Systems Security Certified Practitioner SSCP (SSCP) — Questions 901975

991 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
Multi-Selectmedium

Which TWO of the following are common techniques used in quantitative risk analysis?

Select 2 answers
A.Exposure Factor (EF)
B.Asset Value (AV)
C.Risk rating (High/Medium/Low)
D.Probability and impact matrix
E.Delphi technique
AnswersA, B

EF is a percentage used in SLE calculation.

Why this answer

Exposure Factor (EF) is a core quantitative metric representing the percentage of asset value lost when a specific threat occurs. It is used in quantitative risk analysis to calculate Single Loss Expectancy (SLE = AV × EF) and Annualized Loss Expectancy (ALE = SLE × ARO), enabling numerical risk prioritization.

Exam trap

Cisco often tests the distinction between qualitative and quantitative methods by listing qualitative tools (like risk ratings, probability-impact matrices, and Delphi) as distractors, expecting candidates to recognize that only metrics like EF, AV, SLE, and ALE are truly quantitative.

902
MCQhard

A security analyst reviews logs and finds that an attacker exploited a vulnerability in a web application to read arbitrary files from the server. The application runs on Apache with mod_php. Which of the following is the MOST likely vulnerability?

A.XML External Entity (XXE) vulnerability.
B.Remote File Inclusion (RFI) vulnerability.
C.Server-Side Request Forgery (SSRF) vulnerability.
D.Local File Inclusion (LFI) vulnerability in a PHP include statement.
AnswerD

LFI allows reading local files via path traversal.

Why this answer

The correct answer is D because the scenario describes reading arbitrary files from the server, which is the hallmark of a Local File Inclusion (LFI) vulnerability. In a PHP application using include statements, an attacker can manipulate a file path parameter (e.g., `?page=../../etc/passwd`) to include and read local files, exploiting the server's filesystem access. Apache with mod_php is particularly susceptible to LFI when user input is not sanitized before being passed to functions like `include()` or `require()`.

Exam trap

The trap here is that candidates confuse LFI with RFI because both involve file inclusion, but the key distinction is that LFI reads local files from the server, while RFI requires remote file inclusion, which is less common and often blocked by default PHP settings.

How to eliminate wrong answers

Option A is wrong because XML External Entity (XXE) exploits XML parsers to read files or perform SSRF, but the scenario does not mention XML processing or a parser; it focuses on a PHP include statement, making XXE an unlikely vector. Option B is wrong because Remote File Inclusion (RFI) involves including remote files from external servers (e.g., via HTTP), which requires `allow_url_include` to be enabled—a rare configuration—and the question specifies reading arbitrary files from the server, not remote hosts. Option C is wrong because Server-Side Request Forgery (SSRF) forces the server to make requests to internal or external resources, but it does not directly read arbitrary files via PHP include; it is more about accessing internal services or performing port scans.

903
MCQmedium

An organization uses Kerberos for single sign-on. When a user logs in, they receive a Ticket Granting Ticket (TGT). What is the primary purpose of the TGT?

A.To encrypt all network traffic
B.To obtain service tickets for accessing resources
C.To provide a digital signature for emails
D.To authenticate the user to the network
AnswerB

The TGT is presented to the TGS to get service tickets for specific services.

Why this answer

The TGT is obtained from the Authentication Server (AS) and is used to request service tickets from the Ticket Granting Server (TGS) without re-entering credentials, enabling SSO.

904
MCQmedium

An administrator wants to ensure that a Linux web server only allows the www-data user to run specific commands with elevated privileges. Which configuration file should be modified?

A./etc/sudoers
B./etc/pam.d/
C./etc/chmod.conf
D./etc/selinux/config
AnswerA

sudoers defines which users can run which commands with sudo.

Why this answer

sudoers file controls which users can run commands with sudo and limits commands. PAM handles authentication, not command authorization. SELinux policies control MAC, not sudo. chmod sets file permissions but does not grant specific command execution.

905
MCQmedium

A Windows system administrator needs to enforce a security policy that prevents users from installing unauthorized software. Which feature should be configured via Group Policy?

A.Windows Defender Firewall
B.User Account Control (UAC)
C.AppLocker
D.BitLocker Drive Encryption
AnswerC

AppLocker allows administrators to specify which applications are allowed to run.

Why this answer

AppLocker can be configured via Group Policy to allow or deny applications based on rules, preventing unauthorized software installation.

906
MCQmedium

Refer to the exhibit. During a security review, an analyst finds these firewall rules. Which recommendation should be made to reduce risk?

A.Restrict the source for rule 10 to specific administrative IPs
B.Enable logging on rule 15 as well
C.Require VPN access for all internal traffic
D.Remove rule 15 entirely
AnswerA

Limiting source reduces attack surface for SQL Server.

Why this answer

Rule 10 allows SSH (TCP/22) from any source (0.0.0.0/0) to the internal server, which exposes the management interface to the entire internet. Restricting the source to specific administrative IPs reduces the attack surface by limiting who can initiate SSH connections, mitigating brute-force and unauthorized access risks. This aligns with the principle of least privilege and is a fundamental access control recommendation.

Exam trap

The trap here is that candidates may focus on logging (option B) or overly broad solutions (option C) instead of directly addressing the most critical risk—unrestricted inbound SSH access—which is the classic 'permit any any' mistake in firewall rules.

How to eliminate wrong answers

Option B is wrong because enabling logging on rule 15 (which likely permits all outbound traffic) does not reduce risk; it only improves visibility, but the rule itself remains overly permissive and could allow malicious outbound traffic. Option C is wrong because requiring VPN for all internal traffic is excessive and unnecessary; VPN is typically used for remote access, not for internal LAN traffic, and would add latency and complexity without addressing the specific exposure of rule 10. Option D is wrong because removing rule 15 entirely might break legitimate outbound connectivity (e.g., DNS, updates) and is not the most direct fix for the inbound SSH exposure; a more targeted approach is to restrict the source of rule 10.

907
Multi-Selecteasy

Which TWO roles are typically part of an incident response team?

Select 2 answers
A.Chief Financial Officer
B.Network Administrator
C.Incident Manager
D.Forensic Analyst
E.Legal Counsel
AnswersC, D

The Incident Manager coordinates the response effort.

Why this answer

The Incident Manager (C) is the central coordinator who manages the incident response process, ensures communication among stakeholders, and makes strategic decisions during an incident. The Forensic Analyst (D) is responsible for collecting, preserving, and analyzing digital evidence in a forensically sound manner, often using tools like FTK Imager or EnCase to maintain chain of custody. Both roles are essential for a structured and legally defensible incident response.

Exam trap

The trap here is that candidates often confuse operational support roles (like Network Administrator) with core incident response team roles, or mistakenly include executive/legal positions as permanent team members rather than as external stakeholders consulted on an as-needed basis.

908
MCQmedium

Which of the following best describes the concept of accountability in access controls?

A.Users must present multiple factors to gain access
B.Users must be uniquely identified and their actions logged
C.The system must verify the user's identity before granting access
D.The resource owner can delegate access to others
AnswerB

Correct. Accountability requires unique identification and logging.

Why this answer

Accountability ensures that actions can be traced back to a specific user, typically through logging and audit trails. This relies on identification and authentication to uniquely identify users.

909
Multi-Selecthard

Which TWO of the following are examples of preventive controls for data leakage?

Select 2 answers
A.Encryption.
B.Data Loss Prevention (DLP) system.
C.Log monitoring.
D.Security awareness training.
E.User access reviews.
AnswersA, B

Encryption renders data unreadable without a key, preventing leakage.

Why this answer

Encryption is a preventive control because it renders data unreadable to unauthorized parties, thereby preventing data leakage even if the data is intercepted or accessed without authorization. By transforming plaintext into ciphertext using algorithms like AES-256, encryption ensures that only entities with the correct decryption key can access the original data, effectively blocking data exfiltration at rest or in transit.

Exam trap

The trap here is that candidates often confuse detective controls (like log monitoring) or administrative controls (like training) with preventive controls, because they seem to 'prevent' issues indirectly, but the SSCP exam strictly classifies controls by their primary function—preventive controls must actively block the threat before it occurs.

910
Multi-Selectmedium

Which TWO of the following are valid reasons to deny a change request during the CAB approval process?

Select 2 answers
A.The change is outside the approved budget
B.The change request lacks a rollback plan
C.The change has a low priority
D.The change has not been tested in a staging environment
E.The change was requested by a junior staff member
AnswersB, D

A rollback plan is required to mitigate risks in case of failure.

Why this answer

A change request must include a rollback plan to ensure that if the change fails or causes unexpected issues, the system can be safely restored to its previous state. Without a documented rollback procedure, the change introduces unacceptable operational risk, making it a valid reason for the CAB to deny approval.

