed), not a design principle; the question asks for the principle being applied, and default deny is a mechanism that implements least privilege. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewall, IDS, antivirus), not a single firewall configuration that blocks all inbound traffic except specific services.

820
MCQmedium

A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?

A.Disable the legacy module until a full rewrite is completed.
B.Rewrite the legacy module to use parameterized queries.
C.Deploy a web application firewall (WAF) to block SQL injection patterns.
D.Implement input validation to reject special characters.
AnswerB

Parameterized queries prevent SQL injection by separating code from data.

Why this answer

Option B is correct because parameterized queries (prepared statements) are the definitive defense against SQL injection, as they separate SQL logic from user data by design. Rewriting the legacy module to use parameterized queries eliminates the root cause of the vulnerability at the code level, ensuring that user input is never concatenated into the SQL statement. This is the most secure and permanent fix, as it directly addresses the injection point in the application layer.

Exam trap

ISC2 often tests the misconception that a WAF or input validation is sufficient to prevent SQL injection, but the trap here is that only parameterized queries (or stored procedures with parameterized calls) eliminate the vulnerability at the code level, making them the best immediate remediation over compensating controls.

How to eliminate wrong answers

Option A is wrong because disabling the legacy module is a reactive, temporary workaround that disrupts business functionality and does not fix the underlying insecure coding practice; it should only be considered if the module cannot be secured immediately, but the question asks for the 'best immediate remediation,' which is a permanent code fix. Option C is wrong because a WAF is a compensating control that can be bypassed with advanced SQL injection techniques (e.g., encoding, out-of-band attacks) and does not address the root cause; it should be used as a defense-in-depth layer, not as a primary remediation. Option D is wrong because input validation (e.g., rejecting special characters) is unreliable and can be circumvented by attackers using alternative injection vectors (e.g., numeric fields, second-order injection) and may break legitimate input; it is not a substitute for parameterized queries.

821
MCQmedium

A security analyst reviews the exhibit. The internal IP 10.0.0.1 is a web server, and 203.0.113.5 is an external IP. What is the most likely issue?

A.The web server may be exfiltrating data to an external host
B.The external IP is scanning the web server for vulnerabilities
C.The web server is experiencing a DDoS attack from the external IP
D.An internal user is browsing a malicious website
AnswerA

Increasing outgoing data to a single external host is suspicious of data exfiltration.

Why this answer

The exhibit shows a high volume of outbound traffic from internal IP 10.0.0.1 (the web server) to external IP 203.0.113.5 on port 443 (HTTPS). This pattern is consistent with data exfiltration, where a compromised web server sends sensitive data to an external command-and-control (C2) server. The traffic is initiated by the internal server, not inbound, which rules out scanning or DDoS attacks.

Exam trap

The trap here is that candidates confuse the direction of traffic—assuming any external IP communicating with a web server must be an attacker scanning or attacking, rather than recognizing that the server itself may be the compromised source of outbound data.

How to eliminate wrong answers

Option B is wrong because vulnerability scanning typically involves inbound probes (e.g., SYN scans) from the external IP to the web server, not sustained outbound data flows. Option C is wrong because a DDoS attack would show a flood of inbound traffic from many sources, not a single external IP sending or receiving a steady outbound stream. Option D is wrong because an internal user browsing a malicious website would generate outbound traffic from a client workstation, not from a web server IP like 10.0.0.1.

822
MCQeasy

A company has 200 employees using a Windows Active Directory environment. The security administrator receives multiple alerts that user accounts are being locked out every 15 minutes. The help desk confirms that users who report the issue are able to log in successfully after unlocking their accounts, but they get locked out again shortly after. The administrator checks the domain controller security logs and sees many failed logon attempts with a specific service account name 'svc_backup' from multiple workstations. The svc_backup account is used for a backup application that runs scheduled tasks. What should the administrator do to resolve the issue?

A.Disable the svc_backup account until the backup vendor releases a patch
B.Change the password for svc_backup and update the backup application with the new password
C.Create a new service account with a different name and grant it the same permissions
D.Increase the account lockout threshold to prevent lockouts
AnswerB

This resolves the root cause: the service account's password is likely stale or incorrect, causing repeated authentication failures.

Why this answer

The repeated lockouts are caused by a service account (svc_backup) being used with an incorrect or expired password. The most effective solution is to reset the password for that account and update it in the backup application. Disabling the account or increasing the lockout threshold does not fix the root cause.

Creating a new account without addressing the password mismatch will not stop the current account from being used.

823
Multi-Selectmedium

An organization is designing network segmentation to protect sensitive data. Which TWO of the following are effective methods for implementing network segmentation?

Select 2 answers
A.Honeypots
B.NAT
C.Firewalls
D.Port security
E.VLANs
AnswersC, E

Firewalls enforce policies between segments.

Why this answer

VLANs segment traffic at Layer 2, and firewalls control traffic between segments at Layer 3+.

824
MCQhard

An organization wants to implement a cryptographic solution that ensures forward secrecy for its internal communications. Which key exchange method should be used?

A.RSA key exchange
B.Elliptic Curve Diffie-Hellman (ECDH)
C.Diffie-Hellman Ephemeral (DHE)
D.Static Diffie-Hellman
AnswerC

DHE generates temporary keys each session, so compromise of long-term keys does not expose past sessions.

Why this answer

DHE (Diffie-Hellman Ephemeral) generates a fresh, temporary key pair for each session and never reuses the private key, ensuring that compromise of a long-term key does not expose past session keys. This provides forward secrecy because the ephemeral keys are destroyed after the session ends, making it computationally infeasible to decrypt recorded traffic even if the server's static key is later compromised.

Exam trap

ISC2 often tests the distinction between 'Diffie-Hellman' (which can be static) and 'Diffie-Hellman Ephemeral' (DHE) — the trap is that candidates see 'Diffie-Hellman' and assume forward secrecy, forgetting that only the ephemeral variant provides it.

How to eliminate wrong answers

Option A is wrong because RSA key exchange uses the server's static private key to decrypt the premaster secret; if that private key is later compromised, all past sessions can be decrypted, so it does not provide forward secrecy. Option B is wrong because Elliptic Curve Diffie-Hellman (ECDH) alone is a static-static or static-ephemeral variant unless the ephemeral (ECDHE) version is specified; the question asks for a method that ensures forward secrecy, and standard ECDH without the 'E' does not guarantee ephemeral keys. Option D is wrong because Static Diffie-Hellman uses fixed, long-term keys for both parties, meaning compromise of either static private key allows decryption of all past and future sessions, thus providing no forward secrecy.

825
Multi-Selectmedium

Which TWO of the following are essential components of a secure configuration baseline for a new server deployment?

Select 2 answers
A.Disable all unnecessary services and ports
B.Apply the latest security patches to the operating system
C.Enable only error logging, not audit logging
D.Assign the same strong password to all local accounts
E.Use default passwords for all service accounts
AnswersA, B

Reduces attack surface.

Why this answer

Options A and B are correct. Disabling unused services and ports reduces the attack surface, and applying the latest patches closes known vulnerabilities.

Option C is wrong because audit logging is needed for monitoring and investigation; keeping audit logs enabled is generally recommended. Option D is wrong because using a single password for all accounts violates least privilege. Option E is wrong because default passwords are insecure and should be changed.
