Systems Security Certified Practitioner SSCP (SSCP) — Questions 976–991

991 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976
MCQ · hard

Refer to the exhibit. A firewall log shows repeated outbound connection attempts from an internal workstation (192.168.1.50) to an external IP (203.0.113.50) on TCP port 445. What is the most likely cause?

A. A worm or malware exploiting SMB
B. A misconfigured DNS client
C. A user browsing the web
D. A legitimate file share connection
Answer: A

Outbound SMB traffic to external IP suggests propagation.

Why this answer

Port 445 is SMB. Outbound SMB attempts often indicate a worm or malware trying to propagate. Web browsing uses 80/443. File sharing is typically internal. DNS uses 53.

977
MCQ · hard

A healthcare organization must comply with HIPAA and requires that access to electronic protected health information (ePHI) be logged and audited. They consider using an identity management system that supports single sign-on (SSO). What is the PRIMARY security concern with SSO in this environment?

A. Single credential compromise leads to broad access
B. Increased complexity of password policies
C. Lack of detailed audit logs for each application
D. User inconvenience due to multiple logins
Answer: A

SSO means one password grants access to all systems.

Why this answer

In a healthcare environment subject to HIPAA, the primary security concern with SSO is that a single compromised credential (e.g., a password or smart card PIN) grants an attacker immediate access to all applications and ePHI systems that the user is authorized to use. This creates a single point of failure, dramatically increasing the blast radius of a credential theft incident. Unlike separate per-application credentials, SSO eliminates the need for repeated authentication, so an attacker who obtains the SSO token or password can move laterally across the entire application portfolio without additional authentication barriers.

Exam trap

ISC2 often tests the misconception that SSO inherently reduces audit capabilities, when in fact the primary risk is the amplified impact of a single credential compromise — candidates may incorrectly choose 'lack of detailed audit logs' because they assume SSO bypasses application-level logging, but proper SSO implementations log at the IdP and can integrate with SIEM systems.

How to eliminate wrong answers

Option B is wrong because SSO typically reduces the number of passwords a user must remember, which can simplify password policies rather than increase their complexity; the real concern is not policy complexity but the amplified risk from a single credential compromise. Option C is wrong because modern SSO systems (e.g., SAML 2.0, OAuth 2.0, OpenID Connect) can and do generate detailed audit logs at the identity provider (IdP) level, often including timestamp, user ID, application accessed, and session duration — the lack of logs is not an inherent SSO limitation. Option D is wrong because SSO is designed to eliminate multiple logins, providing user convenience; the question asks for the primary security concern, not a usability issue.

978
MCQ · easy

During a quantitative risk analysis, the asset value is $500,000, the exposure factor is 40%, and the annual rate of occurrence is 0.5. What is the annualized loss expectancy (ALE)?

A. $200,000
B. $500,000
C. $100,000
D. $250,000
Answer: C

Correctly calculated as AV * EF * ARO.

Why this answer

The annualized loss expectancy (ALE) is calculated as single loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO). SLE is asset value ($500,000) times exposure factor (40%) = $200,000. ALE = $200,000 × 0.5 = $100,000.

This is the standard quantitative risk analysis formula per NIST SP 800-30.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who compute the SLE ($200,000) and stop there, forgetting to multiply by the ARO (0.5) to get the annualized value.

How to eliminate wrong answers

Option A is wrong because $200,000 is the single loss expectancy (SLE), not the annualized loss expectancy (ALE); it fails to multiply by the annual rate of occurrence (0.5). Option B is wrong because $500,000 is the full asset value, ignoring both the exposure factor (40%) and the annual rate of occurrence (0.5). Option D is wrong because $250,000 would result from multiplying the asset value by the annual rate of occurrence (0.5) but ignoring the exposure factor (40%), or from incorrectly halving the SLE instead of multiplying by 0.5.

979
MCQ · hard

Your organization has a mixed environment of Windows and Linux servers. You receive an alert from the EDR that a Linux server is beaconing to a suspicious IP. The server runs a critical application that cannot be taken offline. The security team needs to investigate while maintaining availability. You have access to a jump box with network monitoring tools. Which course of action is most appropriate?

A. Immediately disconnect the server from the network to stop beaconing
B. Block the suspicious IP at the firewall and continue monitoring
C. Use packet capture on the server's network segment to analyze traffic, then use EDR to isolate the process
D. Reimage the server from a known good backup
Answer: C

This allows investigation and containment without taking the server offline.

Why this answer

Option C is correct because it allows the security team to investigate the beaconing activity without disrupting the critical application's availability. Using packet capture on the server's network segment enables analysis of the outbound traffic to the suspicious IP, while EDR can isolate the specific malicious process without taking the entire server offline. This approach balances the need for containment with the requirement to maintain service continuity.