Exam trap

Cisco often tests the distinction between operational risk (like missing a rollback plan or skipping staging tests) versus administrative or financial concerns (like budget or requester seniority) to see if candidates understand the CAB's technical risk assessment focus.

911
MCQeasy

Refer to the exhibit. A security analyst notices that multiple internal hosts are using the same inside global IP address but different port numbers. Which technology is being used?

A.Dynamic NAT
B.Static NAT
C.PAT (Port Address Translation)
D.Port forwarding
AnswerC

PAT allows many internal hosts to share a single public IP by differentiating via port numbers.

Why this answer

The scenario describes multiple internal hosts sharing a single inside global IP address but using different port numbers. This is the defining behavior of Port Address Translation (PAT), also known as NAT overload. PAT maps multiple private IP addresses to one public IP by differentiating sessions based on the transport-layer port number (TCP/UDP), allowing many hosts to share a single public address.

Exam trap

The trap here is that candidates often confuse PAT with Dynamic NAT, not realizing that Dynamic NAT requires a pool of public IPs and does not allow port-level multiplexing, whereas PAT is specifically designed to allow many-to-one address sharing using port differentiation.

How to eliminate wrong answers

Option A is wrong because Dynamic NAT maps private IPs to public IPs from a pool on a one-to-one basis, so multiple internal hosts cannot share the same inside global IP; each would require a unique public IP. Option B is wrong because Static NAT provides a fixed one-to-one mapping between a private IP and a public IP, which also prevents multiple hosts from using the same global address. Option D is wrong because Port forwarding is a manual configuration that directs external traffic to a specific internal host and port, not a mechanism for multiple internal hosts to share a single public IP with different source ports.

912
MCQmedium

An organization is implementing Windows Defender Application Control (WDAC) to prevent unauthorized applications from running on company workstations. Which of the following best describes the primary security benefit of this approach?

A.It prevents execution of any application not explicitly allowed
B.It encrypts application binaries at rest
C.It automatically updates applications from a trusted source
D.It ensures that all applications are digitally signed
AnswerA

Whitelisting blocks unapproved applications, which is the core security benefit of WDAC.

Why this answer

WDAC is a whitelisting technology that only allows approved applications to execute, effectively blocking malware and unauthorized software by default.

913
MCQeasy

Which authentication method uses a time-based one-time password (TOTP) generated by a hardware or software token?

A.Time-based One-Time Password (TOTP)
B.Kerberos ticket
C.Biometric fingerprint reader
D.Smart card with PKI certificate
AnswerA

Correct. TOTP generates time-limited codes.

Why this answer

TOTP (Time-based One-Time Password) is defined in RFC 6238 and generates codes based on the current time. It is commonly used with authenticator apps or hardware tokens.

914
Multi-Selecteasy

Which TWO of the following are key components of a risk assessment process?

Select 2 answers
A.Control testing
B.Asset identification
C.Vulnerability identification
D.Risk treatment selection
E.Threat identification
AnswersB, E

Assets must be identified to assess risk to them.

Why this answer

Asset identification (B) is a key component because you cannot assess risk without knowing what assets need protection. Threat identification (E) is also essential because risk is defined as the likelihood of a threat exploiting a vulnerability to cause harm to an asset. Together, asset and threat identification form the foundational inputs for calculating risk.

Exam trap

ISC2 often tests the distinction between risk assessment (identifying assets, threats, and vulnerabilities) and risk management (selecting and implementing controls), so candidates mistakenly select control testing or risk treatment selection as part of the assessment process.

915
MCQeasy

A risk manager is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A.$25,000
B.$1,000
C.$5,000
D.$100
AnswerB

Correct calculation.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Here, SLE = $5,000 and ARO = 0.2, so ALE = $5,000 × 0.2 = $1,000. This represents the expected annual financial loss from the server risk.

Exam trap

The trap here is that candidates often confuse the ALE formula by dividing SLE by ARO instead of multiplying, leading to the inflated $25,000 figure in option A.

How to eliminate wrong answers

Option A is wrong because $25,000 results from dividing SLE by ARO ($5,000 / 0.2), which is a common arithmetic reversal error. Option C is wrong because $5,000 is simply the SLE value, ignoring the ARO multiplier entirely. Option D is wrong because $100 would come from multiplying SLE by ARO but misplacing a decimal (e.g., $5,000 × 0.02), indicating a calculation mistake.

916
Multi-Selecteasy

Which TWO are common methods to secure a wireless network against unauthorized access?

Select 2 answers
A.Implement WPA2-Enterprise
B.Enable SSID broadcast
C.Disable DHCP
D.Use MAC filtering
E.Deploy a wireless intrusion prevention system (WIPS)
AnswersA, E

Provides strong authentication per user.

Why this answer

WPA2-Enterprise uses IEEE 802.1X authentication with a RADIUS server, requiring unique credentials per user rather than a shared pre-shared key (PSK). This eliminates the risk of PSK compromise and provides centralized authentication, making it highly resistant to unauthorized access. It is the recommended method for securing wireless networks in enterprise environments.

Exam trap

The trap here is that candidates often mistake MAC filtering or disabling DHCP as effective security controls, when in fact they are easily bypassed and provide only a false sense of security, while the exam expects recognition of enterprise-grade authentication and active monitoring as the correct methods.

917
MCQmedium

A software development team is implementing input validation for a web application that accepts user email addresses. Which approach BEST prevents email injection attacks?

A.Whitelist allowed characters: alphanumeric, @, ., -, _
B.Blacklist known malicious email patterns
C.Set maximum email length to 100 characters
D.Rely on client-side JavaScript validation only
AnswerA

Whitelisting only safe characters prevents injection.

Why this answer

Option C is correct because whitelisting valid characters (alphanumeric, @, ., -, _) restricts input to safe characters, preventing injection of special characters used in email injection. Option A is wrong because blacklisting known malicious patterns is easily bypassed. Option B is wrong because client-side validation only is insufficient as it can be bypassed.

Option D is wrong because length limits do not prevent injection.

918
Multi-Selectmedium

A security architect is designing an access control system for a healthcare application. The system must ensure that a nurse can view patient records but cannot modify them, and that a doctor can both view and update records. Additionally, the system must prevent a single user from both ordering a medication and approving its administration. Which TWO access control principles are being applied? (Select TWO.)

Select 2 answers
A.Discretionary access control
B.Separation of duties
C.Need to know
D.Mandatory access control
E.Least privilege
AnswersB, E

Ordering and approving medications are separated to prevent fraud or error.

Why this answer

Least privilege ensures users have only the permissions needed (nurse view, doctor view/update). Separation of duties prevents a single user from performing conflicting actions (order and approve).

919
MCQeasy

Which protocol is used to provide secure remote shell access and replace Telnet?

A.SFTP
B.SSH
C.IPsec
D.HTTPS
AnswerB

SSH provides encrypted remote shell access and is the standard replacement for Telnet.

Why this answer

SSH (Secure Shell) is the correct answer because it provides encrypted remote shell access and command execution, replacing the insecure Telnet protocol which transmits data in cleartext. SSH uses public-key cryptography for authentication and symmetric encryption (e.g., AES, ChaCha20) for session confidentiality, as defined in RFC 4251.

Exam trap

Cisco often tests the distinction between SSH (remote shell) and SFTP (file transfer), leading candidates to confuse SFTP as a replacement for Telnet when it actually relies on SSH for its secure transport.

How to eliminate wrong answers

Option A (SFTP) is wrong because SFTP (SSH File Transfer Protocol) is a file transfer protocol that runs over SSH, not a remote shell access protocol; it is used for secure file operations, not interactive shell sessions. Option C (IPsec) is wrong because IPsec is a network-layer security protocol suite used for encrypting IP packets (e.g., in VPNs), not for providing remote shell access or replacing Telnet. Option D (HTTPS) is wrong because HTTPS is HTTP over TLS, designed for secure web browsing, not for remote shell access or command-line interaction.

920
Multi-Selectmedium

An organization is implementing a privileged access management (PAM) solution. Which THREE of the following are common PAM capabilities?

Select 3 answers
A.Just-in-time (JIT) provisioning of privileged access
B.Single sign-on for all applications
C.Password vaulting for storing privileged credentials securely
D.Self-service password reset for end users
E.Recording and monitoring of privileged sessions
AnswersA, C, E

JIT provisioning grants temporary elevated privileges, reducing risk.

Why this answer

PAM includes password vaulting, session recording, and just-in-time provisioning to secure privileged accounts.

921
MCQeasy

A small business uses MAC address filtering on its wireless network to prevent unauthorized access. Which attack is most likely to bypass this control?

A.Deauthentication attack
B.Man-in-the-middle attack
C.Evil twin attack
D.MAC spoofing
AnswerD

An attacker can capture a valid MAC and use it to connect.

