Systems Security Certified Practitioner (SSCP) — Questions 826-900

991 questions total · 14 pages · All types, answers revealed


Page 12 of 14

826
MCQ · easy

Which of the following is the correct order of the access control process?

A. Identification, authentication, authorization, accountability
B. Identification, authorization, authentication, accountability
C. Authorization, authentication, identification, accountability
D. Authentication, identification, authorization, accountability
Answer: A

Correct. This is the logical order.

Why this answer

The sequence is: identification (user claims identity), authentication (verifies claim), authorization (determines access rights), and accountability (tracks actions).

827
MCQ · hard

Refer to the exhibit. User bob, a member of the projectdev group, attempts to create a new file in /data/project but gets 'Permission denied'. What is the most likely reason?

A. The group permission (r-x) and the mask (rwx) combine to limit bob to read and execute only
B. Bob is not the owner of the directory
C. Bob's effective permissions are limited by the user:alice entry
D. The 'other' permission is '---', blocking all access for users not in the file's user or group
Answer: A

The effective group permission is determined by the ACL group entry (r-x) and the mask (rwx) – the more restrictive is applied, resulting in r-x, which lacks write.

Why this answer

The directory /data/project has group permissions set to r-x (read and execute) for the projectdev group, and the umask is set to rwx (000), meaning no bits are masked. However, the group permission explicitly denies write access. Since bob is a member of projectdev, his effective permissions are limited to read and execute, preventing file creation.

Exam trap

ISC2 often tests the misconception that the 'other' permission applies to group members, when in fact group permissions take precedence for users in the group, and the umask only affects newly created files, not the directory's existing permissions.

How to eliminate wrong answers

Option B is wrong because ownership of the directory is irrelevant; bob's group membership grants him group-level permissions, which are the limiting factor. Option C is wrong because the user:alice entry is an ACL that applies specifically to user alice, not to bob, and does not affect bob's permissions. Option D is wrong because the 'other' permission applies only to users who are not the owner and not in the group; bob is in the projectdev group, so group permissions apply, not 'other'.
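The access check that question 827 relies on can be worked through in code. The following is an added example, not part of the question bank: it parses a getfacl-style listing (constructed here, since the exhibit is not reproduced) and applies the POSIX ACL algorithm, so you can see why bob's group entry ANDed with the mask yields r-x, why alice's named-user entry lets her write, and what happens when the mask itself is tightened.

```python
from __future__ import annotations

# Constructed getfacl-style listing matching the scenario in question 827 (the
# page's exhibit is not reproduced, so these entries are assumed).
ACL_TEXT = """\
# file: data/project
# owner: root
# group: projectdev
user::rwx
user:alice:rwx
group::r-x
mask::rwx
other::---
"""


def parse_acl(text: str):
    """Split getfacl output into a header dict and (tag, qualifier, perms) entries."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        else:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return header, entries


def bits(perms: str) -> set[str]:
    return {c for c in perms if c in "rwx"}


def check_access(acl_text: str, user: str, groups: set[str], requested: str) -> bool:
    """POSIX ACL access check: owner entry; else a matching named-user entry;
    else any matching owning-group / named-group entry; else other.
    Named-user and all group entries are ANDed with the mask entry first."""
    header, entries = parse_acl(acl_text)
    owner, owning_group = header["owner"], header["group"]
    mask = bits(next((p for t, _, p in entries if t == "mask"), "rwx"))
    want = bits(requested)

    if user == owner:
        return want <= bits(next(p for t, q, p in entries if (t, q) == ("user", "")))
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= (bits(p) & mask)
    group_matched = False
    for t, q, p in entries:
        if t != "group":
            continue
        if (q == "" and owning_group in groups) or (q != "" and q in groups):
            group_matched = True
            if want <= (bits(p) & mask):   # any one matching group entry suffices
                return True
    if group_matched:
        return False                        # group class matched but lacks the bits
    return want <= bits(next(p for t, _, p in entries if t == "other"))


def can_create_file(acl_text: str, user: str, groups: set[str]) -> bool:
    """Creating an entry in a directory needs write and search (x) on the directory."""
    return check_access(acl_text, user, groups, "wx")
```

Note that the mask caps named-user and group entries but never the owner or other entries; on a real system `getfacl` prints `#effective:` next to any entry the mask reduces, which is the quickest place to look when a group member is unexpectedly denied.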

828
Multi-Select · medium

A cloud security team is implementing CSPM (Cloud Security Posture Management) for their IaaS environment. Which THREE issues is CSPM MOST likely to detect? (Select THREE.)

Select 3 answers
A. IAM roles with overly permissive policies
B. Open security groups allowing unrestricted inbound access
C. Outdated OS patches on cloud VMs
D. Unencrypted S3 buckets
E. Runtime malware in a virtual machine
Answers: A, B, D

CSPM identifies privilege risks.

Why this answer

CSPM detects misconfigurations such as open security groups, unencrypted storage, and excessive IAM permissions.

829
MCQ · hard

An organization's risk register shows a high risk for phishing attacks. Which controls are considered detective controls for this risk?

A. Security awareness training
B. Email filtering
C. User reporting mechanism
D. Multi-factor authentication
Answer: C

User reporting detects phishing attacks that have reached users, enabling response.

Why this answer

A user reporting mechanism is a detective control because it enables users to identify and report suspected phishing emails after they have been received, allowing the security team to investigate and respond. Unlike preventive controls that block attacks, detective controls discover incidents that have already occurred, such as a user recognizing a malicious link or attachment in their inbox.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse 'user reporting' as a reactive or corrective control rather than recognizing it as a detective control that identifies an ongoing or past incident.

How to eliminate wrong answers

Option A is wrong because security awareness training is a preventive/deterrent control that educates users to avoid falling for phishing, not a control that detects attacks after they occur. Option B is wrong because email filtering is a preventive control that blocks phishing emails before they reach the user's inbox, not a detective measure that identifies incidents post-delivery. Option D is wrong because multi-factor authentication is a preventive control that protects accounts even if credentials are compromised, not a detective control that identifies phishing attempts or compromises.

830
MCQ · hard

A company runs a critical web application on an internal server that authenticates users against a Microsoft SQL Server database. The application was developed by a vendor that is no longer in business, and the source code is unavailable. The current authentication process stores user passwords using reversible encryption. The security team has identified this as a high-risk vulnerability. They propose implementing a database-level trigger that hashes the password column during INSERT and UPDATE operations, and modifying the application's stored procedures to compare hashed values during login. However, after implementation, users report that they cannot log in. The authentication logs show that the password comparison always fails. The database administrator confirms that the trigger is working and that new user registrations store the SHA-256 hash. What is the most likely cause of the login failures?

A. The trigger does not hash the password during UPDATE operations that are performed by the same user.
B. The application is using a different hashing algorithm than the trigger.
C. The stored procedure for login is still comparing the plain-text password with the hash.
D. The trigger hashes the password only if the password column is part of a specific set of columns.
Answer: C

The stored procedure likely was not modified to hash the input before comparison, resulting in failure.

Why this answer

Option C is correct because the stored procedure for login likely still expects a plain-text password and compares it directly to the stored hash, causing failure. Option A is incorrect because the trigger should fire on all updates, including those by the same user. Option B is incorrect because the trigger uses SHA-256 and the stored procedure should use the same algorithm.

Option D is incorrect because the trigger should be defined on the password column.

831
Multi-Select · hard

A SIEM correlation rule triggers when an administrative account logs in after hours and subsequently performs a bulk export of a customer database. Which THREE threat types does this scenario most likely indicate?

Select 3 answers
A. Malware infection
B. Denial of service
C. Privilege escalation
D. Data exfiltration
E. Insider threat
Answers: C, D, E

After-hours admin login may indicate escalation or misuse.

Why this answer

Option C is correct because the scenario describes an administrative account performing actions (after-hours login and bulk database export) that exceed its normal privileges or intended use, which is the essence of privilege escalation. The SIEM rule detects this by correlating the account's elevated access with anomalous behavior, indicating the account may have been compromised or misused to gain unauthorized capabilities.

Exam trap

The trap here is that candidates may confuse 'insider threat' (Option E) with 'privilege escalation' (Option C), but the question asks for three threat types, and both are distinct: privilege escalation focuses on the abuse of elevated access, while insider threat is the broader category of malicious or negligent actions by authorized users.
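The correlation rule described in question 831 can be expressed as a small stateful check over normalised events. This is an added example, not from the question bank: the event records, the 08:00-18:00 business-hours window, the two-hour correlation window and the 100,000-row "bulk" threshold are all constructed assumptions; the rule remembers a privileged account's after-hours login and fires when a large export follows it within the window.

```python
from datetime import datetime, timedelta

# Constructed audit events (not from the page), normalised the way a SIEM would
# present them; "privileged" marks administrative accounts.
EVENTS = [
    {"ts": "2024-03-04T23:41:10", "user": "svc_dba", "event": "login", "privileged": True},
    {"ts": "2024-03-04T23:52:03", "user": "svc_dba", "event": "db_export", "table": "customers", "rows": 250000},
    {"ts": "2024-03-05T10:15:00", "user": "svc_dba", "event": "login", "privileged": True},
    {"ts": "2024-03-05T10:20:00", "user": "svc_dba", "event": "db_export", "table": "customers", "rows": 300000},
    {"ts": "2024-03-05T22:05:00", "user": "jsmith", "event": "login", "privileged": False},
    {"ts": "2024-03-05T22:10:00", "user": "jsmith", "event": "db_export", "table": "customers", "rows": 400000},
    {"ts": "2024-03-05T23:00:00", "user": "svc_dba", "event": "login", "privileged": True},
    {"ts": "2024-03-05T23:05:00", "user": "svc_dba", "event": "db_export", "table": "orders", "rows": 120},
]

BUSINESS_HOURS = (8, 18)      # assumed: 08:00-18:00 local time is normal working time
BULK_ROWS = 100_000           # assumed threshold for a "bulk" export
WINDOW = timedelta(hours=2)   # assumed: export must follow the login within 2 hours


def is_after_hours(ts: datetime) -> bool:
    return not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def correlate(events):
    """Return one alert tuple (user, login_ts, export_ts, rows) for every bulk export
    that a privileged account performs within WINDOW of an after-hours login."""
    pending = {}   # user -> timestamp of their most recent after-hours privileged login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "login":
            if ev.get("privileged") and is_after_hours(ts):
                pending[ev["user"]] = ts
            else:
                pending.pop(ev["user"], None)   # a normal login clears the state
        elif ev["event"] == "db_export":
            login_ts = pending.get(ev["user"])
            if login_ts is not None and ts - login_ts <= WINDOW and ev["rows"] >= BULK_ROWS:
                alerts.append((ev["user"], login_ts.isoformat(), ts.isoformat(), ev["rows"]))
    return alerts
```

Only the first pair of events fires: the daytime export is within business hours, jsmith is not a privileged account, and the late export of 120 rows is below the bulk threshold. In a real deployment the thresholds would be tuned per application, and the same export observed during business hours would still merit a lower-severity rule of its own.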

832
MCQ · easy

A network technician needs to ensure that only authorized DHCP servers can assign IP addresses on the network. Which switch feature should be enabled?

A. DHCP snooping
B. Dynamic ARP Inspection
C. Port security
D. BPDU guard
Answer: A

DHCP snooping blocks unauthorized DHCP server responses.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding database by monitoring DHCP traffic on untrusted ports. By enabling DHCP snooping on the switch, only DHCP servers connected to trusted ports can assign IP addresses, preventing rogue DHCP server attacks.

Exam trap

ISC2 often tests DHCP snooping by confusing it with Dynamic ARP Inspection, but the key distinction is that DHCP snooping directly controls DHCP server messages, while DAI relies on the snooping database to validate ARP traffic.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets using the DHCP snooping binding table to prevent ARP spoofing, not to control which DHCP servers can assign IP addresses. Option C (Port security) is wrong because it limits the number of MAC addresses allowed on a switch port to prevent MAC flooding, not to authorize DHCP servers. Option D (BPDU guard) is wrong because it protects spanning tree protocol by disabling ports that receive BPDUs, which is unrelated to DHCP server authorization.

833
MCQ · medium

A security analyst is reviewing security events on a Linux server and needs to ensure that all authentication attempts, including both successful and failed logins, are logged. Which configuration should be used?

A. Use PAM to log authentication events to /var/log/secure
B. Enable and configure auditd with rules to capture login events
C. Set up SELinux to audit login attempts
D. Configure syslog to monitor /var/log/auth.log
Answer: B

auditd is the Linux audit daemon; rules can be added to log all login attempts.

Why this answer

The auditd service is used for auditing in Linux, including authentication events. Configuring auditd rules for logins captures all attempts.

834
MCQ · hard

Refer to the exhibit. A systems administrator configures this Group Policy setting. What is the direct consequence?

A. Members of Backup Operators cannot connect to the server using Remote Desktop.
B. Members of Backup Operators are prohibited from local console logon.
C. Members of Backup Operators can connect via Remote Desktop.
D. Members of Backup Operators are prevented from using any remote access method.
Answer: A

The deny setting explicitly blocks RDP access for that group.

Why this answer

Option A is correct because the 'Deny log on through Remote Desktop Services' policy explicitly prevents the specified group from using RDP. Option C is wrong because the policy denies, not allows. Option B is wrong because it affects only Remote Desktop, not console logon.

Option D is wrong because it does not affect other remote access methods like SSH unless specifically configured.

835
MCQ · medium

Which access control model allows the owner of a resource to determine who can access it and what permissions they have?

A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Attribute-Based Access Control (ABAC)
D. Role-Based Access Control (RBAC)
Answer: B

DAC allows owners to set permissions.

Why this answer

Discretionary Access Control (DAC) gives resource owners discretion to grant or deny access to others.

836
MCQ · medium

A system administrator is configuring a file encryption solution for a shared network drive. The solution must allow multiple users to read the files without sharing a single symmetric key. Which approach should be used?

A. Use a different symmetric key for each user and re-encrypt the file for each user
B. Encrypt the file with each user's public key directly
C. Encrypt the file with a symmetric key, then encrypt that key with each authorized user's public key
D. Encrypt the file with a single symmetric key and share that key securely with all users
Answer: C

This is a hybrid encryption approach that scales well and maintains security.

Why this answer

Option C describes hybrid encryption, which is the correct approach for this scenario. The file is encrypted with a random symmetric key (session key) for efficiency, and that symmetric key is then encrypted with each authorized user's public key. This allows multiple users to decrypt the symmetric key with their private key and then decrypt the file, without sharing a single symmetric key.

Exam trap

The trap here is that candidates may choose Option B (direct public key encryption) because they understand asymmetric encryption but overlook the performance and practical limitations of encrypting large files with public key algorithms, which are designed for small data like keys.

How to eliminate wrong answers

Option A is wrong because re-encrypting the entire file for each user with a different symmetric key is computationally expensive and does not scale; it also requires managing multiple encrypted copies. Option B is wrong because directly encrypting the file with each user's public key would require encrypting the entire file multiple times, which is inefficient for large files and does not leverage symmetric key performance. Option D is wrong because sharing a single symmetric key with all users violates the requirement of not sharing a single symmetric key and introduces a single point of compromise.

837
MCQ · medium

A company implements mandatory access control (MAC) on its classified document system. A user with a security clearance of Secret attempts to read a document labeled Top Secret. What happens?

A. The user is prompted to request a temporary upgrade
B. The access is denied by the system
C. The document is downgraded to Secret for the user
D. The user can read the document because they have a valid clearance
Answer: B

MAC denies any access that violates the lattice.

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the user's security clearance (Secret) with the document's classification label (Top Secret). Since the clearance level is lower than the document's classification, the system automatically denies the read operation. This is a fundamental property of MAC, where the system enforces the Bell-LaPadula model's simple security property (no read up).

Exam trap

The trap here is that candidates confuse MAC with discretionary access control (DAC), where a user might be able to request temporary access or have permissions changed by the owner, but in MAC, all access decisions are system-enforced and cannot be overridden by users.

How to eliminate wrong answers

Option A is wrong because MAC does not support user-initiated temporary upgrades; clearance changes require administrative action and are not prompted by the system. Option C is wrong because MAC never automatically downgrades a document's classification label to match a user's clearance; labels are immutable and set by the security administrator. Option D is wrong because having a valid clearance is insufficient; the clearance must equal or exceed the document's classification level for read access.
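The comparison that decides question 837 is a dominance check between two labels. The following added example (not part of the question bank) implements it and goes slightly beyond the question: labels carry an optional set of compartments as well as a level, and alongside the simple security property (no read up) it also encodes the Bell-LaPadula *-property (no write down). The level ordering and compartment names are constructed assumptions.

```python
from __future__ import annotations

# Assumed classification lattice, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

Label = tuple[str, frozenset[str]]   # (level, compartments)


def label(level: str, *compartments: str) -> Label:
    return (level, frozenset(compartments))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least as high AND it holds every
    compartment b requires. This partial order is what the lattice enforces."""
    (a_level, a_cats), (b_level, b_cats) = a, b
    return LEVELS[a_level] >= LEVELS[b_level] and a_cats >= b_cats


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property: a subject may read only what its clearance dominates."""
    return dominates(clearance, classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property: a subject may write only to objects that dominate its clearance,
    so information never flows down the lattice."""
    return dominates(classification, clearance)


def mac_decision(clearance: Label, classification: Label, op: str) -> str:
    """The reference monitor's answer is only ever 'allow' or 'deny'; there is no
    prompt, temporary upgrade, or automatic downgrade of the object's label."""
    if op == "read":
        permitted = can_read(clearance, classification)
    elif op == "write":
        permitted = can_write(clearance, classification)
    else:
        raise ValueError(f"unknown operation: {op}")
    return "allow" if permitted else "deny"
```

The question's scenario is `mac_decision(label("Secret"), label("Top Secret"), "read")`, which returns `deny`; the compartment check shows why two Secret labels can still be incomparable when one requires a compartment the subject does not hold.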

838
MCQ · hard

A security professional is designing a key management system and needs to ensure that keys are generated using a truly random source. Which of the following is the most appropriate method for generating cryptographic keys?

A. Hardware random number generator
B. Cryptographically secure PRNG seeded with a static password
C. Pseudorandom number generator (PRNG) seeded with current timestamp
D. User-memorized passphrase
Answer: A

Hardware RNG provides true randomness.

Why this answer

Hardware random number generators (HRNGs) provide true randomness, while CSPRNGs are deterministic. For key generation, a hardware RNG is best.

839
Multi-Select · medium

Which TWO of the following are primary purposes of a risk register?

Select 2 answers
A. Track the status of risk treatment plans
B. Document identified risks and their characteristics
C. Record network traffic logs
D. Store vulnerability scan results
E. Provide a checklist for compliance audits
Answers: A, B

The risk register tracks mitigation actions and their progress.

Why this answer

Option A is correct because a risk register is a living document used to track the status of risk treatment plans, including whether controls have been implemented, are in progress, or are overdue. This ensures that risk owners are accountable and that residual risk is managed over time. Option B is correct because the primary function of a risk register is to document identified risks along with their characteristics, such as probability, impact, risk score, and owner.

These two functions are core to the risk management process as defined by frameworks like NIST SP 800-37 and ISO 31000.

Exam trap

The trap here is that candidates confuse the risk register with operational security tools like vulnerability scanners or log management systems, leading them to select options that describe technical data storage rather than the risk management documentation and tracking functions.

840
MCQ · easy

An organization wants to allow secure remote access for employees. Which protocol is most appropriate for a site-to-site VPN?

A. PPTP
B. SSL/TLS
C. IPsec
D. SSH
E. L2TP
Answer: C

IPsec provides strong encryption and authentication for site-to-site VPNs.

Why this answer

IPsec is the correct choice for a site-to-site VPN because it operates at the network layer (Layer 3), providing encryption and authentication for all IP traffic between two entire networks. It supports both tunnel and transport modes, and uses protocols like ESP (Encapsulating Security Payload) and AH (Authentication Header) to ensure confidentiality, integrity, and origin authentication, making it the standard for permanent site-to-site connections.

Exam trap

The trap here is that candidates often confuse SSL/TLS with site-to-site VPNs because of its common use in remote access VPNs (e.g., AnyConnect), but SSL/TLS is a transport-layer protocol designed for client-to-server connections, not for routing entire network segments.

How to eliminate wrong answers

Option A (PPTP) is wrong because it uses outdated MPPE encryption and relies on PPP authentication, which has known security vulnerabilities (e.g., MS-CHAPv2 cracking) and is not suitable for secure site-to-site VPNs. Option B (SSL/TLS) is wrong because it operates at the transport layer (Layer 4) and is designed for client-to-site remote access VPNs (e.g., OpenVPN or AnyConnect), not for routing traffic between two entire networks. Option D (SSH) is wrong because it is a protocol for secure remote command-line access and port forwarding (tunneling individual TCP connections), not for encapsulating entire IP networks.

Option E (L2TP) is wrong because it is a tunneling protocol that provides no encryption by itself (RFC 2661); it is typically paired with IPsec (L2TP/IPsec) for security, but alone it is not appropriate for a secure site-to-site VPN.

841
Multi-Select · medium

A network administrator is configuring a VPN using IPsec. Which two protocols are used within IPsec to ensure data integrity and confidentiality? (Choose two.)

Select 2 answers
A. SSL (Secure Sockets Layer)
B. L2TP (Layer 2 Tunneling Protocol)
C. ESP (Encapsulating Security Payload)
D. IKE (Internet Key Exchange)
E. AH (Authentication Header)
Answers: C, E

ESP provides both confidentiality and integrity, making it essential for data security in IPsec.

Why this answer

C is correct because ESP (Encapsulating Security Payload) provides both data confidentiality (via encryption) and data integrity (via authentication), making it the primary IPsec protocol for securing payloads. E is correct because AH (Authentication Header) ensures data integrity and origin authentication but does not provide confidentiality, as it does not encrypt the payload. Together, ESP and AH are the two core IPsec protocols that handle integrity and confidentiality, though ESP alone is typically used in modern deployments.

Exam trap

The trap here is that candidates often confuse IKE as a protocol that provides data integrity or confidentiality, when in fact it only handles key exchange and SA negotiation, not the actual data protection.

842
Multi-Select · hard

A security analyst is reviewing a web application for OWASP Top 10 vulnerabilities. Which THREE of the following are examples of injection flaws?

Select 3 answers
A. SQL injection
B. LDAP injection
C. Broken authentication
D. OS command injection
E. Cross-Site Scripting (XSS)
Answers: A, B, D

SQL injection is a type of injection flaw.

Why this answer

Injection flaws occur when untrusted data is sent to an interpreter. SQL, OS command, and LDAP injection are classic examples.

843
MCQ · medium

A company deploys a guest Wi-Fi network that must be isolated from the internal network. The network team uses VLANs and a firewall. Which configuration best ensures isolation?

A. Configure the same SSID for both guest and internal networks but use different passwords.
B. Create a separate VLAN for guest traffic with a firewall rule blocking access to internal subnets.
C. Use WPA2 encryption with a pre-shared key and disable SSID broadcast.
D. Assign guest devices to the same subnet as internal devices but enforce MAC filtering.
Answer: B

This provides both VLAN segmentation and firewall enforcement.

Why this answer

Option B is correct because creating a separate VLAN for guest traffic logically segments the network at Layer 2, and adding a firewall rule that explicitly blocks access to internal subnets enforces isolation at Layer 3/4. This ensures guest devices cannot reach internal resources, even if they are on the same physical infrastructure.

Exam trap

The trap here is that candidates often confuse security features like encryption (WPA2) or hiding the SSID with network isolation, failing to recognize that VLANs and firewall rules are required for true Layer 2/3 separation.

How to eliminate wrong answers

Option A is wrong because using the same SSID for both guest and internal networks does not provide any logical separation; devices would still be on the same broadcast domain unless VLANs are used, and different passwords alone do not prevent traffic from crossing between networks. Option C is wrong because disabling SSID broadcast (hidden SSID) is a weak security measure that does not isolate traffic; it only hides the network name, and WPA2 with a PSK does not prevent guest devices from accessing internal subnets if they are on the same VLAN. Option D is wrong because assigning guest devices to the same subnet as internal devices eliminates any Layer 3 separation, and MAC filtering is an access control mechanism that can be easily spoofed and does not block traffic between devices on the same subnet.

844
MCQ · easy

Which backup type copies all data that has changed since the last full backup, regardless of any incremental backups?

A. Synthetic full backup
B. Full backup
C. Differential backup
D. Incremental backup
Answer: C

Correct. Differential copies changes since last full backup.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of any intermediate incremental backups. This means each differential backup grows in size as it accumulates all changes made after the last full backup, making it distinct from incremental backups which only capture changes since the last backup of any type.

Exam trap

The trap here is that candidates often confuse differential backups with incremental backups, but the key differentiator is the reference point: differential backs up all changes since the last full backup, while incremental backs up changes since the last backup of any type.

How to eliminate wrong answers

Option A is wrong because a synthetic full backup is a logical reconstruction of a full backup from previous full and incremental backups, not a backup type that copies changed data since the last full backup. Option B is wrong because a full backup copies all data, not just the data that has changed since the last full backup. Option D is wrong because an incremental backup copies only data that has changed since the last backup (which could be full, differential, or incremental), not specifically since the last full backup.

845
MCQ · hard

A security analyst is configuring a SIEM to detect data exfiltration. Which of the following correlation rules would best identify potential data exfiltration via DNS tunneling?

A. Correlate high outbound DNS query volume with requests to newly registered or suspicious domains
B. Correlate multiple failed logins from a single IP
C. Alert on any single failed login attempt
D. Alert when a user accesses a file share after hours
Answer: A

This pattern matches DNS tunneling behavior.

Why this answer

DNS tunneling encodes data in DNS queries and responses, often generating a high volume of outbound queries to domains that are newly registered or otherwise suspicious. Correlating these two indicators—unusual query volume and suspicious domain characteristics—directly targets the behavior of DNS tunneling, making it the most effective rule for detecting this exfiltration technique.

Exam trap

The trap here is that candidates often confuse general anomaly detection (like failed logins or after-hours access) with the specific network-layer indicators of DNS tunneling, failing to recognize that DNS tunneling is characterized by unusual DNS query patterns to suspicious domains, not by authentication or file access events.

How to eliminate wrong answers

Option B is wrong because multiple failed logins from a single IP indicate a brute-force or credential-stuffing attack, not data exfiltration via DNS tunneling. Option C is wrong because alerting on any single failed login attempt would generate excessive false positives and does not correlate with DNS tunneling behavior. Option D is wrong because after-hours file access may indicate insider threat or policy violation but is unrelated to the network-level anomaly of DNS tunneling.
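The two indicators named in question 845 (outbound query volume and domain characteristics) can be combined into a concrete rule. This is an added example, not from the question bank: the resolver log lines are constructed (one client doing ordinary lookups, another issuing a burst of TXT queries whose first label is an encoded data chunk), the domain first-seen dates stand in for a WHOIS or domain-age feed, and the thresholds are assumptions to be tuned per environment.

```python
import hashlib
import math
from collections import defaultdict
from datetime import date

# Constructed domain-age data standing in for a WHOIS / newly-registered-domain feed.
DOMAIN_FIRST_SEEN = {"example.com": date(1995, 8, 14), "newly-registered.test": date(2024, 3, 1)}
REFERENCE_DATE = date(2024, 3, 5)


def constructed_dns_log() -> str:
    """Build sample resolver log lines of the form '<timestamp> <client> <qtype> <qname>'.
    Client 10.0.0.7 makes ordinary lookups; 10.0.0.9 sends 60 TXT queries whose first
    label is a hex-encoded chunk, the pattern that DNS tunneling tools produce."""
    lines = [
        "2024-03-05T02:13:01 10.0.0.7 A www.example.com",
        "2024-03-05T02:13:02 10.0.0.7 A mail.example.com",
        "2024-03-05T02:13:05 10.0.0.7 AAAA cdn.example.com",
    ]
    for i in range(60):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-03-05T02:14:{i:02d} 10.0.0.9 TXT {chunk}.updates.newly-registered.test")
    return "\n".join(lines)


def registered_domain(qname: str) -> str:
    # Simplification: treat the last two labels as the registrable domain
    # (a production rule would use the public suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dns_tunnel_alerts(log_text: str, min_queries: int = 50, max_age_days: int = 30,
                      min_entropy: float = 3.5):
    """Correlation rule: a high query volume from one client to one registered domain,
    combined with that domain being newly registered or the queried labels looking
    like encoded data (high average entropy of the leftmost label)."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        _ts, client, _qtype, qname = line.split()
        per_pair[(client, registered_domain(qname))].append(qname)

    alerts = []
    for (client, domain), names in per_pair.items():
        if len(names) < min_queries:
            continue
        first_seen = DOMAIN_FIRST_SEEN.get(domain)
        newly_registered = (first_seen is not None
                            and (REFERENCE_DATE - first_seen).days <= max_age_days)
        avg_entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if newly_registered or avg_entropy >= min_entropy:
            alerts.append({"client": client, "domain": domain, "queries": len(names),
                           "newly_registered": newly_registered,
                           "avg_label_entropy": round(avg_entropy, 2)})
    return alerts
```

Volume alone would also flag a busy mail server or a monitoring host, which is why the rule requires the second indicator; entropy and label length catch tunnels over long-established domains that a registration-age feed would miss.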

846
MCQ · hard

Refer to the exhibit. An analyst reviews the sshd log. What should be the immediate response?

A. Block the source IP 203.0.113.5 on the firewall
B. Disable SSH service on the server
C. Inform the server administrator of the suspicious activity
D. Change the root password and disable root SSH login
Answer: D

Immediately revoke access for the compromised account and prevent further use.

Why this answer

The sshd log shows repeated failed root login attempts from IP 203.0.113.5, indicating a brute-force attack targeting the root account. The immediate response is to change the root password and disable root SSH login (e.g., set `PermitRootLogin no` in `/etc/ssh/sshd_config`), as this directly mitigates the attack vector by removing the ability to authenticate as root via SSH. This aligns with the principle of least privilege and is a standard first step in SSH security hardening.

Exam trap

The trap here is that candidates often choose to block the source IP (Option A) because it seems like a quick fix, but they overlook that the root account remains exposed and the attacker can simply switch IPs, making the password change and disabling root login the correct immediate response.

How to eliminate wrong answers

Option A is wrong because blocking the source IP 203.0.113.5 on the firewall is a reactive measure that only addresses this specific attacker; the root account remains vulnerable to future attacks from other IPs, and the underlying misconfiguration (root SSH login enabled) is not fixed. Option B is wrong because disabling the SSH service on the server would deny legitimate administrative access entirely, causing unnecessary disruption; the goal is to secure SSH, not disable it. Option C is wrong because informing the server administrator of the suspicious activity is a notification step, not an immediate response; it delays action while the attack continues, and the administrator would still need to perform the corrective steps (change password, disable root login).
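The triage in question 846 has two parts: reading the sshd log for the failed root attempts and confirming whether `PermitRootLogin` still allows password authentication as root. The following is an added example, not the page's exhibit: the log lines are constructed (reusing the question's source address 203.0.113.5), the parser handles both `Failed` and `Accepted` lines, and the config check follows sshd's first-match rule, with the documented OpenSSH default of `prohibit-password` assumed when the directive is absent.

```python
import re
from collections import Counter

# Constructed sshd log excerpt (the page's exhibit is not reproduced; the source
# address 203.0.113.5 is the one the question names).
SSHD_LOG = """\
Mar  5 02:10:01 db01 sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  5 02:10:04 db01 sshd[2233]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  5 02:10:07 db01 sshd[2235]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  5 02:10:09 db01 sshd[2237]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  5 02:10:12 db01 sshd[2239]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  5 02:11:30 db01 sshd[2240]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(log_text: str):
    """Return one dict per authentication line; unrelated sshd lines are skipped."""
    matches = (AUTH_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def failed_root_by_ip(log_text: str) -> dict:
    """Count failed password attempts against the real root account, per source."""
    return dict(Counter(
        e["ip"] for e in parse_auth_events(log_text)
        if e["result"] == "Failed" and e["user"] == "root" and not e["invalid"]
    ))


def permit_root_login(sshd_config: str) -> str:
    """Effective PermitRootLogin value: sshd keeps the first uncommented directive.
    The fallback 'prohibit-password' is OpenSSH's documented default (assumed here;
    Match blocks are not modelled)."""
    for line in sshd_config.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return "prohibit-password"


def root_exposed_to_password_guessing(log_text: str, sshd_config: str, threshold: int = 3) -> bool:
    """True when repeated failed root logins are observed AND the configuration still
    lets root authenticate with a password, the condition the question's fix removes."""
    attacked = any(n >= threshold for n in failed_root_by_ip(log_text).values())
    return attacked and permit_root_login(sshd_config) == "yes"
```

After the change, the same check returns false because the configuration no longer permits root password logins, regardless of how many further attempts arrive or from which addresses; the per-IP counts remain useful as evidence for a follow-up block, which the question ranks as secondary.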

847
MCQ · easy

Which of the following is a secure alternative to RC4 for stream ciphers?

A. MD5
B. AES in ECB mode
C. ChaCha20
D. 3DES
Answer: C

ChaCha20 is a secure stream cipher used in TLS and other protocols.

Why this answer

ChaCha20 is a modern, high-speed stream cipher designed by Daniel J. Bernstein as a secure alternative to RC4, which has known vulnerabilities such as biases in its keystream and susceptibility to attacks like the Fluhrer-Mantin-Shamir attack. ChaCha20 is standardized in RFC 8439 and is widely used in TLS 1.3 and SSH, offering strong security and performance without the weaknesses of RC4.

Exam trap

Cisco often tests the misconception that any symmetric cipher can replace RC4, but the trap here is that candidates confuse block cipher modes (like ECB) or hash functions (like MD5) with stream ciphers, failing to recognize that only a dedicated stream cipher like ChaCha20 provides the same operational paradigm as RC4.

How to eliminate wrong answers

Option A is wrong because MD5 is a cryptographic hash function, not a stream cipher, and it is broken for collision resistance. Option B is wrong because AES in ECB mode is a block cipher mode that encrypts each block independently, making it deterministic and insecure for patterns, not a stream cipher; it also lacks the keystream generation property of RC4. Option D is wrong because 3DES is a block cipher (not a stream cipher) and is deprecated due to its small 56-bit effective key size and vulnerability to meet-in-the-middle attacks.

848
MCQ · hard

A large data center uses a three-tier architecture with core, aggregation, and access switches. The security team detects anomalous traffic patterns: every night at 2:00 AM, a single server (IP 10.10.10.50) sends large ICMP Echo requests to multiple external IPs, followed by a flood of TCP SYN packets from those external IPs back to the server. The server is a critical database server that should not initiate outbound connections. The team suspects the server is compromised. The network team wants to contain the threat without taking the server offline immediately. Which action should they take first?

A. Apply an access control list (ACL) on the switch port to block outbound ICMP and non-essential TCP traffic from the server.
B. Add a firewall rule to block all traffic to and from the server's IP.
C. Move the server to a quarantine VLAN with no route to the internet.
D. Shut down the switch port to disconnect the server immediately.
Answer: A

This restricts the server's outbound traffic without fully disconnecting it.

Why this answer

Option A is correct because applying an ACL on the switch port to block outbound ICMP and non-essential TCP traffic from the server immediately stops the anomalous traffic (ICMP Echo requests and TCP SYN flood responses) without taking the critical database server offline. This containment approach preserves server availability for legitimate database operations while preventing further malicious outbound activity, aligning with the goal of containing the threat without immediate downtime.

Exam trap

The trap here is that candidates often choose a more drastic action like shutting down the port or blocking all traffic, failing to recognize that a granular ACL on the switch port can surgically stop the malicious traffic while keeping the server online for its primary role.

How to eliminate wrong answers

Option B is wrong because adding a firewall rule to block all traffic to and from the server's IP would completely isolate the server, taking it offline and violating the requirement to not take the server offline immediately. Option C is wrong because moving the server to a quarantine VLAN with no route to the internet would require reconfiguring the network and potentially disrupting connectivity, which is more invasive and time-consuming than a simple ACL on the switch port; it also does not address the immediate need to stop the ongoing traffic. Option D is wrong because shutting down the switch port disconnects the server entirely, taking it offline and failing the condition to contain the threat without immediate downtime.

849
Multi-Select · medium

A system administrator is hardening a Windows server. Which two of the following are effective hardening measures? (Choose two.)

Select 2 answers
A. Disable unnecessary services
B. Set file permissions to Everyone: Full Control
C. Remove administrative shares
D. Enable guest account with strong password
E. Use Telnet for remote management
Answers: A, C

Reduces potential attack vectors.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for malware or unauthorized access. On Windows Server, services like Print Spooler or Windows Search may be disabled if not needed, as they have historically been exploited (e.g., PrintNightmare). This aligns with the principle of least functionality.

Exam trap

The trap here is that candidates may think removing administrative shares breaks legitimate management tasks, but in reality, modern tools like PowerShell Remoting or Group Policy do not rely on hidden shares, making this a safe and effective hardening step.

850
Multi-Select · medium

An organization has detected a ransomware infection on a critical file server. The incident response team has been activated. Which TWO actions should be performed FIRST during the initial response phase?

Select 2 answers
A. Determine the type of ransomware variant
B. Immediately disconnect the file server from the network
C. Reimage the file server using a known good backup
D. Identify all affected systems and scope of infection
E. Notify law enforcement authorities
Answers: B, D

Correct: Immediate containment prevents further encryption or lateral movement.

Why this answer

Option B is correct because immediately disconnecting the file server from the network is a critical containment action that stops the ransomware from encrypting additional files on the server and prevents lateral movement to other systems. This aligns with the first priority in incident response: containment before eradication or recovery. Disconnecting at the switch port or disabling the network interface card (NIC) is preferred over a graceful shutdown to avoid triggering any persistence mechanisms.

Exam trap

ISC2 often tests the misconception that identifying the ransomware variant (Option A) is the first step, but in the SSCP framework, containment (disconnection) and scoping (identifying affected systems) are the immediate priorities during the initial response phase.

851
MCQ · medium

A security analyst notices an alert indicating that a user's workstation has been connected to an unauthorized external device. Which physical security control would best help prevent such incidents?

A. Biometric readers on workstations
B. Mantrap at building entrance
C. Clean desk policy
D. CCTV monitoring
Answer: C

A clean desk policy encourages employees to secure their workstations, reducing the risk of unauthorized device connections.

Why this answer

A clean desk policy is a physical security control that requires employees to clear their workstations of sensitive documents, removable media, and devices at the end of each work session. By mandating that external devices like USB drives or peripherals be stored securely, it directly reduces the risk of unauthorized devices being connected to workstations. This policy complements technical controls like device control policies (e.g., Windows Group Policy for USB restrictions) by addressing the human factor.

Exam trap

The trap here is that candidates often confuse detective controls (CCTV) or access controls (biometrics, mantrap) with preventive controls, overlooking that a clean desk policy directly addresses the physical proximity and opportunity to connect unauthorized devices.

How to eliminate wrong answers

Option A is wrong because biometric readers on workstations authenticate users, not devices; they do not prevent connection of unauthorized external devices. Option B is wrong because a mantrap at the building entrance controls physical access to the facility, not to individual workstations or their ports. Option D is wrong because CCTV monitoring provides passive surveillance and detection after an incident, not active prevention of unauthorized device connections.

852
Multi-Select · medium

An organization is implementing a digital signature solution to ensure non-repudiation and integrity of documents. Which three of the following are true regarding digital signatures?

Select 3 answers
A. The receiver uses the sender's private key to verify the signature.
B. The receiver verifies the signature using the sender's public key.
C. The sender encrypts the entire document with their public key to create a signature.
D. Digital signatures provide non-repudiation because the private key is kept secret by the sender.
E. The sender signs the message hash with their private key.
Answers: B, D, E

Verification involves decrypting the signature with the sender's public key and comparing the hash.

Why this answer

Digital signatures involve signing the hash of the message with the sender's private key. They provide non-repudiation because only the sender has the private key. Verification uses the sender's public key.

853
MCQ · medium

A company needs to ensure that when an employee leaves the organization, their accounts are disabled promptly to prevent unauthorized access. Which approach is MOST effective for timely account deactivation?

A. Conduct quarterly access reviews to identify and disable unused accounts.
B. Require managers to report departures via a ticketing system.
C. Implement a self-service password reset system to empower users.
D. Automatically synchronize with the HR system to disable accounts upon termination.
Answer: D

Automated synchronization with HR ensures near-instant deactivation when HR records a termination, significantly reducing the window of unauthorized access.

Why this answer

Option D is correct because automatically synchronizing with the HR system ensures that account deactivation occurs immediately upon termination, eliminating human delay or error. This approach leverages identity lifecycle management (ILM) to enforce the principle of least privilege and prevent unauthorized access through orphaned accounts.

Exam trap

The trap here is that candidates may choose option B because it seems proactive, but they overlook the inherent delay and unreliability of manual reporting compared to automated synchronization, which is the only option guaranteeing timely deactivation.

How to eliminate wrong answers

Option A is wrong because quarterly reviews are too infrequent to meet the requirement for timely deactivation, leaving accounts active for up to 90 days after departure. Option B is wrong because relying on managers to report departures via a ticketing system introduces manual latency and the risk of forgotten or delayed reports, which fails to guarantee prompt deactivation. Option C is wrong because a self-service password reset system does not disable accounts; it only allows users to reset their own passwords, which is irrelevant to deactivating a terminated employee's account.

854
Multi-Select · medium

A security analyst is investigating a potential ARP spoofing attack on a local network segment. Which TWO network security controls would be most effective in preventing or detecting such an attack at Layer 2?

Select 2 answers
A. Configure DHCP snooping on switches
B. Use IPsec transport mode between hosts
C. Implement Port Security with MAC address binding
D. Deploy a network-based IDS monitoring ARP traffic
E. Enable Dynamic ARP Inspection (DAI) on switches
Answers: C, E

Port Security limits MAC addresses per port, making it harder for an attacker to spoof multiple IPs.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets on trusted ports and drops invalid ones. Port Security with MAC address binding limits the number of MAC addresses per port, reducing the effectiveness of ARP spoofing.

855
Multi-Select · easy

Which TWO of the following are examples of vulnerability sources? (Choose TWO.)

Select 2 answers
A. Environmental disaster
B. CVE entries
C. Intentional human attack
D. Hardware failure
E. Configuration weaknesses
Answers: B, E

CVE entries are standardized identifiers for known vulnerabilities.

Why this answer

CVE entries are a structured, publicly accessible catalog of known vulnerabilities, each assigned a unique identifier (CVE-ID) and description. They serve as a primary source for identifying specific software or hardware weaknesses that can be exploited, making them a definitive vulnerability source for risk identification and monitoring.

Exam trap

ISC2 often tests the distinction between a vulnerability source (e.g., CVE, configuration weakness) and a threat (e.g., attack, disaster), causing candidates to mistakenly select threat events like environmental disasters or human attacks as vulnerability sources.

856
MCQ · hard

In a federated identity environment using SAML, what is the role of the Identity Provider (IdP) when a user requests access to a service provider (SP)?

A. The IdP hosts the application and enforces access control policies
B. The IdP validates the user's OTP token
C. The IdP generates a Kerberos ticket for the user
D. The IdP authenticates the user and issues a SAML assertion to the SP
Answer: D

Correct. The IdP provides authentication and assertion.

Why this answer

The IdP authenticates the user and issues a SAML assertion containing identity attributes and authorization claims. The SP trusts this assertion to grant access without re-authenticating the user.

857
MCQ · medium

A security administrator is reviewing Linux audit logs to detect unauthorized file access. Which Linux component is primarily responsible for generating these security audit logs?

A. systemd-journald
B. SELinux
C. PAM
D. auditd
Answer: D

auditd is the audit daemon that logs security events.

Why this answer

auditd is the userspace component of the Linux Audit system that writes audit records to disk.

858
MCQ · medium

A security team is conducting a qualitative risk assessment for a new cloud application. They want to prioritize risks based on likelihood and impact. Which method should they use to combine these factors?

A. Risk matrix (heat map)
B. SWOT analysis
C. Annualized loss expectancy (ALE)
D. Business Impact Analysis (BIA)
Answer: A

A qualitative risk matrix uses ordinal scales for likelihood and impact to produce risk ratings.

Why this answer

A risk matrix (heat map) is the correct method because it combines qualitative assessments of likelihood and impact into a single visual grid, allowing the team to prioritize risks by their position in the matrix. This approach is standard for qualitative risk assessments where numerical data is unavailable, as it maps ordinal ratings (e.g., low, medium, high) to a color-coded priority level.

Exam trap

The trap here is that candidates often confuse qualitative risk assessment with quantitative methods like ALE, assuming any combination of likelihood and impact requires numerical calculation, but the question explicitly states 'qualitative', which directly points to a risk matrix.

How to eliminate wrong answers

Option B is wrong because SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) is a strategic planning tool used to identify internal and external factors, not a method for combining likelihood and impact to prioritize risks. Option C is wrong because Annualized Loss Expectancy (ALE) is a quantitative metric (SLE × ARO) that requires numerical values for asset value and frequency, making it unsuitable for a purely qualitative assessment. Option D is wrong because Business Impact Analysis (BIA) focuses on identifying critical business functions and recovery priorities, not on combining likelihood and impact for risk prioritization.

859
MCQ · medium

During a change management process, the Change Advisory Board (CAB) has approved a change to update a critical database server. After implementation, a rollback is necessary due to unforeseen performance issues. What should the change manager do next?

A. Execute the rollback plan and schedule a post-implementation review
B. Leave the server in its current state and escalate to the CAB for a decision
C. Patch the server with the latest updates to resolve the performance issue
D. Submit a new change request for the rollback and await CAB approval
Answer: A

Executing the pre-approved rollback plan is the correct immediate action, followed by a post-implementation review to learn from the failure.

Why this answer

Option A is correct because the change was already approved by the CAB, and the rollback plan is a pre-approved contingency within the original change request. Executing the rollback immediately restores service stability, and scheduling a post-implementation review (PIR) captures lessons learned and ensures compliance with the change management policy. This aligns with ITIL best practices, where rollback is part of the implementation plan and does not require a new change request.

Exam trap

The trap here is that candidates mistakenly think any rollback requires a new change request, but the rollback plan is already part of the approved change, so immediate execution is permitted without further CAB approval.

How to eliminate wrong answers

Option B is wrong because leaving the server in a degraded state violates the principle of restoring service as quickly as possible, and escalating to the CAB for a decision introduces unnecessary delay when a pre-approved rollback plan exists. Option C is wrong because patching the server with the latest updates is an unapproved change that bypasses the change management process and could introduce further instability or security issues. Option D is wrong because submitting a new change request for the rollback is redundant and inefficient; the rollback plan was already approved as part of the original change, so immediate execution is authorized without additional CAB approval.

860
Multi-Select · hard

An organization is designing an access control policy for a new system. Which THREE of the following are fundamental principles that should be incorporated? (Choose THREE.)

Select 3 answers
A. Fail-open
B. Least privilege
C. Need-to-know
D. Separation of duties
E. Defense in depth
Answers: B, C, D

Users get minimum necessary permissions.

Why this answer

Least privilege, separation of duties, and need-to-know are core access control principles. Defense in depth is a security strategy, not a principle of access control itself.

861
MCQ · hard

A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?

A. Extend manager on-call hours to cover all times.
B. Implement a break-glass procedure for emergency access.
C. Remove the approval requirement for privileged access.
D. Require analysts to call a manager for approval each time.
Answer: B

Break-glass allows temporary privileged access with post-event review, balancing security and availability.

Why this answer

Option B is correct because a break-glass procedure provides a predefined, auditable method for granting emergency privileged access without requiring real-time manager approval. This balances security with operational continuity, allowing analysts to perform critical changes outside business hours while maintaining accountability through post-event review and logging.

Exam trap

The trap here is that candidates may choose option A (extending on-call hours) thinking it solves the availability issue, but they fail to recognize that it does not address the fundamental need for immediate, unattended access during emergencies, which is the core purpose of a break-glass procedure.

How to eliminate wrong answers

Option A is wrong because extending manager on-call hours does not eliminate the approval bottleneck; it only shifts the coverage window, potentially leading to delays or burnout without a guaranteed response. Option C is wrong because removing the approval requirement for privileged access eliminates necessary oversight, violating the principle of least privilege and increasing the risk of unauthorized changes. Option D is wrong because requiring analysts to call a manager for approval each time outside business hours creates a single point of failure and introduces unacceptable delays for emergency changes, undermining operational resilience.

862
MCQ · easy

A small company uses a single firewall at the network perimeter. The security team receives alerts from an IDS but cannot correlate them with firewall logs because logs are stored on separate servers with different timestamps. The CEO wants to reduce false positives and improve incident response. What should the security team do first?

A. Increase the IDS sensitivity to catch more threats.
B. Replace the IDS with a next-generation firewall.
C. Implement a SIEM to aggregate and correlate logs from multiple sources.
D. Manually align timestamps on each server daily.
Answer: C

A SIEM centralizes logs and normalizes timestamps, enabling correlation and reducing false positives.

Why this answer

A SIEM (Security Information and Event Management) system aggregates logs from multiple sources, normalizes timestamps, and correlates events to reduce false positives and improve incident response. This directly addresses the core problem of disparate log sources with unsynchronized timestamps, enabling effective correlation between IDS alerts and firewall logs without replacing existing infrastructure.

Exam trap

The trap here is that candidates may think a next-generation firewall (NGFW) replaces the need for log correlation, but NGFWs still generate logs that require aggregation and correlation with other sources to reduce false positives and enable effective incident response.

How to eliminate wrong answers

Option A is wrong because increasing IDS sensitivity would generate more alerts, exacerbating the false positive problem and making correlation harder without fixing the timestamp mismatch. Option B is wrong because replacing the IDS with a next-generation firewall (NGFW) does not solve the log correlation issue; NGFWs still generate logs that need to be correlated with other sources, and the underlying timestamp synchronization problem remains. Option D is wrong because manually aligning timestamps daily is impractical, error-prone, and does not scale; it also fails to provide automated correlation or reduce false positives in real time.

863
MCQ · hard

A security analyst discovers that an internal host is sending traffic to an external IP address known to be a command-and-control server. The analyst wants to block only that specific traffic without affecting other traffic. Which firewall rule should be implemented?

A. Deny all traffic from the internal host.
B. Deny all traffic to the external IP.
C. Deny traffic on the specific port used.
D. Deny traffic from the internal host to the external IP.
Answer: D

This provides a targeted block without affecting other traffic.

Why this answer

Option D is correct because it creates a specific deny rule that matches only the source IP of the internal host and the destination IP of the command-and-control server, blocking that exact traffic flow while allowing all other traffic to and from both hosts. This is the most precise and least disruptive approach, adhering to the principle of least privilege in firewall rule design.

Exam trap

The trap here is that candidates often choose a broad deny rule (like denying all traffic to the external IP) because they focus on the malicious destination, forgetting that such a rule would block all traffic to that IP from any source, potentially impacting other hosts or services.

How to eliminate wrong answers

Option A is wrong because denying all traffic from the internal host would block all outbound communications from that host, including legitimate traffic to other destinations, causing unnecessary disruption. Option B is wrong because denying all traffic to the external IP would block all inbound and outbound traffic to that IP from any host, potentially affecting other internal hosts that may need to communicate with that IP for legitimate reasons (though unlikely in this scenario, it is overly broad). Option C is wrong because denying traffic on the specific port used would block all traffic on that port to any destination, not just the command-and-control server, which could disrupt other services using the same port.

864
Multi-Select · medium

Which TWO of the following are key components of the 3-2-1 backup rule? (Select TWO)

Select 2 answers
A. One copy in the cloud
B. Daily full backups
C. All copies on the same media
D. Two different media types
E. Three copies of the data
Answers: D, E

The '2' in 3-2-1: use two different media types (e.g., disk and tape).

Why this answer

The 3-2-1 backup rule requires three copies of the data (one primary and two backups), stored on two different media types (e.g., disk and tape, or local disk and cloud storage), with one copy kept offsite. Option D is correct because using two different media types ensures that a failure or vulnerability affecting one medium (e.g., ransomware encrypting a disk array) does not compromise the other copy. This diversity is a core principle of the rule, reducing the risk of simultaneous data loss.

Exam trap

ISC2 often tests the misconception that the '2' in 3-2-1 refers to two copies of the data rather than two different media types, leading candidates to incorrectly select options like 'All copies on the same media' or to overlook the requirement for media diversity.

865
MCQ · medium

An organization uses a SIEM to alert when a server's configuration changes from its hardened baseline. This is an example of:

A. Deviation detection
B. Patch management
C. Vulnerability scanning
D. Asset management
Answer: A

Correct. Monitoring for changes from baseline is deviation detection.

Why this answer

SIEM alerts on configuration changes from baseline are a form of deviation detection, which is part of configuration management.

866
Multi-Select · medium

Which TWO of the following are key components of a security awareness program?

Select 2 answers
A. User training on password policies
B. Regular phishing simulations
C. Incident response drills
D. Quarterly vulnerability scans
E. Annual penetration testing
Answers: A, B

Training users on strong password creation and management is a core awareness component.

Why this answer

A security awareness program focuses on educating users about security policies and threats. Phishing simulations test user vigilance, and password policy training reinforces good practices. Vulnerability scans and penetration tests are technical controls, not awareness components. Incident response drills involve technical teams, not general user awareness.

867
MCQ · medium

An organization decides to implement CIS Benchmarks on all Windows servers. They choose Level 1 settings. What does Level 1 represent?

A. Maximum security with high operational impact
B. Equivalent to DISA STIGs
C. Only applicable to critical systems
D. Basic security hygiene with minimal impact
Answer: D

Level 1 is intended to be broadly applicable with low disruption.

Why this answer

CIS Benchmarks define Level 1 as a set of configuration settings intended to provide basic security hygiene with minimal impact on business operations. These settings are designed to be easily implemented without causing significant performance degradation or service disruption, making them suitable for most systems. Level 1 focuses on essential security controls that address common vulnerabilities while maintaining system usability.

Exam trap

The trap here is that candidates often confuse Level 1 with 'maximum security' or assume it is only for critical systems, when in fact Level 1 is the baseline recommended for all systems to achieve a practical security posture without disrupting operations.

How to eliminate wrong answers

Option A is wrong because Level 1 is not about maximum security; maximum security with high operational impact is characteristic of Level 2 settings, which may disable features or enforce stricter policies that can affect performance. Option B is wrong because CIS Benchmarks and DISA STIGs are separate frameworks; while they may overlap in some controls, STIGs are typically more restrictive and aligned with U.S. Department of Defense requirements, not equivalent to CIS Level 1. Option C is wrong because Level 1 is explicitly designed for general-purpose systems, not only critical systems; critical systems often require Level 2 or additional custom hardening.

868
MCQ · medium

A security analyst receives an alert that a user account has been locked out multiple times within 10 minutes. The analyst checks the account and finds it is a service account used for automated backups. What is the most likely cause?

A. The service account's certificate has expired.
B. A brute force attack is targeting the service account.
C. The account password has expired and needs to be reset.
D. The service is using cached credentials that are out of sync with the domain controller.
Answer: D

Service accounts often cache credentials; if the password changes or becomes out of sync, repeated lockouts occur.

Why this answer

Service accounts used for automated backups typically run as services that cache their credentials locally. When the password is changed on the domain controller, the cached credentials in the service's logon session become out of sync. The service repeatedly attempts to authenticate with the stale cached password, causing rapid lockout events within a short window.

Exam trap

The trap here is that candidates confuse a service account lockout with a brute force attack, but the pattern of rapid lockouts from the same source with no external IP variation points to cached credential mismatch, not an active attack.

How to eliminate wrong answers

Option A is wrong because certificate expiration would cause authentication failures, but not repeated lockouts; the service would fail to authenticate silently without triggering account lockout policy. Option B is wrong because a brute force attack would show multiple failed attempts from different IPs or sources, not a single service account locking out repeatedly from the same host. Option C is wrong because password expiration prevents the account from logging in at all, but the service would not repeatedly attempt authentication; it would fail once and stop, not generate multiple lockouts.

869
MCQ · medium

An organization uses a PKI with a root CA that issues certificates to intermediate CAs, which then issue end-entity certificates. A client receives an end-entity certificate signed by an intermediate CA. During validation, which certificates are required to build the chain of trust?

A. Only the root CA certificate
B. End-entity certificate, intermediate CA certificate, and root CA certificate
C. Only the end-entity certificate and the root CA certificate
D. Only the end-entity certificate and the intermediate CA certificate
Answer: B

All three are required to validate the chain from end-entity to the trusted root.

Why this answer

In a PKI hierarchy, the chain of trust requires each certificate in the path to be validated up to a trusted root. The client must have the end-entity certificate, the intermediate CA certificate (to verify the end-entity's signature), and the root CA certificate (to verify the intermediate CA's signature). Without the intermediate CA certificate, the client cannot cryptographically link the end-entity to the root, breaking the chain.

Exam trap

The trap here is that candidates often assume the root CA directly signs all certificates, forgetting that intermediate CAs are used in practice, so they incorrectly select Option C or D, missing the need for the full chain.

How to eliminate wrong answers

Option A is wrong because the root CA certificate alone cannot verify the end-entity certificate's signature, which was issued by the intermediate CA, not the root. Option C is wrong because omitting the intermediate CA certificate leaves a gap in the chain; the client cannot validate the intermediate CA's signature on the end-entity certificate. Option D is wrong because without the root CA certificate, the client cannot verify the intermediate CA certificate's signature, so the chain of trust cannot be anchored to a trusted root.

870
Multi-Select · medium

An organization uses Linux servers and wants to implement mandatory access control (MAC) to enhance security. Which TWO technologies can be used? (Select TWO.)

Select 2 answers
A. SELinux
B. iptables
C. AppArmor
D. auditd
E. PAM (Pluggable Authentication Modules)
Answers: A, C

SELinux enforces MAC policies based on labels.

Why this answer

SELinux and AppArmor are Linux security modules that provide MAC. iptables is a firewall, not MAC. PAM is for authentication. auditd is for auditing.

871
MCQ · hard

A Windows workstation is unable to authenticate to a Kerberos-based application. The time on the workstation is 5 minutes ahead of the domain controller. What is the impact?

A. The user would be prompted for credentials but authentication would proceed
B. Authentication will fail because the time difference exceeds the default Kerberos clock skew limit
C. Only NTLM authentication would be affected
D. No impact; Kerberos can tolerate up to 10 minutes of skew
Answer: B

Kerberos allows a maximum skew of 5 minutes by default; a 5-minute difference sits at that limit and is liable to be rejected, succeeding only if it still falls within tolerance.

Why this answer

Kerberos authentication relies on timestamps to prevent replay attacks. The default maximum clock skew allowed between a client and a domain controller is 5 minutes (as defined in RFC 4120). Because the workstation is exactly 5 minutes ahead, it sits at that threshold, and any additional delay or network latency pushes the timestamp past the limit, so authentication fails. Therefore, the user will be unable to authenticate.

Exam trap

The trap here is that candidates often assume the default clock skew is 10 minutes (as in some older implementations) or that a 5-minute difference is acceptable, but the SSCP exam expects you to know the exact default value of 5 minutes and that reaching that limit causes authentication to fail.

How to eliminate wrong answers

Option A is wrong because Kerberos does not prompt for credentials and proceed when the clock skew exceeds the limit; it returns a KRB_AP_ERR_SKEW error and authentication fails. Option C is wrong because the question specifies a Kerberos-based application, and NTLM is a separate protocol that is not directly affected by Kerberos clock skew; the impact is on Kerberos, not NTLM. Option D is wrong because the default Kerberos clock skew limit is 5 minutes, not 10 minutes; a skew of exactly 5 minutes is at the boundary and typically causes failure, especially with real-world network delays.

872
MCQ · medium

During a forensic investigation, an examiner creates a bit-for-bit copy of a hard drive using a write blocker. What is the purpose of using a write blocker?

A. To prevent modification of the original evidence
B. To encrypt the data during transfer
C. To speed up the imaging process
D. To verify the hash of the original drive
Answer: A

Write blockers ensure that the original drive remains unchanged.

Why this answer

A write blocker is a hardware or software device that intercepts and blocks any write commands from the forensic workstation to the source drive, ensuring that the original evidence remains unaltered during acquisition. This is critical for maintaining the integrity and admissibility of digital evidence in legal proceedings, as any modification could compromise the chain of custody and forensic soundness.

Exam trap

ISC2 often tests the misconception that write blockers are used for encryption or speed optimization, but the core purpose is strictly write prevention to preserve evidence integrity.

How to eliminate wrong answers

Option B is wrong because write blockers do not encrypt data; encryption is a separate process typically handled by forensic tools or software after acquisition, and a write blocker's sole function is to prevent writes. Option C is wrong because write blockers do not speed up imaging; in fact, they may introduce a slight overhead due to command filtering, and imaging speed is primarily determined by the drive interface and the imaging tool. Option D is wrong because verifying the hash of the original drive is a post-imaging step performed by the examiner using hashing algorithms like SHA-256 or MD5, not a function of the write blocker itself.
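The acquire-then-verify workflow described above, as an added example that is not part of the question bank or any forensic tool's own code. The "device" is a constructed file so the script runs offline; the write blocker itself is hardware and is only simulated here by opening the source read-only. Hashing the source before and after the copy, and the image after it, is what an examiner records to show the acquisition altered nothing.

```python
"""Added example (not from the question bank): a minimal forensic-style
acquisition with SHA-256 verification. The evidence 'device' is a
constructed file; a real acquisition uses a hardware write blocker and an
imaging tool, which this script does not replace."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read granularity for the bit-for-bit copy


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Bit-for-bit copy of `source` into `image`. The source is hashed
    before and after the copy and the image is hashed once; three matching
    digests are the evidence that nothing was altered or corrupted."""
    pre = sha256_of(source)
    # Source opened read-only. In the field the write blocker enforces this
    # at the bus level no matter what the OS or tooling attempts.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
    post = sha256_of(source)
    img = sha256_of(image)
    return {"source_pre": pre, "source_post": post, "image": img,
            "verified": pre == post == img}


def verify_later(image: str, recorded_hash: str) -> bool:
    """Re-hash a stored image against the digest recorded at acquisition."""
    return sha256_of(image) == recorded_hash


def demo() -> dict:
    """Acquire a constructed 'device', then flip one byte of the image to
    show that re-verification against the recorded hash catches it."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "evidence.dd")
    image = os.path.join(workdir, "evidence.raw")
    # Constructed sample content: a fake boot-sector signature plus filler.
    with open(device, "wb") as f:
        f.write(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * (3 * BLOCK_SIZE) + b"flag.txt")
    result = acquire(device, image)
    recorded = result["image"]
    intact = verify_later(image, recorded)
    # Simulate an unblocked write to the image copy: one byte changes.
    with open(image, "r+b") as f:
        f.seek(BLOCK_SIZE + 1)
        f.write(b"\xff")
    tampered = verify_later(image, recorded)
    return {"acquisition_verified": result["verified"],
            "intact_before_tamper": intact,
            "intact_after_tamper": tampered}
```

Recording `source_pre`, `source_post` and `image` in the chain-of-custody form is the point: the write blocker prevents the change, and the matching hashes prove it did.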

873
MCQmedium

A system administrator receives a report that a critical server is running low on disk space. After investigation, it is determined that the log files are not being rotated properly. Which of the following is the BEST solution to prevent this issue in the future?

A.Configure log rotation based on size and age.
B.Increase the maximum log file size.
C.Redirect logs to a different partition.
D.Enable compression on the log folder.
AnswerA

Log rotation automatically archives and deletes old logs.

Why this answer

Option A is correct because rotation bounds both how large the active log can grow (size) and how long archives are retained (age), so disk usage stays predictable. Option B only raises the ceiling; the log still grows without bound. Option C moves the growth to another partition, which delays but does not prevent exhaustion. Option D slows the growth but does not cap it; compressed logs that are never pruned still fill the disk eventually.
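The size-and-age policy in Option A, as an added example that is not from the question bank: a small Python rotation routine expressing the same rule that logrotate's `size`, `maxage` and `rotate` directives express. The paths, sizes and fixed timestamp are constructed for the demo.

```python
"""Added example, not from the question bank: rotate a log when it exceeds
a size limit and expire archives older than an age limit. Paths and the
fixed 'now' epoch are constructed so the demo is deterministic."""
import os
import tempfile
import time


def rotate_if_needed(log_path: str, max_bytes: int, keep_days: int, now: float) -> list:
    """Rotate `log_path` when it exceeds `max_bytes`, then delete rotated
    archives older than `keep_days`. Returns the actions taken."""
    actions = []
    if os.path.exists(log_path) and os.path.getsize(log_path) > max_bytes:
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
        archive = f"{log_path}.{stamp}"
        os.replace(log_path, archive)      # atomic rename keeps the history
        open(log_path, "wb").close()       # fresh, empty active log
        os.utime(archive, (now, now))      # archive age counts from rotation
        actions.append(("rotated", archive))
    # Age limit: without this step archives accumulate forever, which is
    # exactly the disk-exhaustion the question describes.
    cutoff = now - keep_days * 86400
    directory, name = os.path.split(log_path)
    for entry in os.listdir(directory):
        full = os.path.join(directory, entry)
        if entry.startswith(name + ".") and os.path.getmtime(full) < cutoff:
            os.remove(full)
            actions.append(("expired", full))
    return actions


def demo() -> dict:
    """Constructed state: an oversized active log and one 40-day-old archive."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "app.log")
    now = 1_700_000_000  # fixed epoch (2023-11-14 UTC) for a deterministic run
    with open(log, "wb") as f:
        f.write(b"x" * 2048)
    stale = log + ".20230101000000"
    open(stale, "wb").close()
    os.utime(stale, (now - 40 * 86400, now - 40 * 86400))
    actions = rotate_if_needed(log, max_bytes=1024, keep_days=30, now=now)
    return {"actions": actions,
            "active_size": os.path.getsize(log),
            "archives": sorted(e for e in os.listdir(workdir) if e != "app.log")}
```

The two limits are independent on purpose: the size check alone (Option B's mindset) leaves old archives in place, and an age check alone lets a chatty service fill the disk before anything is old enough to expire.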

874
MCQmedium

A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?

A.User and entity behavior analytics (UEBA)
B.Manual log review
C.Vulnerability scanning
D.Threat intelligence feeds
AnswerA

UEBA detects deviations from a user's established normal behavior, such as a login from an unusual location.

Why this answer

UEBA is the correct answer because it uses machine learning and statistical models to establish a baseline of normal user behavior (e.g., typical login times, geolocations, and access patterns). When the employee's credentials are used from a foreign IP address while the employee is physically in the office, UEBA detects this as an anomalous deviation from the baseline, triggering an alert. This technique is specifically designed for real-time anomaly detection in user and entity activities, making it the most direct method for identifying this type of credential misuse.

Exam trap

The trap here is that candidates may confuse threat intelligence feeds (Option D) with anomaly detection, assuming that an unrecognized foreign IP would be flagged by a threat feed, but UEBA is the only technique that directly detects behavioral anomalies without relying on known-bad indicators.

How to eliminate wrong answers

Option B (Manual log review) is wrong because it is a reactive, labor-intensive process that relies on human analysts to sift through logs after an incident, making it inefficient for real-time anomaly detection; it would not directly detect the anomaly without prior suspicion or automated correlation. Option C (Vulnerability scanning) is wrong because it focuses on identifying known security weaknesses in systems (e.g., unpatched software, misconfigurations) rather than monitoring user behavior or detecting anomalous access patterns. Option D (Threat intelligence feeds) is wrong because they provide information about known malicious IPs, domains, or indicators of compromise (IOCs) from external sources, but they do not establish a baseline of normal user behavior; an unrecognized IP from a foreign country may not be in any threat feed, so the anomaly would be missed without behavioral analysis.
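The baseline-then-deviation logic described above, as an added example that is not part of the question bank or of any UEBA product. It builds a per-user set of login regions from a training window, then flags a live login from a region outside that set; a physical badge-in for the same user shortly before the remote login (the scenario in the question) raises the severity. The log lines, user names, IP ranges and the IP-to-region table are all constructed for this example.

```python
"""Added example, not from the question bank: a toy behavioral baseline in
the spirit of UEBA. Log lines, users, IP ranges and the IP-to-region table
are constructed; a real deployment uses a GeoIP database and far richer
features (time of day, device, volume, peer group)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed GeoIP table keyed by address prefix.
GEOIP = {"10.20.0.": "office-LAN", "198.51.100.": "US-remote", "203.0.113.": "XX-foreign"}

# Constructed training window: ordinary activity used to build the baseline.
TRAINING_LOG = """\
2024-05-01T08:30:00 db_login alice 10.20.0.15
2024-05-01T09:05:00 db_login bob 10.20.0.22
2024-05-02T19:40:00 db_login alice 198.51.100.8
2024-05-03T08:41:00 db_login bob 10.20.0.22
2024-05-04T08:29:00 db_login alice 10.20.0.15
"""

# Constructed detection window: bob badges in, then his credentials are used abroad.
LIVE_LOG = """\
2024-05-06T08:55:00 badge_in bob front-door
2024-05-06T08:58:00 badge_in alice front-door
2024-05-06T09:10:00 db_login bob 203.0.113.7
2024-05-06T09:12:00 db_login alice 10.20.0.15
2024-05-06T13:02:00 db_login carol 198.51.100.9
"""


def region_of(ip: str) -> str:
    for prefix, region in GEOIP.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, kind, user, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "detail": detail})
    return events


def build_baseline(events: list) -> dict:
    """Per-user set of regions seen during the training window."""
    baseline = defaultdict(set)
    for e in events:
        if e["kind"] == "db_login":
            baseline[e["user"]].add(region_of(e["detail"]))
    return baseline


def detect(events: list, baseline: dict, window: timedelta = timedelta(hours=2)) -> list:
    """Flag logins from a region outside the user's baseline. A badge-in
    within `window` makes the remote login physically implausible and
    raises the severity. A user with no baseline (carol) is flagged at
    medium: new is not the same as impossible."""
    badge_times = defaultdict(list)
    for e in events:
        if e["kind"] == "badge_in":
            badge_times[e["user"]].append(e["ts"])
    alerts = []
    for e in events:
        if e["kind"] != "db_login":
            continue
        region = region_of(e["detail"])
        if region in baseline.get(e["user"], set()):
            continue  # within this user's normal pattern
        in_office = any(abs(e["ts"] - t) <= window for t in badge_times[e["user"]])
        alerts.append({"user": e["user"], "ip": e["detail"], "region": region,
                       "severity": "high" if in_office else "medium"})
    return alerts


def demo() -> list:
    baseline = build_baseline(parse(TRAINING_LOG))
    return detect(parse(LIVE_LOG), baseline)
```

Note what makes this detection possible and what a threat feed (Option D) cannot do: 203.0.113.7 is on no block list here; it is flagged only because it is outside bob's own history, and the badge record is what turns "unusual" into "credential misuse".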

875
MCQeasy

During a qualitative risk analysis, an organization rates the likelihood of a flood as 'Low' and the impact as 'High'. Using a standard 3x3 risk matrix, what is the overall risk rating?

A.High
B.Critical
C.Medium
D.Low
AnswerC

Low likelihood and High impact map to Medium risk in most qualitative matrices.

Why this answer

In a standard 3x3 risk matrix, the overall risk rating is derived by combining the likelihood and impact ratings. With likelihood rated as 'Low' and impact as 'High', the intersection in the matrix typically yields a 'Medium' risk rating. This is because the matrix is designed to balance low probability events with high consequences, resulting in a moderate overall risk level.

Exam trap

The trap here is that candidates may incorrectly assume that a 'High' impact automatically results in a 'High' overall risk, ignoring the moderating effect of a 'Low' likelihood in a standard 3x3 matrix.

How to eliminate wrong answers

Option A is wrong because 'High' requires both likelihood and impact to be 'High', or in some matrices one 'High' and the other 'Medium'; here likelihood is 'Low'. Option B is wrong because 'Critical' is not a rating in a standard 3x3 risk matrix, which uses only Low, Medium, and High. Option D is wrong because 'Low' requires both ratings to be 'Low' (or, in some matrices, 'Low' likelihood with 'Medium' impact); a 'High' impact elevates the risk above 'Low'.

876
MCQmedium

An analyst detects suspicious outbound traffic from a server to a known command-and-control IP address. According to NIST SP 800-61, which phase of the incident response lifecycle does this activity fall under?

A.Post-Incident Activity
B.Preparation
C.Containment, Eradication, and Recovery
D.Detection and Analysis
AnswerD

This is the phase where incidents are identified and analyzed.

Why this answer

The detection of suspicious outbound traffic to a known command-and-control IP address is a clear indicator of a potential security incident. According to NIST SP 800-61, this activity falls under the 'Detection and Analysis' phase, which involves identifying and validating that an incident has occurred through monitoring, alerting, and analysis of security events.

Exam trap

ISC2 often tests the distinction between 'Detection and Analysis' and 'Containment, Eradication, and Recovery' by presenting a detection event and expecting candidates to recognize that containment actions are separate and occur later in the lifecycle.

How to eliminate wrong answers

Option A is wrong because 'Post-Incident Activity' occurs after the incident has been contained and eradicated, focusing on lessons learned and reporting, not on initial detection. Option B is wrong because 'Preparation' involves establishing policies, tools, and training before an incident occurs, not detecting active malicious traffic. Option C is wrong because 'Containment, Eradication, and Recovery' are actions taken after detection to stop the spread, remove the threat, and restore systems, not the initial identification of suspicious traffic.

877
MCQhard

A company's IDS generated an alert for a suspicious outbound connection to a known C2 server. The incident team discovers the host has been communicating for 2 weeks. Which containment strategy is most appropriate?

A.Perform memory forensics before disconnecting
B.Block the C2 IP at the perimeter
C.Shut down the host
D.Disconnect the host from the network immediately
AnswerA

Memory capture preserves evidence of running processes and network connections.

Why this answer

Performing memory forensics before disconnecting (A) is the most appropriate containment strategy because the host has been compromised for two weeks, meaning the attacker may have deployed rootkits, injected malicious code into system processes, or established persistence mechanisms that reside only in volatile memory. Disconnecting or shutting down the host immediately would destroy this volatile evidence, hindering the incident response team's ability to identify the full scope of the compromise, including the specific malware variant, C2 communication methods, and any lateral movement artifacts. Memory forensics allows the team to capture running processes, network connections, and loaded kernel modules, which are critical for understanding the attacker's tactics and preventing future incidents.

Exam trap

The trap here is that candidates often choose immediate disconnection (D) or IP blocking (B) as a quick containment action, failing to recognize that preserving volatile evidence is a higher priority in a long-term compromise to ensure a complete forensic analysis and effective remediation.

How to eliminate wrong answers

Option B is wrong because simply blocking the C2 IP at the perimeter is a reactive network-level control that does not address the already compromised host; the attacker may have multiple fallback C2 domains or IPs, and the host could still be used for lateral movement or data exfiltration via other channels. Option C is wrong because shutting down the host destroys volatile memory evidence and may trigger anti-forensic mechanisms that wipe logs or encrypt data, while also potentially alerting the attacker that their presence is known. Option D is wrong because disconnecting the host immediately without first performing memory forensics loses critical volatile data such as active network connections, encryption keys in memory, and running malicious processes, which are essential for a thorough investigation and attribution.

878
MCQeasy

Which metric is used to measure the potential loss from a single occurrence of a risk?

A.Exposure Factor (EF)
B.Annualized Loss Expectancy (ALE)
C.Annualized Rate of Occurrence (ARO)
D.Single Loss Expectancy (SLE)
AnswerD

SLE is the monetary loss from a single occurrence.

Why this answer

The Single Loss Expectancy (SLE) is the metric used to measure the potential loss from a single occurrence of a risk. It is calculated as Asset Value (AV) multiplied by the Exposure Factor (EF), providing a dollar value for one incident. This directly answers the question of loss per single event.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who confuse a single-event loss with an annualized figure, especially when the question explicitly asks for 'single occurrence' but the answer options include ALE as a distractor.

How to eliminate wrong answers

Option A is wrong because Exposure Factor (EF) is a percentage representing the proportion of asset value lost per incident, not a direct monetary loss measure. Option B is wrong because Annualized Loss Expectancy (ALE) measures the expected loss per year, calculated as SLE × ARO, not per single occurrence. Option C is wrong because Annualized Rate of Occurrence (ARO) is a frequency metric (events per year), not a loss measurement.

879
MCQhard

A security administrator is prioritizing patches for a vulnerability with a CVSS score of 9.8 that is being actively exploited in the wild. The affected server has a low criticality classification. What should the administrator do?

A.Apply the patch immediately without change management
B.Ignore the patch because the server is low criticality
C.Wait for the next scheduled patch cycle
D.Prioritize patching via the change management process
AnswerD

Correct. The high severity and exploitation warrant prioritization even for low criticality assets.

Why this answer

Even though the asset criticality is low, the high CVSS score and active exploitation increase the risk. The patch should be prioritized and deployed through the change management process.

880
Multi-Selecteasy

Which TWO metrics are commonly tracked to measure the effectiveness of the incident response process? (Select TWO)

Select 2 answers
A.MTTD (Mean Time to Detect)
B.SLA (Service Level Agreement) compliance percentage
C.MTBF (Mean Time Between Failures)
D.MTTR (Mean Time to Respond)
E.Number of firewall rules
AnswersA, D

Correct. Measures detection speed.

Why this answer

MTTD (Mean Time to Detect) measures the average time from when an incident occurs until it is detected, directly reflecting the speed of detection capabilities. MTTR (Mean Time to Respond) measures the average time from detection to containment or remediation, indicating the efficiency of the response process. Both are key performance indicators (KPIs) for incident response effectiveness as defined in NIST SP 800-61 and industry frameworks.

Exam trap

ISC2 often tests the distinction between operational metrics (MTTD, MTTR) and reliability metrics (MTBF) or configuration counts; candidates mistakenly select MTBF or the number of firewall rules because they sound technical, but neither measures incident response effectiveness.

881
Multi-Selectmedium

During the preparation phase of incident response, which TWO components are essential for an effective incident response plan? (Select TWO)

Select 2 answers
A.A list of approved vendors for hardware replacement
B.A list of all employee passwords
C.A communication plan with contact information for key stakeholders
D.Network topology diagrams
E.Detailed recovery procedures for each critical system
AnswersC, E

Essential for alerting and escalating incidents.

Why this answer

Option C is correct because a communication plan with contact information for key stakeholders ensures that the right people can be reached quickly during an incident, which is critical for coordination and decision-making. Option E is correct because detailed recovery procedures for each critical system provide step-by-step instructions to restore operations, minimizing downtime and ensuring consistency in response efforts.

Exam trap

The trap here is that candidates may confuse operational logistics (like vendor lists or network diagrams) with the core structural components of an incident response plan, which must prioritize communication and recovery to enable a coordinated and effective response.

882
Multi-Selecthard

Which THREE are appropriate controls to prevent unauthorized access to a data center? (Choose three.)

Select 3 answers
A.Biometric scanner
B.Firewall
C.Mantrap
D.Security guards
E.Encryption
AnswersA, C, D

Biometric scanner authenticates individuals for physical access.

Why this answer

A biometric scanner is a physical access control that authenticates individuals based on unique physiological characteristics (e.g., fingerprints, iris patterns) and verifies identity at the data center entrance. A mantrap (two interlocking doors that admit one person at a time) prevents tailgating behind an authorized person, and security guards provide human verification of identity and an immediate response to attempted entry. All three control who physically enters the room, whereas a firewall and encryption protect network traffic and data, not the facility.

Exam trap

ISC2 often tests the distinction between physical access controls (e.g., biometrics, mantrap, guards) and logical/technical controls (e.g., firewall, encryption), leading candidates to mistakenly select network or data protection mechanisms for a physical security question.

883
MCQeasy

During the preparation phase of the incident response lifecycle, which of the following is the MOST important component to establish?

A.Communication plan
B.Incident response plan
C.Incident response team
D.Forensic analysis tools
AnswerB

A plan provides the framework for the entire incident response process.

Why this answer

The incident response plan is the foundational document that outlines the entire process, including roles, procedures, and escalation paths. Without a formal, approved plan, other components like the communication plan, team, or tools lack the necessary structure and authority to function effectively during an incident.

Exam trap

ISC2 often tests the misconception that the incident response team is the most important component, but without a formal plan, the team lacks defined roles, authority, and procedures to act effectively.

How to eliminate wrong answers

Option A is wrong because a communication plan is a subset of the incident response plan; it cannot be established effectively without the overarching plan defining who communicates what and when. Option C is wrong because the incident response team is a resource that is assembled and trained based on the plan's requirements, not the primary component to establish first. Option D is wrong because forensic analysis tools are tactical resources selected after the plan defines the investigation procedures and legal requirements, not the most important preparatory component.

884
MCQhard

An incident responder is handling a malware outbreak. The malware has been identified as a fileless threat that persists via registry run keys. Which eradication step is most appropriate?

A.Disable the affected user accounts.
B.Reimage all affected systems.
C.Remove the malicious registry entries and restart the systems.
D.Run an antivirus scan on the systems.
AnswerC

Correct. Removing persistence mechanisms is key to eradication.

Why this answer

Option C is correct because fileless malware that persists via registry run keys can be eradicated by removing the malicious registry entries and restarting the systems. This breaks the persistence mechanism without requiring full reimaging, as the malware does not write an executable to disk and relies on registry-based auto-start locations (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run, or the HKLM counterpart for all users) to execute after reboot. The restart is part of the step: it clears the in-memory instance that the run key launched.

Exam trap

The trap here is that candidates often choose reimaging (Option B) as a 'safe' default, failing to recognize that fileless malware with only registry persistence can be fully remediated by removing the registry entry and rebooting, without the operational cost of reimaging.

How to eliminate wrong answers

Option A is wrong because disabling affected user accounts does not remove the registry run key entries; the malware would still execute under other user contexts or system accounts, and it does not address the persistence mechanism. Option B is wrong because reimaging all affected systems is an overly aggressive and unnecessary step for fileless malware that only persists via registry keys; it wastes resources and downtime when a targeted registry cleanup and reboot suffices. Option D is wrong because running an antivirus scan is unlikely to remediate fileless malware that has no executable on disk to detect; signature-based AV scans often miss registry-resident threats, and the scan does not remove the registry persistence entry.

885
MCQmedium

A web application processes user-supplied data in SQL queries. Which practice best prevents SQL injection?

A.Parameterized queries
B.Escaping all user input
C.Using stored procedures exclusively
D.Input length validation
AnswerA

Parameterized queries ensure user input is treated as data, not code.

Why this answer

Parameterized queries (also known as prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:name` in PDO). The database engine treats the user input strictly as data, never as executable SQL code, which inherently prevents SQL injection regardless of the input content.

Exam trap

ISC2 often tests the misconception that stored procedures are inherently safe, but the trap is that they only prevent injection if they avoid dynamic SQL construction within the procedure body.

How to eliminate wrong answers

Option B is wrong because escaping all user input is error-prone and context-dependent; for example, escaping for MySQL with `mysql_real_escape_string()` can still be bypassed if the character set is mismatched (e.g., GBK encoding leading to multibyte injection). Option C is wrong because stored procedures alone do not prevent SQL injection if dynamic SQL is constructed within the procedure using concatenated user input (e.g., `EXEC('SELECT * FROM Users WHERE id = ' + @input)`). Option D is wrong because input length validation only restricts the size of input, not its malicious content; a short SQL injection payload like `' OR 1=1 --` can easily pass length checks.
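The contrast the explanation draws, as an added example that is not part of the question bank: the same lookup written with string concatenation (the vulnerable form) and with a parameterized query (the safe form), run against an in-memory SQLite database. The table, rows, payload and length limit are constructed for this demonstration. The payload is the one quoted above, and it is short enough to pass the kind of length check Option D relies on.

```python
"""Added example, not from the question bank: vulnerable vs. parameterized
user lookup against an in-memory SQLite database. Table, rows, payload and
the length limit are constructed for the demo."""
import sqlite3

MAX_USERNAME_LEN = 32  # the kind of length check Option D relies on


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenates input into the statement, so the input is parsed as SQL.
    Deliberately vulnerable: this is the 'before' form."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized: the statement is parsed first and the value is bound
    afterwards, so the input can only ever be compared as a string."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology; the trailing comment swallows the closing quote.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    conn = setup()
    return {
        "passes_length_check": len(PAYLOAD) <= MAX_USERNAME_LEN,
        "vulnerable_rows": find_user_vulnerable(conn, PAYLOAD),  # every user
        "safe_rows": find_user_safe(conn, PAYLOAD),              # no such user
        "safe_legit": find_user_safe(conn, "alice"),
    }
```

The vulnerable call executes `... WHERE username = '' OR 1=1 --'` and returns both rows; the parameterized call looks for a user literally named `' OR 1=1 --` and returns nothing, while a legitimate lookup still works. The placeholder syntax differs by driver (`?` here and in MySQLi, `:name` in PDO, `%s` in psycopg), but the separation of code from data is the same.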

886
MCQmedium

An IT administrator needs to deprovision a user who has been terminated. Which of the following actions should be performed first to ensure security?

A.Remove the user from all groups
B.Delete the user account
C.Disable the user account
D.Change the user's password
AnswerC

Disabling immediately revokes access while retaining the account for investigation.

Why this answer

Immediately disabling the account prevents any further access. Evidence preservation can be done afterward, and deletion should be delayed until necessary.

887
MCQmedium

A security team is conducting a penetration test. In which phase would they attempt to exploit vulnerabilities found during scanning?

A.Maintaining access.
B.Scanning.
C.Reconnaissance.
D.Gaining access.
AnswerD

This phase uses exploits to achieve initial access based on scan results.

Why this answer

The gaining access phase is where the penetration tester actively exploits vulnerabilities discovered during scanning to obtain unauthorized entry into the system. This phase involves using tools like Metasploit or custom exploits to leverage specific weaknesses, such as unpatched software or misconfigured services, to achieve initial foothold. It directly follows the scanning phase and precedes maintaining access, making D the correct choice.

Exam trap

The trap here is confusing the scanning phase with the gaining access phase, as candidates often think vulnerability scanning includes exploitation, but scanning only identifies potential weaknesses without actively compromising the system.

How to eliminate wrong answers

Option A is wrong because maintaining access occurs after gaining access, focusing on persistence mechanisms like backdoors or rootkits, not the initial exploitation of vulnerabilities. Option B is wrong because scanning is the phase where vulnerabilities are identified through port scans (e.g., Nmap) and service enumeration, but exploitation is not performed here. Option C is wrong because reconnaissance is the initial information-gathering phase (e.g., OSINT, DNS lookups) that precedes scanning and does not involve active exploitation of vulnerabilities.

888
MCQhard

During a security audit, it is discovered that network devices are using Telnet for management. Which of the following is the most secure replacement to ensure encrypted remote access?

A.SNMPv3 with authentication and encryption
B.SSH with public key authentication
C.HTTPS with self-signed certificate
D.SSH with password authentication
AnswerB

SSH encrypts the session, and public key authentication replaces a guessable password with a private key that never leaves the client.

Why this answer

SSH (Secure Shell) provides encrypted remote access and authentication, replacing the cleartext Telnet protocol. With public key authentication the client proves possession of a private key that is never transmitted, so there is no password to guess, reuse, or capture in transit, which makes it the most secure of the options listed for managing network devices.

Exam trap

The trap here is that candidates often confuse SNMPv3's encryption capabilities with remote shell access, or they assume that any encrypted protocol (like HTTPS) is a direct replacement for Telnet, ignoring that SSH is the standard for secure command-line management.

How to eliminate wrong answers

Option A is wrong because SNMPv3 is designed for network management monitoring and trap notifications, not for interactive remote shell access or device configuration. Option C is wrong because HTTPS with a self-signed certificate encrypts the session but does not provide a trusted identity verification and is typically used for web-based management interfaces, not for command-line remote access. Option D is wrong because SSH with password authentication still relies on a shared secret that can be guessed, intercepted via keylogging, or compromised in transit if weak ciphers are used, whereas public key authentication eliminates password transmission.

889
MCQmedium

A company uses an identity management system that requires users to authenticate using a smart card and a PIN. This is an example of:

A.Single sign-on (SSO)
B.Biometric authentication
C.Two-factor authentication
D.Multi-factor authentication
AnswerC

Smart card (possession) and PIN (knowledge) constitute two-factor authentication.

Why this answer

Two-factor authentication (2FA) requires two distinct factors from different categories: something you have (the smart card) and something you know (the PIN). This combination provides stronger assurance than a single factor because an attacker would need both physical possession of the card and knowledge of the PIN to authenticate.

Exam trap

The trap here is that candidates often confuse multi-factor authentication (MFA) with two-factor authentication (2FA), but the SSCP exam expects you to recognize that when exactly two distinct factors are used, 'two-factor authentication' is the precise and correct term, not the broader 'multi-factor authentication'.

How to eliminate wrong answers

Option A is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials; it does not inherently involve multiple authentication factors. Option B is wrong because biometric authentication relies on something you are (e.g., fingerprint, iris scan), not a smart card and PIN combination. Option D is wrong because multi-factor authentication (MFA) requires two or more factors, but the question specifically describes exactly two factors (smart card and PIN), making two-factor authentication the more precise term; MFA is a broader category that includes 2FA, but 2FA is the correct specific answer here.

890
MCQeasy

A small medical office has 10 employees who use laptops to access electronic health records (EHR) via a web application hosted at a colocation facility. The office currently uses a consumer-grade wireless router with WPA2-PSK for internet access. The EHR vendor requires all connections to be encrypted with TLS 1.2 and recommends using a VPN for remote access. The office manager wants to ensure secure connections from the office to the EHR system, while keeping costs low. The network consultant proposes several options. Which option best balances security and cost?

A.Upgrade the wireless router to one that supports WPA3-Enterprise.
B.Install a dedicated SSL VPN appliance at the office for clientless access.
C.Configure an IPsec site-to-site VPN between the office router and the colocation firewall.
D.Use only HTTPS with TLS 1.2 and disable HTTP access on the EHR server.
AnswerC

A site-to-site IPsec VPN encrypts all office-to-colocation traffic across the internet and is cost-effective when the existing router and firewall support it.

Why this answer

Option C is correct because an IPsec site-to-site VPN creates an encrypted tunnel between the office router and the colocation firewall, securing all EHR traffic without requiring per-user software or high ongoing costs. This directly satisfies the EHR vendor's VPN recommendation while using existing infrastructure (the office router and colocation firewall) and avoiding the expense of a dedicated appliance or complex client management.

Exam trap

The trap here is that candidates often focus on securing the wireless link (WPA3) or the application layer (HTTPS), forgetting that the EHR vendor explicitly requires a VPN to protect data across the untrusted internet path, not just at the endpoints.

How to eliminate wrong answers

Option A is wrong because upgrading to WPA3-Enterprise only secures the wireless link within the office, not the traffic between the office and the colocation facility; the EHR vendor requires protection for the entire path, and WPA3 does not address internet transit. Option B is wrong because installing a dedicated SSL VPN appliance at the office adds significant hardware and licensing costs, which contradicts the office manager's goal of keeping costs low; clientless access is also unnecessary since employees use laptops that can run a VPN client. Option D is wrong because HTTPS with TLS 1.2 protects only the web session to the EHR server; it does not satisfy the vendor's VPN recommendation, and any other office-to-colocation traffic remains unprotected at the network layer.

891
MCQhard

A mid-sized company has deployed a web application that handles sensitive customer data. The application uses TLS to encrypt data in transit. Recently, the company received a penetration test report indicating that an attacker could potentially downgrade the TLS connection to an older, weaker version (e.g., TLS 1.0) by performing a man-in-the-middle attack. The application server runs on Windows Server 2022 with IIS 10. The security team wants to disable all versions of TLS below 1.2 on the server. However, after making registry changes to disable TLS 1.0 and 1.1, some legacy clients that only support TLS 1.0 are unable to connect. The business requires that these legacy clients still be able to access the application securely, but the security team insists on disabling weak protocols. The server currently has a valid certificate from a public CA. Which of the following is the most appropriate course of action?

A.Switch the application to use a VPN instead of TLS for legacy client access.
B.Upgrade all legacy clients to support TLS 1.2 or later immediately.
C.Deploy a TLS-terminating reverse proxy that supports both strong and legacy TLS, placing it in front of the web server.
D.Re-enable TLS 1.0 and 1.1 on the server, as the business requirement outweighs security concerns.
AnswerC

The proxy can negotiate strong TLS with the server and weaker TLS with legacy clients, isolating the server from weak protocols.

Why this answer

Option C is correct because deploying a TLS-terminating reverse proxy allows the server to enforce TLS 1.2+ on the backend while the proxy handles legacy TLS 1.0 connections from older clients. This satisfies both the security requirement to disable weak protocols on the origin server and the business need to support legacy clients, without exposing the server to downgrade attacks. The proxy can be configured with separate TLS policies per listener, ensuring that only the proxy accepts weaker TLS versions while the IIS server remains locked down.

Exam trap

The trap here is that candidates may think re-enabling weak protocols (Option D) is the only way to support legacy clients, or that upgrading clients (Option B) is always feasible, but the exam expects you to recognize that a reverse proxy provides a secure, practical compromise without weakening the server's security posture.

How to eliminate wrong answers

Option A is wrong because switching to a VPN does not address the TLS downgrade vulnerability; it adds complexity and does not solve the legacy client compatibility issue at the application layer. Option B is wrong because upgrading all legacy clients immediately is often impractical or impossible due to business constraints, and the question explicitly states that the business requires these clients to still access the application. Option D is wrong because re-enabling TLS 1.0 and 1.1 on the server directly contradicts the security team's goal of disabling weak protocols and leaves the server vulnerable to downgrade attacks, which is not a balanced approach.

892
MCQhard

During a code review, a developer identifies that a web application directly concatenates user input into SQL queries without sanitization. This vulnerability is classified under which OWASP Top 10 category?

A.Cross-Site Scripting (XSS)
B.Security Misconfiguration
C.Broken Access Control
D.Injection
AnswerD

SQL injection is a type of injection attack, which is the correct OWASP category.

Why this answer

SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query. It is the classic injection flaw, and Injection has been a top category in every edition of the OWASP Top 10 (A1 in the 2017 list, A03 in the 2021 list).

893
Multi-Selecteasy

Which TWO of the following are examples of multifactor authentication? (Choose two.)

Select 2 answers
A.Smart card and PIN
B.SMS code and password
C.Password and security question
D.Voice recognition and iris scan
E.Fingerprint and smart card
AnswersA, E

Smart card (something you have) and PIN (something you know) are two different factors.

Why this answer

Multifactor authentication (MFA) requires at least two distinct factors from different categories: something you know, something you have, and something you are. A smart card is 'something you have,' and a PIN is 'something you know,' so combining them satisfies MFA requirements. This is a classic example used in access control systems like Common Access Cards (CAC) or Personal Identity Verification (PIV) cards.

Exam trap

The trap here is that candidates often confuse 'something you have' (like a smart card) with 'something you know' (like a PIN), incorrectly count two instances of the same factor (e.g., password and security question) as MFA, or mistakenly treat an SMS code as a possession factor when it is actually a knowledge-based OTP delivered via a possession channel.

894
MCQmedium

During a security awareness training session, an employee reports receiving an email that appears to be from the CEO requesting an urgent wire transfer. The email has a suspicious domain and poor grammar. Which type of attack is this an example of?

A.Smishing
B.Phishing
C.Spear phishing
D.Whaling
AnswerB

The email is a classic phishing attempt: it impersonates a trusted entity (CEO) and requests sensitive action (wire transfer).

Why this answer

This is a classic example of phishing, a broad category of social engineering attacks where attackers send deceptive emails to trick recipients into revealing sensitive information or performing actions like wire transfers. The email's suspicious domain and poor grammar are telltale signs of a generic phishing attempt, as it is not specifically tailored to the employee or the CEO's identity.

Exam trap

The trap here is confusing the broad category of phishing with its subtypes: candidates often pick 'spear phishing' or 'whaling' because the email targets a specific role (CEO), but the lack of personalization and generic red flags make it a standard phishing attack, not a targeted one.

How to eliminate wrong answers

Option A is wrong because smishing (SMS phishing) uses text messages, not email, as the attack vector. Option C is wrong because spear phishing involves targeted, personalized emails that often include specific details about the recipient or organization, whereas this email lacks such customization and uses generic red flags. Option D is wrong because whaling targets high-profile executives (e.g., the CEO or CFO) directly; here the email impersonates the CEO rather than targeting them, and the attack is not specifically aimed at a senior executive.

895
MCQmedium

You work for a financial services firm that must comply with GDPR and PCI DSS. The company uses a cloud-based CRM to store customer data. The security team recently discovered that the CRM vendor had a data breach that exposed the company's customer records. An investigation shows that the breach occurred because the vendor did not have multi-factor authentication (MFA) enabled for administrative accounts. The contract with the vendor states that the vendor is responsible for security of their platform. However, your company had not conducted a risk assessment of the vendor before signing the contract. Management wants to improve risk identification for third-party relationships. Which of the following is the BEST long-term solution?

A.Implement a third-party risk management program with periodic security assessments and contractual security requirements
B.Demand that the vendor reimburse the company for breach costs
C.Cancel the contract with the vendor and move to a private cloud solution
D.Require all vendors to provide SOC 2 reports
AnswerA

A program ensures ongoing risk identification and mitigation.

Why this answer

Option A is correct because a third-party risk management (TPRM) program with periodic security assessments and contractual security requirements directly addresses the root cause: the lack of pre-contract risk identification and ongoing vendor oversight. By embedding MFA requirements into contracts and performing regular assessments (e.g., reviewing SOC 2 reports, conducting penetration tests), the company can proactively enforce security controls like MFA for administrative accounts, preventing future breaches. This is a sustainable, long-term solution that aligns with GDPR and PCI DSS due diligence obligations.

Exam trap

The trap here is that candidates may choose Option D (SOC 2 reports) as a quick fix, mistakenly believing a single compliance report guarantees security, when in fact SOC 2 is a point-in-time audit that does not enforce ongoing contractual obligations or address specific risks like MFA configuration.

How to eliminate wrong answers

Option B is wrong because demanding reimbursement is a reactive, financial remedy that does not prevent future breaches; it fails to address the systemic lack of risk identification and vendor oversight. Option C is wrong because canceling the contract and moving to a private cloud solution is an extreme, short-term reaction that ignores the need for a scalable, ongoing vendor risk management process; it also may not be feasible or cost-effective for all third-party relationships. Option D is wrong because requiring SOC 2 reports alone is insufficient; while SOC 2 provides a snapshot of controls, it does not ensure continuous compliance or contractual enforcement of specific security measures like MFA, and it does not replace the need for periodic assessments tailored to the company's risk appetite.

896
Multi-Selectmedium

Which TWO of the following are characteristics of a Smurf attack? (Select TWO)

Select 2 answers
A.Requires fragmented packets
B.Uses ICMP echo requests
C.Exploits TCP SYN handshake
D.Targets DNS resolvers
E.Amplifies traffic by using broadcast addresses
AnswersB, E

A Smurf attack uses ICMP echo request (ping) packets sent to a broadcast address.

Why this answer

Smurf attacks send ICMP echo requests to a broadcast address with a spoofed source IP, causing all hosts to reply to the victim, leading to amplification.

897
MCQmedium

Which of the following tools would best help a security team detect misconfigurations in a cloud environment, such as open storage buckets or overly permissive IAM roles?

A.Cloud Security Posture Management (CSPM)
B.Web Application Firewall (WAF)
C.Cloud Workload Protection Platform (CWPP)
D.Event Viewer
AnswerA

CSPM automates the detection and remediation of cloud misconfigurations.

Why this answer

CSPM tools are specifically designed to identify cloud misconfigurations, including storage bucket permissions and IAM roles, and often provide remediation guidance.

898
MCQhard

A DevOps team implements a CI/CD pipeline for a web application. Which security control is BEST to ensure that only properly reviewed code reaches production?

A.Run static application security testing (SAST) in the pipeline
B.Require a manual approval gate before deployment
C.Run automated unit tests and integration tests
D.Implement code signing for all artifacts
AnswerB

Ensures human review of code changes, catching issues automation might miss.

Why this answer

Option B is correct because requiring manual approval in the pipeline ensures a human has reviewed the code before it proceeds. Option A is wrong because static analysis is automated and may produce false positives; it does not replace human review. Option C is wrong because automated unit and integration tests are important but may miss logic flaws. Option D is wrong because code signing ensures artifact integrity but not that the code was reviewed.

899
MCQmedium

A company wants to enforce network access control (NAC) for both wired and wireless devices. Which protocol is used for this purpose?

A.802.1X
B.SNMP (Simple Network Management Protocol)
C.EAP (Extensible Authentication Protocol)
D.PAP (Password Authentication Protocol)
AnswerA

802.1X provides port-based authentication for NAC.

Why this answer

802.1X is the IEEE standard for port-based network access control (NAC) that authenticates devices before granting access to both wired and wireless networks. It operates at the data link layer and uses an authentication server (e.g., RADIUS) to validate credentials, ensuring only authorized devices connect to the network.

Exam trap

The trap here is confusing EAP (a framework) with 802.1X (the protocol that enforces NAC), leading candidates to pick EAP because it is directly involved in authentication, but it does not control network access itself.

How to eliminate wrong answers

Option B (SNMP) is wrong because it is a management protocol for monitoring and configuring network devices, not for enforcing access control or authentication. Option C (EAP) is wrong because it is an authentication framework used within 802.1X, not a standalone NAC protocol; it provides the transport for authentication methods but does not enforce port-based access control. Option D (PAP) is wrong because it is a simple, unencrypted password authentication protocol used in PPP, not designed for network access control in modern wired/wireless environments.

900
MCQhard

A company's security policy requires that all servers be hardened according to CIS Level 1 benchmarks. During an audit, it is discovered that a server has password complexity settings that exceed Level 1 requirements. Which of the following is the most appropriate action?

A.Report the non-compliance to management for remediation
B.Implement Level 2 benchmarks to be consistent
C.Immediately revert to Level 1 settings to ensure compliance
D.Document the deviation and accept the stronger configuration
AnswerD

Correct: Stronger settings are acceptable but should be documented for audit purposes.

Why this answer

Option D is correct because exceeding CIS Level 1 password complexity requirements represents a stronger security posture, not a violation. CIS benchmarks define Level 1 as a minimum baseline of essential security controls, and deviations that improve security are acceptable as long as they are documented and formally accepted by management. The key principle is that compliance is measured against the minimum baseline, and stronger configurations are permitted with proper risk acceptance.

Exam trap

The trap here is that candidates mistakenly treat any deviation from a baseline as non-compliance, failing to recognize that exceeding the minimum requirements is acceptable and should be documented rather than reverted or escalated.

How to eliminate wrong answers

Option A is wrong because reporting non-compliance implies a violation, but exceeding Level 1 requirements is not a compliance failure—it is a stronger configuration that should be documented, not escalated as a finding. Option B is wrong because implementing Level 2 benchmarks is unnecessary and could introduce operational overhead or compatibility issues; the policy explicitly requires Level 1, and Level 2 is a separate, more restrictive set of controls not mandated here. Option C is wrong because immediately reverting to Level 1 settings would weaken security without justification, violating the principle of least privilege and potentially exposing the system to password-based attacks.