Exam trap

The trap here is that candidates may choose immediate disconnection (Option A) as a reflexive containment action, failing to recognize that the question explicitly requires maintaining availability for a critical application that cannot be taken offline.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network would cause a denial of service to the critical application, violating the requirement to maintain availability. Option B is wrong because blocking the suspicious IP at the firewall only addresses the network-level symptom; it does not identify or contain the underlying malicious process on the server, which could continue to beacon to other IPs or perform other harmful actions. Option D is wrong because reimaging the server from a known good backup is a drastic, disruptive step that would take the server offline and destroy potential forensic evidence, contradicting the need to investigate while maintaining availability.

980
Multi-Select · hard

During a ransomware incident, the incident response team needs to recover encrypted servers. Which THREE steps are essential for successful recovery? (Select THREE)

Select 3 answers
A. Restore data from the most recent clean backup
B. Pay the ransom to obtain the decryption key
C. Patch the vulnerability that allowed the ransomware to enter
D. Delete all user accounts and recreate them
E. Scan restored systems to ensure eradication of malware
Answers: A, C, E

Correct. Provides a known-good state.

Why this answer

Option A is correct because restoring from the most recent clean backup is the primary recovery method for ransomware incidents. It ensures that encrypted data can be recovered without paying the ransom, provided the backup was taken before the infection and is stored offline or immutable to prevent encryption. This aligns with the 3-2-1 backup strategy (three copies, two media types, one offsite) and is a core step in the NIST SP 800-61 incident response process.

Exam trap

Cisco often tests the misconception that paying the ransom is a valid recovery step, but the SSCP exam emphasizes that payment should never be recommended due to lack of guarantee and ethical concerns.

981
MCQ · easy

A system administrator needs to implement a control that ensures users can only access files necessary for their job functions. Which principle is being applied?

A. Need-to-know
B. Separation of duties
C. Job rotation
D. Least privilege
Answer: D

Least privilege ensures users have only the permissions necessary to perform their job.

Why this answer

The principle of least privilege ensures that users are granted only the permissions necessary to perform their job functions, minimizing the attack surface and potential damage from accidental or malicious actions. In this scenario, restricting file access to only what is needed for job duties directly implements least privilege, as it limits access rights to the minimum required. This is distinct from need-to-know, which focuses on information disclosure rather than access permissions.

Exam trap

The trap here is that candidates often confuse 'need-to-know' with 'least privilege' because both involve limiting access, but need-to-know is specifically about information confidentiality (e.g., classified data), while least privilege is a broader principle covering all access rights and permissions.

How to eliminate wrong answers

Option A is wrong because need-to-know is a subset of least privilege that specifically controls access to sensitive information based on a user's requirement to know that information to perform their duties, but the question broadly addresses file access necessary for job functions, which is the core of least privilege. Option B is wrong because separation of duties divides critical tasks among multiple users to prevent fraud or error, not to limit individual file access to job-necessary files. Option C is wrong because job rotation is a security practice that moves users between roles to reduce monotony and detect irregularities, not a principle for restricting file access based on job functions.

982
MCQ · hard

A financial firm has deployed network-based IDS/IPS sensors at key points to detect and prevent intrusions. During a recent security audit, it was discovered that an attacker exfiltrated sensitive data using DNS over HTTPS (DoH) queries. The IDS/IPS did not generate any alerts. The firm's network policy allows all outbound HTTPS traffic to any destination. To prevent such exfiltration in the future, what is the most effective corrective action?

A. Deploy TLS termination at the network perimeter
B. Enable deep packet inspection on all encrypted traffic
C. Implement a DNS sinkhole and block non-corporate DNS servers
D. Configure the IDS/IPS to inspect DNS traffic on standard port 53 only
Answer: A

Terminating TLS allows the IDS/IPS to inspect decrypted traffic, including DoH, before re-encrypting it for transit.

Why this answer

Deploying TLS termination at the network perimeter allows the organization to decrypt inbound and outbound HTTPS traffic, inspect the plaintext content, and re-encrypt it before forwarding. This enables the IDS/IPS to detect malicious payloads, such as DNS over HTTPS (DoH) queries, that would otherwise be hidden inside encrypted tunnels. Since the firm's policy allows all outbound HTTPS, TLS termination is the most effective way to regain visibility into that traffic without blocking it outright.

Exam trap

The trap here is that candidates often assume deep packet inspection (DPI) can magically inspect encrypted traffic, but DPI requires decryption first, which is exactly what TLS termination provides.