Why this answer

MAC address filtering is a weak access control because MAC addresses are transmitted in plaintext over the air and can be easily captured using a wireless sniffer (e.g., Wireshark). An attacker can then change their network interface's MAC address to match an allowed client via MAC spoofing, thereby bypassing the filter and gaining access to the network. This attack directly defeats the filtering mechanism without needing to crack encryption keys or impersonate the access point.

Exam trap

The trap here is that candidates confuse MAC spoofing with deauthentication attacks, thinking that disconnecting a client is the primary method to bypass filtering, when in fact the attacker must spoof the allowed MAC to actually authenticate and gain network access.

How to eliminate wrong answers

Option A is wrong because a deauthentication attack disconnects clients from the access point but does not bypass MAC filtering—it only disrupts service, not authenticate the attacker. Option B is wrong because a man-in-the-middle attack intercepts traffic between two parties but requires the attacker to already be associated with the network, so it does not bypass the initial MAC filter. Option C is wrong because an evil twin attack creates a rogue access point with the same SSID to trick clients into connecting, but the attacker still needs to associate with the legitimate network or bypass its MAC filter to access internal resources.

922
MCQmedium

An incident responder needs to create a forensic image of a suspect hard drive. Which of the following steps is ESSENTIAL to ensure the integrity of the evidence?

A.Run an antivirus scan on the drive before imaging
B.Use a write blocker to prevent modification of the original drive
C.Boot the suspect system to verify it is functional
D.Perform the imaging over the network to save time
AnswerB

A write blocker ensures read-only access, preserving the integrity of the original evidence.

Why this answer

Using a write blocker is essential because it ensures that no data can be written to the suspect hard drive during the imaging process, preserving the original evidence in a forensically sound state. Without a write blocker, any operating system or imaging tool could inadvertently modify metadata (e.g., access timestamps) or the file system, which would compromise the integrity and admissibility of the evidence in legal proceedings.

Exam trap

Cisco often tests the misconception that booting the system or running software-based checks is acceptable, but the trap here is that any interaction with the original drive that could alter its state—even a read-only mount without a write blocker—can change metadata and break the chain of custody.

How to eliminate wrong answers

Option A is wrong because running an antivirus scan on the drive before imaging could modify the drive's contents (e.g., by quarantining or deleting files), which violates forensic integrity principles. Option C is wrong because booting the suspect system can alter the system state, including writing to the drive (e.g., log files, temporary files), and may trigger anti-forensic mechanisms. Option D is wrong because performing imaging over the network introduces risks of data corruption, packet loss, or interception, and does not inherently prevent writes to the original drive; a write blocker is still required for forensic soundness.

923
MCQmedium

A hospital's IT department manages a network with hundreds of medical devices, including patient monitors and infusion pumps, all connected to a separate VLAN. The security team has identified that several devices are running outdated firmware with known vulnerabilities. The vendor has not released patches for these legacy devices. The hospital cannot replace them immediately due to budget constraints. The network team proposes moving the devices to a more restrictive firewall zone and implementing intrusion detection. Which of the following additional controls should be implemented to BEST reduce the risk of a breach exploiting these devices?

A.Conduct daily vulnerability scans on the device VLAN
B.Deploy host-based intrusion prevention on each device
C.Use a web application firewall (WAF) in front of the devices
D.Implement strict network segmentation and access control lists (ACLs) to allow only necessary traffic
AnswerD

Segmentation with ACLs minimizes exposure and is feasible without modifying the devices.

Why this answer

Segmenting the devices into a separate, highly restricted network segment limits the blast radius and prevents lateral movement. Option A is already proposed; B is best practice; C is acceptable but not sufficient; D is reactive.

924
MCQhard

A medium-sized financial services company has recently deployed a new web application that processes sensitive customer data, including Social Security numbers and account balances. The security team implemented network segmentation, a web application firewall (WAF) from a reputable vendor, and quarterly vulnerability scans. The developers assert that they use parameterized queries for all database calls in the main application code. During a recent penetration test, testers successfully exploited a SQL injection vulnerability, extracting the entire customer database. Further investigation reveals that the main application indeed uses parameterized queries, but a third-party reporting module, integrated to generate compliance reports, constructs SQL queries by concatenating user-supplied date range inputs directly into SQL strings. The WAF is configured with a generic rule set and has not been tuned to the application's specific traffic patterns. What is the most effective course of action to remediate this vulnerability and prevent future occurrences?

A.Replace the third-party reporting module with an alternative that uses parameterized queries.
B.Implement strict input validation to sanitize user-supplied date inputs.
C.Increase the frequency of vulnerability scans from quarterly to monthly.
D.Configure the WAF to block SQL injection patterns with custom rules.
AnswerA

This directly removes the vulnerable coding practice (concatenation) and replaces it with a secure method, permanently fixing the SQL injection flaw.

Why this answer

The root cause is the third-party module's insecure query construction. Replacing it with a module that uses parameterized queries directly eliminates the vulnerability at its source. Input validation (A) is a defense-in-depth measure but not sufficient if concatenation is still used.

Increasing scan frequency (C) does not fix the underlying issue. Configuring the WAF (D) provides a layer of defense but can be bypassed and is not as reliable as eliminating the vulnerable code.

925
Multi-Selectmedium

A company is implementing encryption for data at rest in a file server. Which TWO of the following algorithms are suitable for this purpose? (Select TWO.)

Select 2 answers
A.3DES
B.Blowfish
C.SHA-256
D.AES-256
E.RSA-2048
AnswersB, D

Blowfish is a symmetric block cipher that can be used for data at rest, though AES is preferred.

Why this answer

Blowfish is a symmetric block cipher that supports variable key lengths (32–448 bits), making it suitable for encrypting data at rest on a file server. It is designed for fast encryption in software and has been widely used for file and disk encryption, though it is now considered less secure than modern alternatives like AES.

Exam trap

The trap here is that candidates often confuse hashing algorithms (like SHA-256) with encryption algorithms, or mistakenly think asymmetric ciphers (like RSA) are suitable for bulk data encryption, when in fact symmetric ciphers (like AES and Blowfish) are the correct choice for data at rest.

926
MCQeasy

Which of the following is the primary purpose of a configuration management database (CMDB)?

A.To provide a centralized repository of configuration items and their relationships
B.To track changes to network devices in real time
C.To automate the deployment of patches
D.To store backup copies of configuration files
AnswerA

This is the core function of a CMDB.

Why this answer

A configuration management database (CMDB) is a centralized repository that stores information about configuration items (CIs) and their relationships. Its primary purpose is to provide a single source of truth for managing IT assets, dependencies, and their interconnections, which is foundational for change management, incident management, and impact analysis.

Exam trap

Cisco often tests the distinction between a CMDB's role as a metadata repository versus operational tools that perform real-time actions, leading candidates to confuse it with change tracking or backup systems.

How to eliminate wrong answers

Option B is wrong because tracking changes to network devices in real time is a function of network monitoring tools (e.g., SNMP traps, NetFlow) or change detection systems, not the primary purpose of a CMDB. Option C is wrong because automating patch deployment is the role of patch management systems (e.g., WSUS, SCCM), while a CMDB stores CI data but does not execute deployment actions. Option D is wrong because storing backup copies of configuration files is a function of backup and version control systems (e.g., RANCID, Git), whereas a CMDB focuses on metadata and relationships, not file-level backups.

927
MCQmedium

After implementing a new IDS, the security team receives numerous alerts about legitimate traffic being flagged as malicious. This phenomenon is known as:

A.False positives
B.Noise
C.False negatives
D.True positives
AnswerA

Correct: Legitimate traffic flagged as malicious are false positives.

Why this answer

A false positive occurs when the IDS incorrectly classifies legitimate traffic as malicious, generating an alert for benign activity. This is a common issue after deploying a new IDS with default or overly sensitive signature sets, leading to alert fatigue. The core reasoning is that the IDS's detection logic (e.g., pattern matching or anomaly thresholds) misidentifies normal behavior as an attack.

Exam trap

The trap here is that candidates confuse 'false positives' with 'noise' (Option B), but noise is a broader category that includes false positives as well as other irrelevant alerts, while the question specifically describes legitimate traffic being flagged as malicious, which is the precise definition of a false positive.

How to eliminate wrong answers

Option B (Noise) is wrong because noise refers to irrelevant or low-value alerts that may be triggered by benign events, but it is not the specific term for legitimate traffic flagged as malicious—noise often includes false positives but also encompasses other non-actionable alerts. Option C (False negatives) is wrong because false negatives occur when the IDS fails to detect actual malicious traffic, not when it flags legitimate traffic. Option D (True positives) is wrong because true positives are alerts that correctly identify actual malicious activity, which is the opposite of the scenario described.

928
MCQeasy

Which type of disaster recovery test involves running the DR systems alongside production systems to verify functionality without impacting operations?

A.Tabletop exercise
B.Full interruption test
C.Parallel test
D.Simulation test
AnswerC

Correct. Parallel test runs DR and production systems simultaneously.

Why this answer

A parallel test runs the disaster recovery (DR) systems in a live, non-disruptive manner alongside the production environment. This allows the organization to validate that the DR systems can process transactions and handle workloads correctly without affecting the primary production operations, making it the correct choice for verifying functionality without impact.

Exam trap

The trap here is that candidates often confuse a parallel test with a simulation test, thinking both are 'non-disruptive,' but a simulation test does not run DR systems alongside production and typically uses synthetic data, whereas a parallel test uses real production data and systems in a concurrent, non-interfering manner.

How to eliminate wrong answers

Option A is wrong because a tabletop exercise is a discussion-based walkthrough of roles and procedures, not an actual technical test of DR systems running alongside production. Option B is wrong because a full interruption test (also called a full-scale or hot start test) involves shutting down production systems and failing over to the DR site, which directly impacts operations. Option D is wrong because a simulation test mimics a disaster scenario in a controlled environment but does not run DR systems concurrently with production systems; it often uses isolated test beds.

929
MCQeasy

An administrator notices that a terminated employee's account is still active. Which access control process was likely skipped?

A.Authorization
B.Authentication
C.Provisioning
D.Accounting
AnswerC

Provisioning includes creating and disabling accounts; the termination process should have disabled the account.

Why this answer

Provisioning is the access control process that includes creating, modifying, and disabling user accounts and their associated privileges. When a terminated employee's account remains active, the de-provisioning step—specifically account revocation—was likely skipped, leaving the account enabled and accessible.

Exam trap

The trap here is that candidates confuse provisioning with authorization or authentication, thinking that account termination is about setting permissions (authorization) rather than the account lifecycle itself.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., read, write), not whether the account itself exists or is active. Option B is wrong because authentication verifies a user's identity (e.g., via password or certificate), not the lifecycle management of the account. Option D is wrong because accounting tracks user actions and resource usage (e.g., via logs or RADIUS accounting), not the creation or removal of accounts.

930
Multi-Selectmedium

A security administrator is evaluating encryption protocols for email communication. Which of the following protocols can secure email in transit? (Select TWO)

Select 2 answers
A.IMAPS
B.HTTPS
C.SSH
D.SMTPS
E.SFTP
AnswersA, D

IMAPS is IMAP over TLS, used for retrieving email securely.

Why this answer

IMAPS (Internet Message Access Protocol over SSL/TLS) encrypts email retrieval by wrapping IMAP traffic in TLS, typically on port 993. This ensures that email messages and credentials are protected from eavesdropping while in transit between the client and the mail server.

Exam trap

Cisco often tests the distinction between protocols that secure email in transit (IMAPS, SMTPS) versus protocols that secure other services (HTTPS for web, SSH for remote access, SFTP for file transfer), leading candidates to confuse secure versions of unrelated protocols.

931
MCQhard

A security analyst receives a chain of custody form for a hard drive that was seized from a suspected insider threat. The form shows that the drive was handled by three individuals over two days. Which of the following is the PRIMARY reason for maintaining a chain of custody?

A.To prove that the evidence has not been tampered with and is admissible in legal proceedings
B.To determine the cost of the forensic investigation
C.To ensure the hard drive is stored in a secure location
D.To track the productivity of forensic analysts
AnswerA

Correct. Chain of custody provides a documented history to show evidence integrity.

Why this answer

The chain of custody is a documented chronological record of evidence handling, which is essential to demonstrate that the hard drive has not been altered, damaged, or substituted since seizure. Without this unbroken record, the evidence could be challenged as inadmissible in court under rules like the Federal Rules of Evidence (FRE) 901, which require authentication. This is the primary reason because legal admissibility hinges on proving integrity and continuity of custody.

Exam trap

Cisco often tests the distinction between the legal necessity of chain of custody (admissibility) versus operational tasks like storage or cost tracking, leading candidates to confuse a supporting activity (secure storage) with the primary purpose.

How to eliminate wrong answers

Option B is wrong because determining the cost of the forensic investigation is an administrative or budgeting concern, not the primary legal purpose of chain of custody. Option C is wrong because while secure storage is a component of proper evidence handling, the chain of custody specifically documents who had access and when, not just the storage location itself. Option D is wrong because tracking analyst productivity is a management metric unrelated to the forensic integrity and legal admissibility requirements that chain of custody is designed to satisfy.

932
MCQeasy

Refer to the exhibit. An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': ['s3:ListBucket','s3:GetObject'], 'Resource': 'arn:aws:s3:::example-bucket/*'. What does this policy allow?

A.List objects and read objects in example-bucket
B.Full access to all S3 buckets
C.Delete objects from example-bucket
D.Write objects to example-bucket
AnswerA

ListBucket and GetObject provide list and read.

Why this answer

ListBucket allows listing objects, GetObject allows reading objects. It does not allow write or delete. The resource is specific to example-bucket.

933
MCQeasy

An analyst notices unusual outbound traffic from a workstation to an external IP on port 445. Which protocol is likely being used?

A.HTTP
B.SMB
C.FTP
D.DNS
AnswerB

SMB uses port 445 for direct TCP communication, often associated with file sharing.

Why this answer

Port 445 is the default port for Microsoft-DS (Direct Hosting of SMB over TCP/IP), which is used by the Server Message Block (SMB) protocol for file and printer sharing. Unusual outbound traffic on this port often indicates SMB activity, such as a workstation attempting to connect to a remote share or, in a security context, potential data exfiltration or lateral movement using SMB.

Exam trap

ISC2 often tests the association of well-known ports with their protocols, and the trap here is that candidates may confuse port 445 with NetBIOS (ports 137-139) or assume SMB only uses ports 137-139, forgetting that modern SMB over TCP/IP uses port 445 directly.

How to eliminate wrong answers

Option A is wrong because HTTP typically uses ports 80 (unencrypted) or 443 (TLS), not port 445. Option C is wrong because FTP uses ports 20 (data) and 21 (control), not port 445. Option D is wrong because DNS uses port 53 (UDP primarily, with TCP for zone transfers), not port 445.

934
MCQhard

During a penetration test, a security analyst captures a packet containing a gratuitous ARP reply that associates the attacker's MAC address with the default gateway's IP address. This is a classic indicator of which attack?

A.ARP spoofing
B.DHCP spoofing
C.MAC cloning
D.DNS poisoning
AnswerA

Gratuitous ARP is the key technique for ARP spoofing.

Why this answer

ARP spoofing (or ARP poisoning) sends gratuitous ARP replies to redirect traffic, enabling man-in-the-middle attacks.

935
MCQmedium

A security administrator needs to dispose of hard drives that contain sensitive data. Which method provides the highest assurance that data cannot be recovered?

A.Deleting all files and emptying the recycle bin
B.Performing a quick format of the drive
C.Physically shredding the hard drives
D.Using a degausser to erase magnetic data
AnswerC

Physical destruction provides the highest assurance of data irrecoverability.

Why this answer

Physical destruction (e.g., shredding, crushing) ensures that the storage media is no longer usable and data recovery is virtually impossible. Degaussing may destroy magnetic media but is less effective on SSDs. Overwriting requires multiple passes and may not be effective on all media types.

936
Multi-Selecthard

Which THREE of the following are types of application security testing that should be included in a secure SDLC?

Select 3 answers
A.Static application security testing (SAST)
B.Penetration testing
C.User acceptance testing (UAT)
D.Dynamic application security testing (DAST)
E.Load testing
AnswersA, B, D

Analyzes source code for vulnerabilities.

Why this answer

Options A, C, and E are correct. SAST (Static Application Security Testing) analyzes source code, DAST (Dynamic Application Security Testing) tests running applications, and penetration testing simulates real attacks. Option B is wrong because UAT is for functional validation, not security.

Option D is wrong because load testing is for performance, not security.

937
Multi-Selecthard

Which three of the following are best practices for securing a database? (Choose three.)

Select 3 answers
A.Encrypt sensitive data at rest
B.Use default passwords for database accounts
C.Implement row-level security
D.Apply the principle of least privilege for database users
E.Enable public access to the database
AnswersA, C, D

Protects data if storage is compromised.

Why this answer

Encrypting sensitive data at rest protects confidentiality. Row-level security restricts access to specific rows. Least privilege limits user permissions.

Default passwords are insecure. Public access exposes the database.

938
Multi-Selecthard

A security team is implementing User Behavior Analytics (UBA) to detect insider threats. Which THREE types of activities would most likely indicate a compromised account?