How to eliminate wrong answers

Option B is wrong because enabling deep packet inspection on all encrypted traffic is not possible without first decrypting that traffic; DPI cannot inspect encrypted payloads unless TLS termination or similar decryption is performed. Option C is wrong because a DNS sinkhole and blocking non-corporate DNS servers only affect traditional DNS (port 53/UDP), but DoH operates over HTTPS (port 443) and bypasses standard DNS controls entirely. Option D is wrong because configuring the IDS/IPS to inspect DNS traffic on standard port 53 only will miss DoH traffic, which uses port 443 and is encrypted, so no alerts would be generated.

983
MCQ · medium

A security team is collecting evidence from a compromised server. They need to create a forensic image. Which of the following is the CORRECT procedure to ensure data integrity?

A. Use a write blocker to create a bit-for-bit copy, then compute MD5 hash of the original and the copy to verify they match
B. Take a photo of the screen and document file timestamps manually
C. Create a compressed image file using software without a write blocker
D. Boot the system and run a backup utility to copy files to an external drive
Answer: A

Correct. This preserves integrity and verifies that the copy is exact.

Why this answer

Option A is correct because forensic imaging requires a write blocker to prevent any modification to the original evidence, and a bit-for-bit copy preserves all data, including slack space and deleted files. Computing an MD5 hash of both the original and the copy verifies integrity by ensuring the hashes match, confirming no data alteration occurred during acquisition.

Exam trap

The trap here is that candidates may think a simple backup or file copy is sufficient for forensic evidence, but the SSCP exam emphasizes that only a write-blocked bit-for-bit copy with hash verification ensures data integrity and admissibility.

How to eliminate wrong answers

Option B is wrong because taking a photo and manually documenting timestamps does not create a forensic image; it only captures superficial information and fails to preserve the full data for analysis. Option C is wrong because creating a compressed image without a write blocker risks altering the original drive's data due to write operations, compromising evidence integrity. Option D is wrong because booting the system and running a backup utility modifies the system state (e.g., writes to swap, logs, or file access times) and does not produce a bit-for-bit copy, violating forensic best practices.

984
MCQ · medium

An application security team is reviewing code for vulnerabilities. They find that user input is directly concatenated into an SQL query without sanitization. This is an example of which OWASP Top 10 vulnerability?

A. Injection
B. Cross-Site Scripting (XSS)
C. Security Misconfiguration
D. Broken Access Control
Answer: A

SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query.

Why this answer

Concatenating user input into SQL queries allows injection attacks. Injection is a top vulnerability.

985
MCQ · easy

A security analyst notices an increase in failed login attempts from a single IP address. What is the best immediate action?

A. Run an antivirus scan.
B. Disable the user accounts.
C. Block the IP at the firewall.
D. Check the SIEM for correlated events.
Answer: D

The SIEM can correlate multiple events to determine if the IP is part of a larger attack or a false positive.

Why this answer

Checking the SIEM for correlated events (Option D) is the best immediate action because it allows the analyst to gather context around the failed login attempts—such as whether they target multiple accounts, originate from a known malicious IP, or coincide with other suspicious activity—before taking a potentially disruptive or irreversible step. This aligns with the incident response principle of 'verify before you act,' ensuring the response is proportional and informed by correlated data from multiple sources.

Exam trap

The trap here is that candidates often choose 'Block the IP at the firewall' (Option C) as the fastest immediate action, but the SSCP exam emphasizes that the first step in incident response is to gather and correlate evidence to confirm the threat before taking potentially disruptive actions.

How to eliminate wrong answers

Option A is wrong because running an antivirus scan addresses malware on endpoints, but failed login attempts from a single IP are a network-level authentication anomaly, not a sign of local infection. Option B is wrong because disabling user accounts is premature and disruptive; the failed attempts may target non-existent accounts or be a brute-force attack against a single service, and disabling accounts without investigation could lock out legitimate users. Option C is wrong because blocking the IP at the firewall is a reactive measure that could block a legitimate user (e.g., a misconfigured proxy or NAT) and does not provide the forensic context needed to understand the attack pattern or verify the threat.

986
MCQ · hard

A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

A. Brute force attack against RDP service
B. Port scan of the internal network
C. Data exfiltration to an external server
D. Normal administrative remote access
Answer: A

Repeated connections to RDP port suggest password guessing.

Why this answer

The firewall log shows repeated failed RDP (TCP/3389) connection attempts from a single external IP to a single internal IP within a short time window. This pattern of multiple authentication failures against the same service is characteristic of a brute force attack, where an attacker systematically tries common passwords to gain unauthorized access to the RDP service.

Exam trap

ISC2 often tests the distinction between a brute force attack (repeated attempts to the same service) and a port scan (attempts to multiple services), so candidates mistakenly choose 'port scan' when they see many entries, even though all entries target the same port.