Select 3 answers
A.Accessing systems not normally used by the user
B.Downloading large volumes of data
C.Logging in during normal business hours from a known workstation
D.Printing a document
E.Accessing sensitive files after hours
AnswersA, B, E

Correct: Lateral movement often involves accessing unusual systems.

Why this answer

Accessing systems not normally used by the user (A) is a strong indicator of a compromised account because User Behavior Analytics (UBA) builds a baseline of each user's typical access patterns, including which servers, applications, or network segments they routinely interact with. A deviation from this baseline—such as authenticating to a system outside the user's job function—triggers an anomaly score, as it suggests an attacker is using stolen credentials to move laterally. This aligns with the MITRE ATT&CK technique T1078 (Valid Accounts) and is a core detection signal in UBA platforms like Splunk UBA or Microsoft Sentinel UEBA.

Exam trap

The trap here is that candidates often assume any 'sensitive file access' is automatically malicious, but UBA requires a deviation from the user's baseline—accessing sensitive files after hours (E) is anomalous only if the user never does so during normal hours, whereas accessing systems not normally used (A) is a clearer deviation from established patterns.

939
Multi-Selectmedium

Which two commands can be used to modify existing file permissions on a Linux system? (Select TWO)

Select 2 answers
A.chattr
B.setfacl
C.umask
D.chown
E.chmod
AnswersB, E

setfacl sets or modifies Access Control Lists (ACLs) that can define permissions for specific users or groups.

Why this answer

B is correct because `setfacl` is used to modify Access Control Lists (ACLs) on a file or directory, which are an extended mechanism for setting permissions beyond the standard owner/group/others model. E is correct because `chmod` is the standard command for changing the read, write, and execute permissions for the file owner, group, and others using symbolic or octal notation.

Exam trap

ISC2 often tests the distinction between commands that modify existing permissions (`chmod`, `setfacl`) versus commands that set defaults for new files (`umask`) or change file ownership (`chown`), leading candidates to mistakenly select `umask` or `chown` as tools for altering current permissions.

940
MCQmedium

An organization needs to recover data from a backup after a ransomware attack. The backup was taken 12 hours ago, and the RPO is 4 hours. What is the impact?

A.The RPO is met because data can be recovered
B.The RPO is violated because more than 4 hours of data may be lost
C.The RTO is exceeded
D.The 3-2-1 rule is violated
AnswerB

Correct. The backup frequency does not meet the RPO.

Why this answer

RPO (Recovery Point Objective) defines the maximum acceptable data loss. If the backup is 12 hours old and RPO is 4 hours, the organization has lost 8 hours of data, exceeding the objective.

941
Multi-Selectmedium

Which TWO actions are appropriate during the containment phase of incident response?

Select 2 answers
A.Restoring data from backups
B.Removing malware from the system
C.Isolating the affected system from the network
D.Blocking malicious IP addresses at the firewall
E.Analyzing the root cause of the incident
AnswersC, D

Isolation prevents spread.

Why this answer

During the containment phase of incident response, the primary goal is to stop the incident from spreading and to limit damage. Isolating the affected system from the network (Option C) immediately prevents lateral movement of the threat and further data exfiltration. Blocking malicious IP addresses at the firewall (Option D) is another containment action that cuts off communication with known command-and-control servers or attack sources, effectively containing the network-level impact.

Exam trap

ISC2 often tests the distinction between containment, eradication, and recovery phases, and the trap here is that candidates mistakenly classify malware removal or root cause analysis as containment actions, when they actually belong to later phases.

942
MCQmedium

A company uses a hub-and-spoke VPN topology with a central site and multiple branch offices. The central site's firewall is being upgraded. Which technology can provide link redundancy with automatic failover for the VPN connections?

A.STP
B.VRRP
C.OSPF
D.BGP
AnswerD

BGP can be used to manage multiple VPN paths and failover automatically.

Why this answer

BGP is correct because it supports dynamic routing and can be configured with multiple paths to provide automatic failover for VPN connections in a hub-and-spoke topology. When the central site's firewall is upgraded, BGP can reroute traffic through alternate paths without manual intervention, ensuring link redundancy. This is achieved through BGP's path selection algorithm and the ability to advertise multiple routes via different VPN tunnels.

Exam trap

The trap here is that candidates confuse VRRP (a first-hop redundancy protocol) with VPN failover, but VRRP only provides gateway redundancy at the local subnet, not dynamic routing or failover across multiple VPN tunnels between sites.

How to eliminate wrong answers

Option A is wrong because STP (Spanning Tree Protocol) is a Layer 2 protocol designed to prevent loops in Ethernet networks, not to provide link redundancy or automatic failover for VPN connections. Option B is wrong because VRRP (Virtual Router Redundancy Protocol) provides gateway redundancy at Layer 3 by allowing multiple routers to share a virtual IP, but it does not handle VPN-specific failover or dynamic routing across multiple sites. Option C is wrong because OSPF is an interior gateway protocol that can provide dynamic routing and failover within a single autonomous system, but it is not typically used for hub-and-spoke VPN redundancy across multiple branch offices without additional configuration like DMVPN, and it lacks the policy-based path control and scalability of BGP for this scenario.

943
MCQeasy

An organization wants to prevent unauthorized applications from running on Windows workstations. Which Windows feature should be used to enforce application whitelisting?

A.User Account Control (UAC)
B.Windows Firewall with Advanced Security
C.Windows Defender Application Control (WDAC)
D.Windows Defender Antivirus
AnswerC

WDAC allows only approved applications to run, providing application whitelisting.

Why this answer

Windows Defender Application Control (WDAC) and AppLocker are used for application whitelisting. WDAC provides more robust control.

944
MCQhard

An organization uses role-based access control (RBAC). A user complains that they can access a resource they were previously denied. The security administrator finds that the user's role was recently changed. What is the most likely cause?

A.The user's previous role was not properly removed.
B.The RBAC implementation has a bug that grants excessive permissions.
C.The user's new role inherits permissions from multiple roles that collectively grant access.
D.The user was directly assigned permissions to the resource.
AnswerC

In RBAC, roles can inherit permissions, leading to unintended access.

Why this answer

In RBAC, permissions are assigned to roles, not directly to users. When a user's role changes, the new role may have a different set of permissions. If the new role inherits permissions from multiple roles (e.g., through role hierarchy or composite roles), it can collectively grant access to resources that were previously denied under the old role.

This is the most likely cause because the security administrator confirmed the role change, and RBAC systems typically enforce permissions based on the current role membership.

Exam trap

The trap here is that candidates assume a role change always removes old permissions, but RBAC role hierarchies can cause permission accumulation through inheritance, leading to new access that was previously denied.

How to eliminate wrong answers

Option A is wrong because if the previous role was not properly removed, the user would still have the old role's permissions, but the complaint is about gaining access they were previously denied, not about retaining old access; role removal issues typically cause excessive permissions, not a new access pattern. Option B is wrong because a bug that grants excessive permissions would be a systemic flaw affecting multiple users or resources, not a single user's access change tied to a role change; the administrator's observation of a role change makes a bug less likely than a legitimate role-based permission change. Option D is wrong because direct permission assignments bypass RBAC and would be a separate access control mechanism; if the user had direct permissions, the role change would be irrelevant, and the administrator would likely see a direct ACE rather than a role-based grant.

945
Multi-Selectmedium

Which TWO controls are examples of physical security controls that can help prevent unauthorized access to a data center? (Select TWO.)

Select 2 answers
A.Biometric readers
B.Encryption of data at rest
C.Mantraps
D.Firewalls
E.Intrusion detection system (IDS)
AnswersA, C

Correct. Biometric readers are physical access controls.

Why this answer

Biometric readers are a physical security control that authenticates individuals based on unique biological traits (e.g., fingerprints, iris patterns). They prevent unauthorized access by ensuring only enrolled personnel can enter the data center, directly controlling physical entry points.

Exam trap

The trap here is that candidates often confuse 'physical security controls' with 'technical/administrative controls'—for example, selecting encryption or firewalls because they 'secure' the data center, but they do not prevent physical entry.

946
MCQhard

A PKI administrator is designing a key management lifecycle for a high-security environment. Which practice is most critical for ensuring long-term security of asymmetric keys?

A.Performing regular key rotation
B.Using hardware security modules (HSMs)
C.Implementing key escrow
D.Maintaining a Certificate Revocation List (CRL)
AnswerA

Regular rotation minimizes impact of key compromise.

Why this answer

Regular key rotation limits exposure in case of compromise. All other options are important but rotation is most critical for long-term security.

947
MCQmedium

A small business experienced a ransomware attack that encrypted all files on the file server. They have no backups. The attacker demands a ransom. The CEO asks for advice. Which recommendation should the incident responder give?