How to eliminate wrong answers

Option B is wrong because a port scan would show connection attempts to multiple different ports (e.g., 22, 80, 443, 3389) across one or more target IPs, not repeated attempts to a single port (3389) on a single IP. Option C is wrong because data exfiltration typically involves outbound data transfers to an external server, often using protocols like HTTP/S, FTP, or DNS tunneling, not repeated failed inbound authentication attempts. Option D is wrong because normal administrative remote access would show successful RDP logins (e.g., TCP SYN-ACK followed by session establishment), not a high volume of failed authentication events.

987
MCQ · medium

A company is deploying virtual machines (VMs) in a private cloud environment. To prevent VM escape attacks, which of the following is the most critical security control?

A. Using a separate management network for the hypervisor
B. Regularly patching the hypervisor software
C. Disabling unnecessary VM guest tools
D. Implementing a host-based firewall on each VM
Answer: B

Hypervisor vulnerabilities are a common vector for VM escape; patching reduces this risk significantly.

Why this answer

VM escape attacks exploit vulnerabilities in the hypervisor to break out of a VM. Keeping the hypervisor patched is the primary defense against known vulnerabilities.

988
MCQ · medium

A security analyst is reviewing an OWASP Top 10 vulnerability report. Which vulnerability involves an attacker accessing unauthorized data by modifying URLs or API parameters?

A. Insecure Direct Object References (IDOR)
B. Cross-Site Scripting (XSS)
C. Injection
D. Security Misconfiguration
Answer: A

IDOR allows unauthorized access by manipulating object references.

Why this answer

Insecure Direct Object References (IDOR) occur when an application exposes internal object references without proper authorization checks, allowing attackers to manipulate parameters to access other objects.

989
MCQ · medium

A company is concerned about VM sprawl in its data center. Which of the following is the most effective mitigation strategy?

A. Enable host-based firewalls on each VM
B. Implement a CMDB with lifecycle management policies
C. Apply patches to the hypervisor regularly
D. Use a centralized snapshot management system
Answer: B

CMDB tracks VM inventory and enforces lifecycle processes.

Why this answer

VM sprawl refers to unmanaged VMs accumulating. A Configuration Management Database (CMDB) with lifecycle management tracks VMs from creation to decommission. Hypervisor patching prevents escapes. Snapshots are for recovery. Host-based firewalls protect individual VMs but do not manage sprawl.

990
Multi-Select · medium

A security analyst is reviewing logs for signs of data exfiltration. Which TWO log sources would provide the most relevant evidence? (Choose TWO.)

Select 2 answers
A. Application logs
B. File server audit logs
C. System logs
D. Firewall logs
E. DNS logs
Answers: B, D

File server audit logs track file access, copies, and movements, which are key for detecting exfiltration.

Why this answer

File server audit logs track access to files, including reads, copies, and modifications, which directly indicate data exfiltration attempts. Firewall logs record outbound connections, destination IPs, and data volumes, revealing unauthorized data transfers to external hosts. Together, they provide both the source and destination evidence needed to confirm exfiltration.

Exam trap

Cisco often tests the misconception that DNS logs alone can detect exfiltration, but DNS queries only show domain lookups, not the actual data transfer, and attackers can use DNS tunneling to hide data in queries, making firewall logs essential for spotting anomalous outbound traffic patterns.

991
MCQ · easy

A security analyst is recommending a symmetric encryption algorithm for a new application that requires both confidentiality and authentication. Which algorithm and mode combination should they select?

A. 3DES-CBC
B. AES-ECB
C. RC4
D. AES-GCM
Answer: D

GCM mode combines encryption and authentication, making it ideal for this requirement.

Why this answer

AES-GCM (Galois/Counter Mode) is a symmetric encryption algorithm that provides both confidentiality and authentication in a single, efficient operation. It combines AES encryption in counter mode with a Galois field-based message authentication code (GMAC), making it ideal for applications requiring both security properties.

Exam trap

The trap here is that candidates often confuse CBC mode with providing authentication (since it uses an IV), but CBC only offers confidentiality; GCM is the correct choice for combined confidentiality and authentication in symmetric encryption.

How to eliminate wrong answers

Option A is wrong because 3DES-CBC provides only confidentiality, not authentication; CBC mode requires a separate MAC (e.g., HMAC) to ensure integrity and authenticity, and 3DES is deprecated due to its 64-bit block size and slow performance. Option B is wrong because AES-ECB is deterministic and does not provide authentication; it encrypts identical plaintext blocks into identical ciphertext blocks, leaking patterns and lacking any integrity check. Option C is wrong because RC4 is a stream cipher that provides only confidentiality, not authentication, and is considered broken due to biases in its output (e.g., RC4 biases in TLS), making it unsuitable for secure applications.


Systems Security Certified Practitioner SSCP SSCP Questions 976–991 | Page 14/14 | Courseiva