A.Contact law enforcement and attempt decryption from public tools
B.Wipe the server and restore from the cloud sync if available
C.Pay the ransom immediately to regain access
D.Reinstall the OS and rebuild data from manual copies
AnswerA

Law enforcement can provide guidance, and free decryption tools may be available for some ransomware strains.

Why this answer

Option C is correct because contacting law enforcement and attempting decryption using public tools is the most responsible action. Paying the ransom (A) is discouraged and does not guarantee recovery. Wiping the server (B) and rebuilding from cloud sync would lose all data if no sync exists.

Reinstalling and rebuilding manually (D) is extremely time-consuming and likely impossible without backups.

948
MCQeasy

Which access control model allows the owner of a resource to determine who can access it and what privileges they have?

A.Mandatory Access Control (MAC)
B.Attribute-Based Access Control (ABAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerC

DAC enables owners to grant access to others.

Why this answer

DAC (Discretionary Access Control) lets the owner control access permissions. Other models have different control mechanisms.

949
MCQmedium

A security engineer is designing a system that requires non-repudiation of data origin. Which cryptographic technique should be used?

A.Keyed hash (HMAC)
B.Digital signature using RSA or ECDSA
C.Hash function only
D.Symmetric encryption with a shared key
AnswerB

Digital signatures bind the identity of the signer to the data, providing non-repudiation.

Why this answer

Digital signatures using RSA or ECDSA provide non-repudiation of data origin because they bind the signer's identity to the data through a private key that only the signer possesses. The recipient can verify the signature with the corresponding public key, and the signer cannot later deny having signed the data, as the private key is uniquely under their control. This meets the legal and technical requirement for non-repudiation, unlike symmetric or hash-only methods.

Exam trap

The trap here is that candidates confuse integrity (provided by HMAC or hash) with non-repudiation, or assume a shared secret (HMAC or symmetric encryption) can prove origin, but only asymmetric digital signatures satisfy the legal requirement of non-repudiation.

How to eliminate wrong answers

Option A is wrong because a keyed hash (HMAC) uses a shared secret key between sender and receiver, which cannot prove which party generated the MAC, thus failing to provide non-repudiation. Option C is wrong because a hash function alone provides integrity but no authentication or proof of origin, as anyone can compute the same hash. Option D is wrong because symmetric encryption with a shared key does not provide non-repudiation; both parties possess the same key, so the sender can deny creating the ciphertext.

950
MCQmedium

A database audit log shows that a user ran a query retrieving all customer records. The user's job role only requires access to view their own assigned customers. Which access control concept has been violated?

A.Job rotation
B.Need-to-know
C.Separation of duties
D.Least privilege
AnswerB

Need-to-know restricts access to data required for job functions; the user accessed data outside their need.

Why this answer

The need-to-know principle restricts data access to only the information necessary for a user to perform their job duties. In this case, the user retrieved all customer records, but their role only requires access to their own assigned customers, meaning they accessed data beyond what is necessary. This directly violates the need-to-know concept, which is a subset of access control that limits access to specific data elements rather than entire datasets.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need-to-know,' but least privilege governs the level of permissions (e.g., read vs. write), while need-to-know governs the scope of data accessible (e.g., which specific records), and the question specifically describes a scope violation, not a permission level violation.

How to eliminate wrong answers

Option A is wrong because job rotation is a security practice where users periodically change roles to reduce fraud risk and detect malicious activity, not an access control principle that limits data access. Option C is wrong because separation of duties ensures that no single individual has complete control over a critical process by dividing tasks among multiple users, which is unrelated to a user accessing more data than their role requires. Option D is wrong because least privilege limits a user's permissions to the minimum necessary to perform their job, but the violation here is specifically about accessing data beyond what is needed for their role, which is the definition of need-to-know; least privilege focuses on the level of access (e.g., read vs. write), while need-to-know focuses on the scope of data (e.g., which records).

951
Multi-Selecteasy

A company is implementing an access control system for a high-security environment. Which TWO of the following are characteristics of Mandatory Access Control (MAC)?

Select 2 answers
A.Permissions are assigned to roles.
B.Access rules are defined by the system, not users.
C.Users can grant access to other users.
D.Subjects and objects have security labels.
E.Access is based on the owner's discretion.
AnswersB, D

MAC policies are centrally enforced.

Why this answer

MAC uses labels for subjects and objects, and access decisions are based on clearance and classification. Users cannot change permissions.

952
MCQhard

A security administrator is configuring Windows Firewall with Advanced Security for a web server. The requirement is to allow inbound HTTPS traffic but block all other inbound traffic. Which of the following rule configurations best meets this requirement?

A.Create an inbound block rule for all ports and then exclude HTTPS
B.Create an inbound allow rule for HTTPS and set the firewall default action to block
C.Create an outbound allow rule for HTTPS only
D.Create an inbound allow rule for HTTPS and create a block rule for all other ports
AnswerD

This explicitly allows HTTPS and blocks everything else, meeting the requirement.

Why this answer

A specific allow rule for HTTPS (port 443) combined with a default block rule ensures only HTTPS is allowed. The default block rule enforces the principle of least privilege.

953
MCQeasy

A company wants to implement a policy where no single individual can approve a purchase order and also receive the goods. Which access control principle does this enforce?

A.Rotation of duties
B.Separation of duties
C.Need to know
D.Least privilege
AnswerB

This principle splits critical functions among different individuals.

Why this answer

This policy enforces separation of duties by ensuring that no single individual has the authority to both approve a purchase order and receive the goods. This control prevents fraud and errors by requiring two different people to complete related but conflicting tasks, which is a fundamental access control principle in financial and operational systems.

Exam trap

The trap here is that candidates often confuse separation of duties with least privilege, but least privilege focuses on minimizing permissions per role, whereas separation of duties mandates that conflicting tasks be split across multiple roles to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because rotation of duties involves periodically moving personnel between different roles to reduce the risk of collusion or skill stagnation, not preventing a single person from performing two conflicting tasks. Option C is wrong because need to know restricts access to information based on job requirements, not the segregation of conflicting operational steps. Option D is wrong because least privilege limits users to the minimum permissions necessary for their job functions, but does not specifically address the requirement that two separate individuals must handle approval and receipt of goods.

954
MCQmedium

A company deploys a web application that processes credit card payments. The development team uses parameterized queries for all database interactions. However, during a penetration test, the tester successfully injects malicious code into a search field and retrieves sensitive customer data. Which of the following is the most likely cause?

A.The application uses dynamic SQL despite parameterized queries for some fields.
B.The web server is misconfigured to allow directory traversal.
C.The database server has weak permissions allowing direct query execution.
D.The search field output is not sanitized, allowing stored XSS.
AnswerA

Dynamic SQL in the search field bypasses the parameterized queries used elsewhere, allowing injection.

Why this answer

Option A is correct because the use of parameterized queries prevents SQL injection, but if dynamic SQL is constructed elsewhere in the application (e.g., for the search field), it can still be vulnerable. Option B is incorrect because XSS affects client-side execution, not direct data retrieval from the database. Option C is incorrect because direct query execution would require explicit permissions beyond the application's context.

Option D is incorrect because directory traversal exploits file system access, not database query injection.

955
Multi-Selecteasy

During a security assessment, a penetration tester successfully performs a DHCP starvation attack followed by a DHCP spoofing attack. Which TWO outcomes are the most likely consequences of this combined attack?

Select 2 answers
A.Clients' default gateway and DNS servers are set to attacker-controlled addresses
B.Clients receive IP addresses from a rogue DHCP server
C.The attacker can perform ARP spoofing on the network
D.The attacker gains administrative access to domain controllers
E.All network traffic is encrypted using TLS
AnswersA, B

The rogue DHCP server can provide malicious gateway and DNS, allowing traffic interception.

Why this answer

DHCP starvation exhausts the IP pool, forcing clients to accept offers from a rogue DHCP server. The rogue server provides malicious gateway and DNS, enabling traffic interception and redirection.

956
MCQhard

An organization implements a Privileged Access Management (PAM) solution. Which capability best describes granting temporary administrative rights just when needed?

A.Session recording
B.Just-in-time provisioning
C.Password vaulting
D.Role mining
AnswerB

JIT provisioning grants privileged access for a limited time and automatically revokes it.

Why this answer

Just-in-time (JIT) provisioning provides temporary elevated privileges that expire after use, reducing the attack surface.

957
MCQhard

During a security assessment, an analyst finds that multiple snapshots of a critical virtual machine are stored on the hypervisor host. Some snapshots are several months old. Which risk is MOST likely?

A.VM escape via snapshot file corruption
B.Unauthorized access to snapshot data
C.Reintroduction of unpatched vulnerabilities
D.Hypervisor memory exhaustion
AnswerC

Old snapshots lack security patches.

Why this answer

Snapshots may contain outdated, unpatched software, reintroducing vulnerabilities when reverted.

958
MCQmedium

Refer to the exhibit. A user at IP 10.0.0.1 reports that they cannot access a web server at 203.0.113.5 on port 443. What is the most likely cause?

A.The firewall only permits inbound traffic to specific IPs.
B.The firewall rule order is incorrect.
C.The firewall blocks all outbound traffic.
D.The firewall does not have a rule permitting outbound traffic.
AnswerD

Without an explicit permit for outbound traffic, the implicit deny blocks it.

Why this answer

Option D is correct because the user at 10.0.0.1 cannot reach 203.0.113.5:443, which indicates that outbound traffic to that destination is not permitted. Firewalls by default block all traffic unless explicitly allowed; if no rule permits outbound HTTPS (TCP/443) traffic, the connection will be dropped. The symptom (inability to access an external web server) points to a missing outbound rule, not an inbound rule issue.

Exam trap

The trap here is that candidates often focus on inbound rules when a user cannot reach an external server, forgetting that outbound traffic must also be explicitly permitted by the firewall's egress policy.

How to eliminate wrong answers

Option A is wrong because the problem is outbound from 10.0.0.1 to 203.0.113.5; inbound rules control traffic coming into the network, not traffic leaving it. Option B is wrong because rule order matters only when multiple rules conflict or overlap; here, there is no indication of any rule at all for outbound traffic, so order is irrelevant. Option C is wrong because if the firewall blocked all outbound traffic, no user could reach any external resource, but the question specifies only this user and this destination are affected, implying a selective block or missing rule.

959
MCQhard

A security administrator is configuring a firewall to allow outbound web traffic from internal users. The firewall must inspect the application layer data to block malicious URLs. Which type of firewall should be used?

A.Application proxy firewall
B.Stateless packet filter
C.Stateful firewall
D.Network Access Control (NAC) system
AnswerA

Application proxies terminate connections and inspect application layer traffic.

Why this answer

An application proxy firewall can examine application layer content, such as HTTP requests, to enforce URL filtering.

960
MCQmedium

A company has segmented its network into VLANs for different departments: HR, Finance, and IT. The router interconnecting the VLANs has ACLs configured to block traffic from HR to Finance. However, IT has noticed that traffic from HR VLAN is reaching the Finance VLAN. The network uses managed switches with 802.1Q trunking. All access ports are configured as untagged members of their respective VLANs. What is the most likely cause of this unauthorized traffic flow?

A.DHCP snooping disabled
B.VLAN hopping attack via double tagging
C.Default gateway misconfiguration
D.STP misconfiguration
AnswerB

Double tagging can allow an attacker to send frames to a VLAN other than the source VLAN, potentially bypassing ACLs.

Why this answer

The most likely cause is a VLAN hopping attack via double tagging. In this attack, an attacker on the HR VLAN sends a frame with two 802.1Q tags: the outer tag matches the native VLAN of the trunk (often VLAN 1), and the inner tag is the target VLAN (Finance). When the switch receives the frame on an access port, it strips the outer tag (as it is the native VLAN) and forwards the frame with the inner tag over the trunk, allowing the traffic to bypass the ACLs and reach the Finance VLAN.

Exam trap

ISC2 often tests the distinction between VLAN hopping via double tagging versus switch spoofing; the trap here is that candidates may confuse this with a simple ACL misconfiguration or assume the router is the only point of control, overlooking that the attack occurs at Layer 2 before the router even sees the traffic.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a security feature that prevents rogue DHCP servers and does not control inter-VLAN traffic flow or prevent VLAN hopping. Option C is wrong because a default gateway misconfiguration would cause traffic to be sent to the wrong router or not routed at all, but it would not allow traffic to bypass ACLs and reach a different VLAN; the router still enforces ACLs on routed traffic. Option D is wrong because STP misconfiguration can cause loops or broadcast storms but does not enable an attacker to inject frames into a different VLAN or bypass ACLs.

961
MCQmedium

A security team detects lateral movement within the network. Which containment strategy should be applied first to limit the spread of the threat?

A.Disable user accounts associated with compromised systems.
B.Isolate the affected systems by disconnecting them from the network.
C.Block the attacker's IP addresses at the perimeter firewall.
D.Reimage all compromised systems immediately.
AnswerB

Correct. Network isolation prevents the attacker from moving to other systems.

Why this answer

Isolating affected systems by disconnecting them from the network is the immediate priority because it physically or logically severs the attacker's ability to propagate laterally via SMB, RDP, or other network protocols. This containment step stops the spread without destroying forensic evidence, which would be lost if systems were reimaged or powered off prematurely.

Exam trap

Cisco often tests the misconception that blocking external IPs or disabling accounts is sufficient for containment, when in fact internal lateral movement requires immediate network-level isolation of the compromised host.

How to eliminate wrong answers

Option A is wrong because disabling user accounts does not stop an attacker who has already established remote access via a service account, kernel-level backdoor, or cached credentials; the compromised system remains on the network and can still be used for lateral movement. Option C is wrong because blocking IP addresses at the perimeter firewall is ineffective against internal lateral movement, which occurs on the LAN and does not traverse the perimeter; the attacker can also easily change IP addresses or use internal routing to bypass the block. Option D is wrong because reimaging destroys volatile evidence (e.g., memory dumps, active network connections) and takes too long, allowing the attacker to continue spreading while the system is being rebuilt; containment must precede eradication.

962
MCQhard

During a security audit, it is discovered that a developer has direct access to production databases. The policy requires that changes be reviewed and deployed by a separate team. Which control is being violated?

A.Need-to-know
B.Job rotation
C.Least privilege
D.Separation of duties
AnswerD

The developer should not have direct production access; changes should go through a separate deployment team.

Why this answer

The scenario describes a direct violation of separation of duties (SoD), a core access control principle that requires critical tasks to be divided among multiple individuals to prevent fraud or error. In this case, the developer both writes code and has direct access to production databases, bypassing the required review and deployment by a separate team. SoD ensures no single person has end-to-end control over a sensitive process, which is essential for maintaining integrity and accountability in production environments.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'separation of duties' because both limit access, but least privilege focuses on the amount of access while separation of duties focuses on the division of conflicting responsibilities.

How to eliminate wrong answers

Option A is wrong because need-to-know restricts access to only the information necessary for a user's job role, but the violation here is about the process of change management, not about the developer having access to specific data they don't need. Option B is wrong because job rotation is a control that periodically moves employees between roles to reduce risk of collusion or monotony, but the issue is not about rotating roles; it's about the developer performing both development and production deployment tasks. Option C is wrong because least privilege limits users to the minimum permissions required for their duties, but the developer may have exactly the permissions needed for their job; the violation is that they are performing two conflicting duties (development and production deployment) that should be separated.

963
MCQhard

During a security audit, a penetration tester successfully extracts the PMKID from a wireless beacon. What information can be derived from this attack?

A.The PMK (pairwise master key) directly
B.The ability to crack the passphrase offline
C.The encryption keys used in the session
D.The PSK (pre-shared key) directly
AnswerB

The PMKID can be used to verify passphrase guesses offline.

Why this answer

The PMKID attack allows offline brute-forcing of the WPA2-PSK passphrase by computing the PMKID locally and comparing it to the captured value.

964
MCQmedium

A security analyst notices a large number of failed login attempts from a single IP address targeting multiple user accounts within a short time frame. Which type of detection method in a SIEM would most effectively identify this pattern?

A.Signature-based detection
B.Heuristic detection
C.Anomaly-based detection
D.Rule-based detection
AnswerC

Anomaly-based detection identifies deviations from a baseline, such as unusual login failure rates.

Why this answer

Anomaly-based detection establishes a baseline of normal user behavior and flags deviations, such as a sudden spike in failed logins from a single IP across multiple accounts. This pattern—a brute-force attack—does not match a known signature, so anomaly detection is the most effective SIEM method for identifying it.

Exam trap

Cisco often tests the distinction between anomaly-based and rule-based detection, where candidates mistakenly choose rule-based because it can be configured with a threshold, but the question emphasizes 'most effectively identify this pattern'—anomaly detection adapts to baseline changes without manual rule tuning.

How to eliminate wrong answers

Option A is wrong because signature-based detection relies on predefined patterns (e.g., known malware hashes or attack strings) and cannot identify novel or pattern-based attacks like a brute-force login attempt unless a specific signature for that exact IP and time window exists. Option B is wrong because heuristic detection uses generalized rules or algorithms to infer malicious intent (e.g., scoring behaviors), but it is typically applied to file or process analysis, not to aggregate login patterns across multiple accounts from a single source. Option D is wrong because rule-based detection uses static, manually defined conditions (e.g., 'alert if >5 failures in 1 minute'), which can detect this pattern but lacks the adaptive baseline learning of anomaly detection; it is less effective at reducing false positives in dynamic environments.

965
MCQmedium

Refer to the exhibit. A security incident responder sees this alert in the SIEM. What should the responder do first?

A.Check if the source IP is a legitimate internal scanner.
B.Block the source IP at the firewall.
C.Update the firewall signature database.
D.Reboot the internal host 192.168.1.10.
AnswerA

Verifying the source prevents unnecessary action against authorized scanning.

Why this answer

The correct first step is to verify whether the source IP (10.0.0.5) is a legitimate internal scanner (e.g., authorized vulnerability scanner). Option A (blocking) might disrupt legitimate scanning. Option C (rebooting host) is premature.

Option D (updating signatures) does not address the immediate alert.

966
MCQhard

A company uses a SIEM to monitor security events. Recently, they are experiencing false positives from a new IDS rule. Which approach would best reduce false positives while maintaining detection?

A.Disable the rule.
B.Increase the log review frequency.
C.Whitelist false positive sources.
D.Adjust the rule threshold.
AnswerD

Fine-tuning the threshold balances false positive reduction with detection capability.

Why this answer

Adjusting the rule threshold (Option D) is the best approach because it fine-tunes the sensitivity of the IDS rule to reduce false positives without completely disabling detection. By raising the threshold (e.g., increasing the number of matching packets or the time window), the SIEM will only generate an alert when the rule's criteria are met more persistently, filtering out noise while still capturing genuine threats. This maintains the rule's detection capability for actual attacks that exceed the adjusted threshold.

Exam trap

The trap here is that candidates often choose to whitelist false positive sources (Option C) because it seems like a quick fix, but this approach can inadvertently suppress alerts for real attacks from those same sources, whereas threshold tuning preserves detection capability.

How to eliminate wrong answers

Option A is wrong because disabling the rule eliminates detection entirely, which could allow real attacks to go unnoticed and violates the principle of maintaining detection. Option B is wrong because increasing log review frequency does not reduce false positives; it only increases the volume of alerts to review, potentially overwhelming analysts and not addressing the root cause of the false positives. Option C is wrong because whitelisting false positive sources only suppresses alerts from those specific sources, which can mask legitimate attacks originating from the same sources and does not address the underlying rule sensitivity issue.

967
Multi-Selecthard

A security architect is designing an access control system for a healthcare application that requires fine-grained access decisions based on user role, location, time of day, and patient consent. Which TWO access control models are best suited for this requirement?

Select 2 answers
A.Role-Based Access Control (RBAC) with constraints
B.Discretionary Access Control (DAC)
C.Non-Discretionary Access Control
D.Mandatory Access Control (MAC)
E.Attribute-Based Access Control (ABAC)
AnswersA, E

RBAC can incorporate constraints like time and location via role activation conditions.

Why this answer

ABAC (Attribute-Based Access Control) is designed for fine-grained policies using multiple attributes. RBAC can also be extended with constraints (e.g., time-of-day, location) to achieve similar results, though ABAC is more flexible. MAC is too rigid, DAC is too coarse, and non-discretionary is a broad term.

968
MCQmedium

Which federated identity protocol uses XML-based assertions and provides single sign-on across different security domains?

A.Kerberos
B.OAuth 2.0
C.OpenID Connect
D.SAML
AnswerD

SAML is XML-based for federated SSO.

Why this answer

SAML uses XML assertions to exchange authentication and authorization data between an identity provider and a service provider.

969
MCQeasy

A critical vulnerability is discovered in an application currently in use. What should be done first?

A.Notify users to stop using the application
B.Disable the application until patch is ready
C.Deploy the patch immediately to all systems
D.Test the patch in a non-production environment
AnswerD

Testing verifies patch stability before production rollout.

Why this answer

Testing the patch in a non-production environment ensures it does not break functionality before deployment. Immediate deployment risks downtime. Disabling the application or notifying users are reactive steps, not the first.

970
MCQhard

During incident analysis, a forensic examiner finds that the system logs were cleared using a command that writes null bytes. Which artifact is most likely preserved?

A.Event logs from other systems
B.Prefetch files
C.Registry keys
D.Volume shadow copies
AnswerD

Volume Shadow Copies can provide historical snapshots that may contain the original log data.

Why this answer

Volume shadow copies (VSS) are snapshots of the file system at a point in time, stored separately from the active logs. Even if an attacker clears logs by writing null bytes (e.g., using `fsutil` or `wevtutil cl`), VSS may retain a previous version of the logs, making them a critical artifact for forensic recovery.

Exam trap

ISC2 often tests the misconception that cleared logs are permanently lost, but VSS provides a forensic backup that persists independently of active log deletion.

How to eliminate wrong answers

Option A is wrong because event logs from other systems are not directly preserved on the compromised system; they reside on separate hosts and are not affected by local log-clearing commands. Option B is wrong because Prefetch files track application execution, not system event logs, and are not a direct source of cleared log data. Option C is wrong because registry keys store configuration and system state, but they do not contain the actual event log entries that were cleared.

971
MCQhard

During an application security review, a penetration tester discovers that a web application allows users to view other users' profiles by changing an ID parameter in the URL (e.g., /profile?id=123). Which OWASP Top 10 vulnerability does this represent?

A.Broken Authentication
B.Security Misconfiguration
C.Insecure Direct Object References (IDOR)
D.Injection
AnswerC

IDOR allows unauthorized access by manipulating object IDs.

Why this answer

Insecure Direct Object References (IDOR) occur when an application exposes internal object references without proper access control checks. Injection involves sending malicious data. Broken Authentication relates to authentication flaws.

Security Misconfiguration involves improper setup.

972
Multi-Selecteasy

A security manager is evaluating log sources for a SIEM implementation. Which THREE of the following are considered log types that should be included?

Select 3 answers
A.Security logs
B.System logs
C.Network logs
D.Physical access logs
E.Application logs
AnswersA, B, E

Log security events like logins.

Why this answer

Security logs (A) are correct because they record authentication events, privilege use, and policy violations, which are essential for detecting unauthorized access and compliance auditing in a SIEM. These logs typically come from operating systems, firewalls, and IDS/IPS, providing critical data for incident detection and forensic analysis.

Exam trap

The trap here is that candidates may think 'network logs' are a standard log type, but the SSCP exam expects you to recognize that network logs are a subset of security or system logs, not a separate primary log type, and that physical access logs are not part of the core IT log sources for a SIEM.

973
MCQeasy

An organization wants to perform a risk analysis for a new cloud application. Which quantitative metric is most commonly used to calculate risk?

A.Control effectiveness.
B.Threat likelihood.
C.Residual risk.
D.Annualized Loss Expectancy (ALE).
AnswerD

ALE provides a monetary value for risk, enabling comparison and prioritization.

Why this answer

Annualized Loss Expectancy (ALE) is the most commonly used quantitative metric for calculating risk because it combines the expected financial loss from a single event (Single Loss Expectancy) with the annual frequency of that event (Annualized Rate of Occurrence). This produces a dollar-value risk figure that organizations can directly compare against security control costs and budget decisions for a cloud application.

Exam trap

The trap here is that candidates confuse 'threat likelihood' (a qualitative input) with the complete quantitative risk metric, failing to recognize that ALE incorporates both likelihood and impact into a single financial figure.

How to eliminate wrong answers

Option A is wrong because control effectiveness is a qualitative or semi-quantitative measure of how well a safeguard reduces risk, not a direct quantitative risk metric. Option B is wrong because threat likelihood is only one component of risk calculation (used in ARO), not a complete risk metric itself. Option C is wrong because residual risk is the risk remaining after controls are applied, which is an output of risk analysis, not the primary quantitative metric used to calculate initial risk.

974
MCQeasy

Which of the following network protocols operates on TCP port 22 and provides secure remote administration of network devices?

A.SSH
B.Telnet
C.RDP
D.FTP
AnswerA

SSH provides secure, encrypted remote access.

Why this answer

SSH (Secure Shell) uses TCP port 22 for encrypted remote administration, replacing insecure Telnet.

975
Multi-Selecthard

A security analyst is reviewing OWASP Top 10 vulnerabilities in a web application. Which TWO are injection-related attacks? (Select TWO.)

Select 2 answers
A.Security Misconfiguration
B.Cross-Site Scripting (XSS)
C.Cross-Site Request Forgery (CSRF)
D.Insecure Direct Object References (IDOR)
E.SQL injection
AnswersB, E

XSS injects malicious scripts into web pages.

Why this answer

SQL injection is a classic injection; Cross-Site Scripting (XSS) is also a form of injection (script injection).

Page 12

Page 13 of 14

Page 14