Systems Security Certified Practitioner (SSCP) — Questions 76–150

504 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
MCQ · medium

A government contractor is required to comply with the Federal Information Security Management Act (FISMA). The security officer must implement a continuous monitoring program for all information systems. The contractor uses a mix of on-premises servers and cloud services. The contractor has a SIEM tool that collects logs from all systems. However, the SIEM generates a high number of alerts, many of which are false positives, overwhelming the security team. The team wants to improve the effectiveness of the monitoring program without increasing staff. Which of the following actions would MOST effectively address the issue?

A. Disable alerts for low-severity events
B. Hire additional security analysts to review all alerts
C. Increase the frequency of log collection to every minute
D. Tune the SIEM correlation rules and create custom filters to reduce false positive alerts
Answer: D

This directly reduces alert fatigue and improves efficiency.

Why this answer

Tuning the SIEM correlation rules to reduce false positives will make alerts more actionable and allow the team to focus on real incidents. Option C (collecting logs every minute) increases noise; B (hiring more analysts) is expensive and time-consuming; A (disabling low-severity alerts) reduces visibility.

77
Multi-Select · medium

A security administrator is implementing a change management process. Which TWO of the following are essential components of a change management policy? (Choose two.)

Select 2 answers
A. Vulnerability scanning results
B. A rollback plan
C. Emergency change procedures
D. Automated patch deployment schedule
E. Approval from the change advisory board (CAB)
Answers: B, E

A rollback plan ensures changes can be reversed if needed.

Why this answer

Options B and E are correct because a rollback plan provides a safety net and CAB approval ensures proper review. Option C is not essential for all changes; emergency change procedures are a subset of the wider process. Option D is a specific implementation, not a policy component.

Option A is part of vulnerability management, not change management.

78
MCQ · easy

A remote employee needs secure access to corporate resources over the internet. Which protocol is considered best practice for site-to-site VPN?

A. IPsec with IKEv2
B. PPTP (Point-to-Point Tunneling Protocol)
C. SSL VPN (Secure Sockets Layer VPN)
D. L2TP (Layer 2 Tunneling Protocol) without IPsec
Answer: A

IPsec/IKEv2 is a secure standard for site-to-site VPNs.

Why this answer

IPsec with IKEv2 (Internet Key Exchange version 2) is the best practice for site-to-site VPNs because it provides strong authentication, encryption, and integrity checking for all traffic between two fixed endpoints. IKEv2 offers built-in mobility, faster rekeying, and resistance to Denial-of-Service attacks compared to IKEv1, making it the recommended choice for secure, persistent site-to-site connections over the internet.

Exam trap

The trap here is that candidates often confuse SSL VPN (which is for remote access) with site-to-site VPN requirements, or they mistakenly think L2TP alone provides security, when in fact L2TP must be paired with IPsec to be secure.

How to eliminate wrong answers

Option B (PPTP) is wrong because it uses MPPE encryption which is based on RC4, a stream cipher that is cryptographically broken and susceptible to dictionary attacks; PPTP also lacks strong authentication and integrity verification. Option C (SSL VPN) is wrong because it is designed for client-to-site (remote access) VPNs, not for site-to-site VPNs; SSL VPNs operate at the application layer and are not optimized for routing entire network segments between two sites. Option D (L2TP without IPsec) is wrong because L2TP provides only tunneling and no encryption or authentication by itself, leaving all traffic transmitted in cleartext and vulnerable to interception.

79
MCQ · easy

A security policy requires that all access to sensitive data be logged. Which access control function does this support?

A. Authentication
B. Authorization
C. Accounting
D. Provisioning
Answer: C

Accounting tracks and logs user actions for auditing.

Why this answer

The requirement to log all access to sensitive data directly supports the Accounting (auditing) function of access controls. Accounting tracks user activities and resource usage, providing an audit trail that can be reviewed for compliance, security incidents, and policy enforcement. This is distinct from Authentication (verifying identity) and Authorization (granting permissions), which do not inherently produce logs of access events.

Exam trap

The trap here is that candidates confuse Authorization (which controls access) with Accounting (which records access), mistakenly thinking that setting permissions automatically logs access, when in fact logging requires a separate audit configuration.

How to eliminate wrong answers

Option A is wrong because Authentication is the process of verifying a user's identity (e.g., via passwords, biometrics, or certificates) and does not inherently generate logs of access to sensitive data; logging is an Accounting function. Option B is wrong because Authorization determines what an authenticated user is allowed to do (e.g., via ACLs or RBAC) but does not itself record access events; that recording is the role of Accounting. Option D is wrong because Provisioning refers to the creation, modification, or removal of user accounts and access rights (e.g., via identity management systems) and does not include logging of access to data.

80
Multi-Select · medium

Which TWO of the following cryptographic algorithms are considered secure for modern use?

Select 2 answers
A. MD5 (Message Digest 5)
B. ChaCha20
C. AES-256 (Advanced Encryption Standard with 256-bit key)
D. RC4 (Rivest Cipher 4)
E. DES (Data Encryption Standard)
Answers: B, C

ChaCha20 is a secure stream cipher, commonly used in TLS.

Why this answer

AES-256 (option C) is a symmetric block cipher with a 256-bit key and is considered secure. ChaCha20 (option B) is a stream cipher that is also considered secure. DES, RC4, and MD5 are broken or deprecated.

81
MCQ · medium

Based on the exhibit, which type of attack is most likely occurring?

A. Brute force attack
B. Man-in-the-middle attack
C. Denial of service attack
D. Social engineering attack
Answer: A

Repeated failed password attempts from the same IP are classic brute force.

Why this answer

A brute force attack is most likely occurring because the exhibit shows repeated login attempts with different passwords for the same username, which is the hallmark of an automated password guessing attack. The rapid succession of failed authentication events indicates a systematic trial of credentials, not a single intercepted session or resource exhaustion.

Exam trap

The trap here is that candidates may confuse a brute force attack with a denial of service attack because both can generate high volumes of traffic, but the key differentiator is the repeated authentication failure pattern versus resource exhaustion.

How to eliminate wrong answers

Option B is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, which would show evidence of ARP spoofing, SSL stripping, or session hijacking, not repeated login attempts. Option C is wrong because a denial of service attack aims to overwhelm a system with traffic or requests to cause resource exhaustion, not to guess passwords through multiple authentication failures. Option D is wrong because social engineering attacks rely on manipulating human behavior through deception or impersonation, not on automated password guessing against a system.
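The two monitoring questions above (question 76 on SIEM tuning and question 81 on recognising brute force) describe the same detection in words. The following added example, written for this page and not taken from the question bank, runs a threshold-and-window correlation over a constructed sshd-style auth log, and shows how two common tuning steps (a per-source threshold inside a time window, and an allowlist for an authorised vulnerability scanner) cut the alert count without losing the real brute-force source. The log lines, IP addresses, usernames and the assumed year are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[2001]: Failed password for admin from 203.0.113.5 port 51000 ssh2
Mar 10 08:00:02 host1 sshd[2002]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Mar 10 08:00:03 host1 sshd[2003]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Mar 10 08:00:04 host1 sshd[2004]: Failed password for admin from 203.0.113.5 port 51003 ssh2
Mar 10 08:00:05 host1 sshd[2005]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Mar 10 08:00:06 host1 sshd[2006]: Failed password for admin from 203.0.113.5 port 51005 ssh2
Mar 10 08:05:00 host1 sshd[2010]: Failed password for alice from 192.0.2.20 port 40000 ssh2
Mar 10 08:05:09 host1 sshd[2011]: Accepted password for alice from 192.0.2.20 port 40001 ssh2
Mar 10 08:10:00 host1 sshd[2020]: Failed password for svc-scan from 198.51.100.9 port 33000 ssh2
Mar 10 08:10:01 host1 sshd[2021]: Failed password for svc-scan from 198.51.100.9 port 33001 ssh2
Mar 10 08:10:02 host1 sshd[2022]: Failed password for svc-scan from 198.51.100.9 port 33002 ssh2
Mar 10 08:10:03 host1 sshd[2023]: Failed password for svc-scan from 198.51.100.9 port 33003 ssh2
Mar 10 08:10:04 host1 sshd[2024]: Failed password for svc-scan from 198.51.100.9 port 33004 ssh2
"""

# Matches only failed password events; the "invalid user" variant is accepted too.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, src) per failed login. Syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                      allowlist=frozenset()):
    """Return one alert per (src, user) whose failures reach `threshold` inside `window`.

    Tuning knobs: raising `threshold` and shrinking `window` suppress one-off typos;
    `allowlist` drops sources known to generate benign failures (e.g. an authorised
    scanner). Each (src, user) pair alerts at most once, not once per event.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps inside the window
    alerted = []
    for ts, user, src in sorted(parse_failures(log_text)):
        if src in allowlist:
            continue
        key = (src, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.append(key)
    return alerted


if __name__ == "__main__":
    print("untuned (alert on every failure):", detect_bruteforce(SAMPLE_LOG, threshold=1))
    print("tuned (5 in 60 s):", detect_bruteforce(SAMPLE_LOG))
    print("tuned + scanner allowlist:",
          detect_bruteforce(SAMPLE_LOG, allowlist=frozenset({"198.51.100.9"})))
```

The untuned run raises an alert for every source that ever failed once, including a user who simply mistyped a password; the threshold removes that, and the allowlist removes the known scanner, leaving only the source that tried one account six times in six seconds. In a real SIEM the same three controls appear as correlation rule thresholds, time windows and suppression filters.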

82
MCQ · hard

Based on the exhibit, what is the most critical observation?

A. A root user is opening RDP to the world.
B. A user is modifying a security group.
C. The event is from EC2 service.
D. The source IP is internal.
Answer: A

Root access combined with an open RDP rule to 0.0.0.0/0 poses a severe security risk.

Why this answer

The most critical observation is that a root user is opening RDP (TCP/3389) to the world (0.0.0.0/0). This creates an extreme security risk because it exposes the administrative interface to the entire internet, allowing any attacker to attempt brute-force or exploit RDP vulnerabilities. In AWS CloudTrail, this event indicates a direct violation of the principle of least privilege and is a common vector for compromise.

Exam trap

The trap here is that candidates focus on the user or service name (e.g., 'root user' or 'EC2') rather than the actual security impact of opening RDP to the world, which is the most critical observation in this scenario.

How to eliminate wrong answers

Option B is wrong because modifying a security group is a normal administrative action and not inherently critical; the risk depends on what is being modified (e.g., opening RDP to the world). Option C is wrong because the event originating from the EC2 service is irrelevant; the criticality is determined by the action (root user opening RDP to the world), not the source service. Option D is wrong because the source IP being internal is not the critical observation; the critical issue is the destination (0.0.0.0/0) and the user (root), not the source address.

83
MCQ · medium

An administrator configures a Kerberos authentication system. After implementation, users are able to authenticate but cannot access network resources. The administrator verifies that the client time is synchronized with the KDC. What is the most likely cause?

A. The service principal name (SPN) is not registered
B. The user's password is expired
C. The firewall blocks port 88
D. The TGT lifetime has expired
Answer: A

Without a proper SPN, the KDC cannot issue a service ticket.

Why this answer

The most likely cause is that the service principal name (SPN) is not registered. In Kerberos, the SPN uniquely identifies a network service instance and is required for the KDC to issue a service ticket. Even though users can authenticate (obtain a TGT), without a properly registered SPN, the KDC cannot grant a ticket for the target service, preventing access to network resources.

Exam trap

ISC2 often tests the distinction between authentication (TGT acquisition) and authorization (service ticket issuance), leading candidates to incorrectly focus on firewall rules or password expiration instead of the missing SPN.

How to eliminate wrong answers

Option B is wrong because an expired user password would prevent initial authentication (TGT acquisition), but the scenario states users can authenticate. Option C is wrong because port 88 is used for Kerberos authentication traffic; if it were blocked, users would not be able to authenticate at all. Option D is wrong because an expired TGT lifetime would prevent access only after the TGT expires, but users are currently able to authenticate and the issue is immediate access to network resources.

84
MCQ · medium

A company deploys a new web application and wants to ensure that session tokens are not vulnerable to session hijacking. Which of the following controls is most effective?

A. Bind the session token to the user's IP address.
B. Set a short session timeout (e.g., 5 minutes).
C. Encrypt the session token using AES.
D. Regenerate the session ID after every request.
E. Set the Secure and HttpOnly flags on session cookies.
Answer: E

Secure flag forces HTTPS; HttpOnly prevents script access, mitigating XSS-based theft.

Why this answer

Option E is correct because setting the Secure and HttpOnly flags ensures cookies are only sent over HTTPS and are not accessible via JavaScript, preventing interception and XSS-based theft. Option C (encrypting the token) is redundant if HTTPS is used; B (a short timeout) helps but is not the primary control; A (IP binding) can cause issues for legitimate users whose address changes; D (regenerating the session ID) is good practice after login, but not the most effective control overall.
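To make the cookie attributes concrete, here is an added example (not part of the question bank) using Python's standard-library `http.cookies` to emit a session cookie with the Secure, HttpOnly and SameSite attributes, alongside a small audit function that flags a `Set-Cookie` value missing them. The cookie name `sid`, the lifetime and the session-ID length are assumptions chosen for the example.

```python
import secrets
from http.cookies import SimpleCookie

REQUIRED_FLAGS = ("secure", "httponly")   # the two attributes the question asks about


def new_session_id():
    """Unpredictable session identifier: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def build_session_cookie(session_id, max_age=1800):
    """Return a Set-Cookie header value for a session cookie with defensive attributes."""
    jar = SimpleCookie()
    jar["sid"] = session_id
    morsel = jar["sid"]
    morsel["secure"] = True        # browser sends the cookie only over HTTPS
    morsel["httponly"] = True      # document.cookie cannot read it, blunting XSS theft
    morsel["samesite"] = "Strict"  # not attached to cross-site requests (CSRF defence)
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # idle lifetime in seconds; assumption for the example
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Return a list of problems found in a Set-Cookie value; an empty list means it passes."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                     # parts[0] is name=value
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    problems = [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in attrs]
    if attrs.get("samesite", "").lower() in ("", "none"):
        problems.append("samesite not set to lax/strict")
    return problems


if __name__ == "__main__":
    hardened = build_session_cookie(new_session_id())
    print("Set-Cookie:", hardened)
    print("audit of hardened cookie:", audit_set_cookie(hardened))
    print("audit of bare cookie:", audit_set_cookie("sid=abc123; Path=/"))
```

Running the audit over the response headers of a staging deployment is a quick regression check that a framework upgrade or a config change has not silently dropped the flags.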

85
MCQ · hard

You are a security consultant for a hospital that is deploying a new IoT medical device system. The devices wirelessly transmit patient vital signs to a central server. The hospital is subject to HIPAA. The devices were developed by a startup and are not widely field-tested. The IT department wants to connect the devices to the existing network for real-time monitoring. The risk management team has identified potential threats including data interception, device tampering, and denial of service. They have no prior experience with IoT security. Which of the following risk treatment strategies is MOST appropriate given the high uncertainty?

A. Accept the risk because the devices improve patient care
B. Transfer the risk by purchasing cyber insurance
C. Avoid the risk by delaying deployment until a thorough risk assessment and independent security testing are completed
D. Mitigate the risk by segmenting the devices on a separate VLAN and encrypting all communications
Answer: C

Avoidance is justified when risks are not well understood and potential impact is high.

Why this answer

Option C is correct because the high uncertainty surrounding the startup's untested IoT devices, combined with the criticality of patient safety and HIPAA compliance, makes avoidance the most prudent strategy. Delaying deployment allows for a thorough risk assessment and independent security testing to identify vulnerabilities before exposing the hospital network to potential data interception, device tampering, or denial-of-service attacks. This approach directly addresses the risk management team's lack of IoT security experience by preventing exposure until the threat landscape is better understood.

Exam trap

The trap here is that candidates often choose mitigation (Option D) because it seems proactive and technically sound, but they overlook the principle that mitigation is only appropriate when the risk is well-understood and the controls are proven effective—neither of which applies to untested IoT devices with unknown vulnerabilities.

How to eliminate wrong answers

Option A is wrong because accepting risk without understanding the specific vulnerabilities of untested IoT devices could lead to HIPAA violations and patient harm, as the devices transmit protected health information (PHI) over wireless links susceptible to interception. Option B is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of a security incident; it also does not address the immediate technical threats like device tampering or denial of service that could disrupt patient monitoring. Option D is wrong because while VLAN segmentation and encryption (e.g., using TLS 1.3 or IPsec) are valid mitigation techniques, they are insufficient when the devices themselves may have undisclosed backdoors, weak cryptographic implementations, or unpatched firmware flaws that could be exploited despite network controls.

86
Multi-Select · easy

Which TWO of the following are considered key components of a disaster recovery plan?

Select 2 answers
A. SLA (Service Level Agreement)
B. RPO (Recovery Point Objective)
C. RTO (Recovery Time Objective)
D. BCP (Business Continuity Plan)
E. MTBF (Mean Time Between Failures)
Answers: B, C

RPO defines the maximum acceptable data loss in terms of time.

Why this answer

RPO and RTO are fundamental metrics in a disaster recovery plan. RPO defines the maximum acceptable data loss measured in time, dictating the frequency of backups. RTO defines the maximum acceptable downtime after a disaster, setting the target for system restoration.

Both directly drive the technical design of replication, backup schedules, and failover procedures.

Exam trap

ISC2 often tests the distinction between DR plan components (RPO/RTO) and broader business continuity concepts (BCP) or contractual metrics (SLA), leading candidates to confuse SLA with RTO or think BCP is part of the DR plan itself.

87
MCQ · hard

An analyst detects outbound traffic from a workstation to a known malicious IP address. The workstation is a developer machine with local admin rights. Which containment action should be taken first?

A. Block the malicious IP on the firewall
B. Isolate the workstation from the network
C. Shut down the workstation immediately
D. Disable the user's domain account
Answer: B

Stops all malicious outbound traffic and lateral movement.

Why this answer

The first step is to isolate the workstation from the network to prevent further communication with the malicious IP and lateral movement, so Option B is correct. Option A (blocking only the IP) is insufficient if the malware uses other IPs.

Option D (disabling the account) does not stop network traffic. Option C (shutting down) may lose volatile evidence.

88
Multi-Select · medium

Which TWO factors are most critical when selecting a cryptographic algorithm for a government application?

Select 2 answers
A. Speed of encryption/decryption
B. Key length
C. Algorithm popularity
D. Regulatory compliance (e.g., FIPS 140-2)
E. Ease of implementation
Answers: B, D

Key length directly affects security strength.

Why this answer

For government applications, regulatory compliance (e.g., FIPS 140-2) is critical because it mandates that cryptographic modules meet specific security standards for protecting sensitive data. Key length is equally critical because it directly determines the algorithm's resistance to brute-force attacks; insufficient key length can render encryption ineffective regardless of other factors.

Exam trap

ISC2 often tests the misconception that speed or popularity are primary selection criteria, when in fact government applications are driven by regulatory mandates and cryptographic strength (key length) as defined by standards like FIPS.

89
MCQ · hard

A security engineer is designing a system to store passwords securely. Which of the following is the most robust approach for password storage?

A. Hash passwords with SHA-256
B. Encode passwords with Base64
C. Encrypt passwords using AES-256 and store the key separately
D. Use bcrypt with a high cost factor
Answer: D

bcrypt is slow and includes a salt, making it resistant to brute-force and rainbow tables.

Why this answer

Bcrypt is the most robust option because it incorporates a salt to defend against rainbow table attacks and uses a configurable cost factor to deliberately slow down the hashing process, making brute-force attacks computationally expensive. Unlike general-purpose hashes like SHA-256, bcrypt is designed specifically for password storage and resists GPU-accelerated attacks by requiring significant memory and time per attempt.

Exam trap

ISC2 often tests the misconception that encryption (AES) is equivalent to hashing for password storage, but the trap is that encryption is reversible and introduces key management risks, whereas a proper password storage mechanism must be one-way and computationally expensive.

How to eliminate wrong answers

Option A is wrong because SHA-256 is a fast, general-purpose cryptographic hash that lacks a built-in salt and is vulnerable to rainbow table and brute-force attacks when used alone for password storage. Option B is wrong because Base64 is an encoding scheme, not a cryptographic operation; it provides no security and can be trivially reversed to recover the original password. Option C is wrong because encrypting passwords with AES-256 introduces key management complexity, and if the encryption key is compromised, all stored passwords can be decrypted; encryption is reversible by design, whereas password storage requires a one-way, irreversible function.
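The contrast drawn above between a fast unsalted hash and a slow salted one is easy to demonstrate. The following added example is written for this page, not taken from the question bank, and uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, since bcrypt needs a third-party package; the properties shown (a per-password random salt, a tunable cost stored with the hash so it can be raised later, constant-time comparison) are the same ones the explanation credits to bcrypt. The storage format string and the iteration counts are assumptions for the example; production deployments should use a count far higher than the default here, or a dedicated password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"


def naive_sha256(password):
    """The option-A approach: fast, unsalted, identical output for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=100_000):
    """Salted, deliberately slow hash. The cost is stored alongside so it can be raised later."""
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                    int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, min_iterations):
    """True when a stored hash was made with a cost below the current policy minimum."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < min_iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("sha256, same input twice:", naive_sha256(pw) == naive_sha256(pw))   # True: no salt
    h1, h2 = hash_password(pw), hash_password(pw)
    print("salted hash, same input twice:", h1 == h2)                           # False
    print("verify correct password:", verify_password(pw, h1))                  # True
    print("verify wrong password:", verify_password("Tr0ub4dor&3", h1))         # False
    print("old hash needs upgrade:", needs_rehash(hash_password(pw, 20_000), 100_000))
```

Because the cost parameter travels with each record, a verification path can transparently re-hash a password at login whenever `needs_rehash` reports that the stored cost has fallen below policy, which is how the cost factor is raised over time without a forced password reset.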

90
Multi-Select · easy

A security engineer is designing a DMZ to host public-facing services. Which two security best practices should be applied? (Choose two.)

Select 2 answers
A. Use the same firewall rule set for DMZ and internal network
B. Place web servers on the internal network
C. Enable full mesh connectivity between DMZ hosts
D. Use a screened subnet with two firewalls
E. Allow inbound traffic from internet to DMZ on required ports only
Answers: D, E

A screened subnet (DMZ) between two firewalls provides defense in depth for public services.

Why this answer

A screened subnet with two firewalls creates a buffer zone, and allowing inbound traffic only on required ports minimizes exposure. Placing web servers on the internal network would expose them, sharing rules with the internal network increases risk, and full mesh connectivity between DMZ hosts facilitates lateral movement.

91
MCQ · easy

A system administrator needs to securely transfer log files from a Linux server to a central log collector. Which protocol should be used to ensure confidentiality and integrity?

A. SSH
B. SMTP
C. NFS
D. FTP
Answer: A

SSH provides secure encrypted file transfer via SCP or SFTP.

Why this answer

SSH (Secure Shell) provides encrypted tunnels for data transfer, ensuring both confidentiality and integrity of log files in transit. It uses strong cryptographic algorithms (e.g., AES, ChaCha20) and HMAC-based integrity checks, making it the correct choice for secure file transfer over untrusted networks.

Exam trap

The trap here is that candidates often choose FTP or NFS because they are familiar file transfer protocols, overlooking that neither provides native encryption or integrity, while SSH is the only option that guarantees both through its secure channel.

How to eliminate wrong answers

Option B (SMTP) is wrong because SMTP is a mail transfer protocol that does not natively encrypt payloads or provide integrity verification; it relies on optional STARTTLS extensions for confidentiality, which are not always enforced. Option C (NFS) is wrong because NFS is a network file system protocol designed for shared access, not secure transfer; it lacks built-in encryption and integrity guarantees (unless using NFSv4 with Kerberos, which is not the default). Option D (FTP) is wrong because FTP transmits data and credentials in cleartext, offering no confidentiality or integrity; even FTPS (FTP over SSL/TLS) is not the standard FTP protocol referenced here.

92
MCQ · easy

A small business needs basic protection against malware. Which solution is MOST cost-effective and provides real-time protection?

A. Schedule weekly antivirus scans
B. Deploy an endpoint protection platform (EPP)
C. Install a host-based firewall on each computer
D. Use email encryption for all communications
Answer: B

Provides real-time protection and includes multiple security layers.

Why this answer

Option B is correct because endpoint protection platforms (EPP) provide antivirus, anti-malware, and often additional features like firewall and web protection. Option C is wrong because host-based firewalls alone do not protect against malware. Option A is wrong because periodic scans miss threats between scans.

Option D is wrong because email encryption does not protect against malware delivered via other vectors.

93
Multi-Select · medium

Which TWO of the following are best practices for securing an application programming interface (API)?

Select 2 answers
A. Implement rate limiting to control the number of requests.
B. Validate and sanitize all input to the API.
C. Return detailed error messages to help clients debug.
D. Disable encryption to improve performance.
E. Use HTTP Basic Authentication without HTTPS.
Answers: A, B

Rate limiting mitigates brute-force and DoS attacks.

Why this answer

Options A and B are correct. Rate limiting prevents abuse and DoS; input validation prevents injection attacks. Option C (exposing detailed error messages) may leak information; E (using basic authentication without HTTPS) transmits credentials in plaintext; D (disabling encryption) is insecure.
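The following added example (written for this page, not part of the question bank) shows the two correct practices working together in a framework-free request handler: a per-client token bucket for rate limiting and an allowlist-based validator for a request field, while returning a generic error body rather than the detailed message option C would suggest. The bucket size, refill rate, username rules and the shape of the request and response are all assumptions for the example; the clock is injected so the behaviour can be reproduced deterministically.

```python
import re
from dataclasses import dataclass, field

# Allowlist validation: only characters the application actually needs, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec` tokens per second."""
    capacity: float
    refill_per_sec: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.capacity

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (here the source address); assumed sizing for the example."""

    def __init__(self, capacity=5, refill_per_sec=1.0):
        self.capacity, self.refill_per_sec = capacity, refill_per_sec
        self.buckets = {}

    def allow(self, client_key, now):
        bucket = self.buckets.setdefault(client_key,
                                         TokenBucket(self.capacity, self.refill_per_sec))
        return bucket.allow(now)


def handle_request(limiter, client_ip, payload, now):
    """Return (status, body). Rate limit first, then validate; never echo input in errors."""
    if not limiter.allow(client_ip, now):
        return 429, {"error": "rate limit exceeded"}
    username = payload.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        # Detail (which field, which rule) belongs in the server log, not the response.
        return 400, {"error": "invalid request"}
    return 200, {"user": username}


if __name__ == "__main__":
    limiter = RateLimiter()
    for i in range(6):   # constructed burst from one client at t=0: 5 pass, the 6th is throttled
        print(i + 1, handle_request(limiter, "203.0.113.7", {"username": "bob"}, now=0.0))
    print("after 1 s:", handle_request(limiter, "203.0.113.7", {"username": "bob"}, now=1.0))
    print("injection-style input:",
          handle_request(limiter, "198.51.100.3", {"username": "bob'; DROP TABLE users;--"}, 0.0))
```

Rate limiting before validation is deliberate: it keeps the cheap throttle in front of any per-request work, so a flood of malformed requests cannot force the server to spend CPU on parsing them.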

94
MCQ · easy

A user reports they cannot access the internet. The network administrator verifies that the user's workstation has an IP address of 192.168.1.100/24 and a default gateway of 192.168.1.1. The administrator can ping the default gateway but cannot ping 8.8.8.8. What is the most likely cause?

A. Firewall is blocking outbound traffic to port 53
B. DNS server is down
C. The default gateway has no route to the internet
D. The workstation's subnet mask is incorrect
E. The network cable is faulty
Answer: C

Local connectivity works but external connectivity fails, indicating a routing issue.

Why this answer

The administrator can ping the default gateway (192.168.1.1) but cannot ping 8.8.8.8. This indicates that Layer 2 and Layer 3 connectivity within the local subnet is working, but traffic cannot reach the internet. The most likely cause is that the default gateway does not have a route to the internet, meaning it cannot forward packets beyond its local interface to an upstream router or ISP.

Exam trap

The trap here is that candidates often confuse 'can ping the gateway' with 'gateway has internet connectivity,' but the gateway may be reachable locally while lacking an upstream route or having a misconfigured NAT policy.

How to eliminate wrong answers

Option A is wrong because port 53 is used for DNS, not for ICMP ping traffic; a firewall blocking outbound port 53 would not prevent a ping to 8.8.8.8. Option B is wrong because DNS resolution is not required to ping an IP address directly; the issue is with IP connectivity, not name resolution. Option D is wrong because the workstation's subnet mask of /24 (255.255.255.0) is correct for the 192.168.1.0/24 network, and an incorrect mask would typically cause local connectivity issues, not prevent internet access while still reaching the gateway.

Option E is wrong because a faulty network cable would prevent the workstation from communicating with the default gateway, but the administrator can successfully ping the gateway.

95
MCQ · hard

A company uses a Cloud Workload Protection Platform (CWPP) to secure IaaS workloads. They discover that a virtual machine (VM) is communicating with a known command-and-control server. What is the FIRST action the security team should take?

A. Immediately isolate the VM by removing it from the network
B. Run an antivirus scan on the VM to remove the malware
C. Terminate the VM and create a new one from a clean image
D. Analyze the traffic logs to determine the scope of the compromise
Answer: A

Containment is the first priority to stop active threat.

Why this answer

Option A is correct because isolating the VM stops the malicious communication and prevents further spread. Option D is wrong because the infection is already active; waiting for analysis allows more damage. Option C is wrong because terminating the VM may be too aggressive and could cause data loss without investigation.

Option B is wrong because scanning does not stop ongoing communication.

96
MCQ · easy

A company is deploying a new mobile application that handles sensitive customer data. Which practice BEST ensures data confidentiality on the device?

A. Require a strong screen lock passcode.
B. Disable cloud backups for the app.
C. Encrypt all sensitive data stored on the device using a key derived from the user's passcode.
D. Use app sandboxing to isolate app data from other apps.
Answer: C

Encryption at rest ensures data is unreadable without the key.

Why this answer

Option C is correct because encrypting sensitive data with a key derived from the user's passcode ensures that even if the device is lost or stolen, the data remains unreadable without the passcode. This approach leverages the user's secret to protect confidentiality at rest, which is a fundamental principle of mobile data protection. Technologies like iOS Data Protection and Android File-Based Encryption use similar key derivation from the lock screen credential to encrypt app-specific data.

Exam trap

ISC2 often tests the distinction between access control (screen lock) and data protection (encryption), leading candidates to choose a strong passcode as the best practice for confidentiality, when encryption with a derived key is the actual requirement.

How to eliminate wrong answers

Option A is wrong because a strong screen lock passcode only prevents unauthorized access to the device interface but does not protect data if the device is compromised via other means (e.g., forensic extraction or jailbreak). Option B is wrong because disabling cloud backups prevents data from being stored off-device but does not address confidentiality of data already on the device; backups themselves can be encrypted separately. Option D is wrong because app sandboxing isolates app data from other apps to prevent unauthorized inter-app access, but it does not protect against physical device access or OS-level attacks that bypass sandboxing.

97
MCQ · medium

Refer to the exhibit. A security administrator is troubleshooting connectivity to a web server. Users report they can access the website via HTTP and HTTPS, but cannot establish new SSH connections. Which of the following best explains this issue?

A. The firewall is dropping SSH connections only when they are new, but established sessions may still be allowed.
B. The firewall policy is set to ACCEPT on the INPUT chain, so SSH should work.
C. The firewall is blocking all incoming traffic on port 22.
D. The firewall is configured to drop new SSH connections, which prevents users from initiating new SSH sessions.
Answer: D

The DROP rule for tcp dpt:22 with state NEW explicitly drops new SSH connection attempts, explaining the inability to SSH.

Why this answer

The firewall rule drops all new TCP connections to port 22 (SSH) using the state NEW match. Established SSH sessions, if any, would still be allowed, but new connections are blocked. Option C is incorrect because the rule does not block all traffic on port 22, only new connections.

Option A is a partial statement but does not capture why users cannot connect. Option B is incorrect because although the INPUT chain policy is ACCEPT, the explicit DROP rule for new SSH traffic is matched first and overrides the default policy.

98
MCQ · medium

A military system uses mandatory access control with classifications Unclassified, Confidential, Secret, and Top Secret. A user with Secret clearance attempts to read a file labeled Top Secret. What will occur?

A. Access is denied because the subject's clearance is lower than the object's classification
B. Access is granted because the user has write permission
C. Access is granted if the user is the owner of the file
D. Access is granted because the user has a need-to-know
Answer: A

MAC enforces that a subject can only read objects with a classification equal to or lower than their clearance (no read up).

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the subject's clearance level with the object's classification label. Since the user has a Secret clearance and the file is classified Top Secret, the subject's clearance is lower than the object's classification, so read access is denied per the Bell-LaPadula model's Simple Security Property (no read up).

Exam trap

The trap here is that candidates often confuse mandatory access control with discretionary access control, assuming that ownership or need-to-know can override classification labels, but in MAC, clearance level is the primary and non-negotiable gate for read access.

How to eliminate wrong answers

Option B is wrong because write permission is irrelevant in a MAC read operation; the Bell-LaPadula model enforces the *-property (no write down) for write, but read access is governed solely by clearance vs. classification. Option C is wrong because MAC overrides discretionary ownership; even if the user owns the file, the system enforces the classification label, so ownership does not grant read access when clearance is insufficient. Option D is wrong because need-to-know is a separate discretionary control (e.g., via compartments or roles) and does not override the mandatory clearance requirement; without the proper clearance level, need-to-know cannot grant access.

99
MCQ · hard

An organization uses mandatory access control (MAC) with the Bell-LaPadula model. A subject has a clearance of 'Secret' and an object has a classification of 'Top Secret'. What is the result if the subject attempts to read the object?

A.Write denied
B.Write allowed
C.Read denied
D.Read allowed
AnswerC

The subject's clearance is lower than the object's classification, so read is denied under the simple security property.

Why this answer

In the Bell-LaPadula model, the Simple Security Property (no read up) prohibits a subject from reading an object with a higher classification. Since the subject has a clearance of 'Secret' and the object is classified as 'Top Secret', the read attempt is denied. This enforces mandatory access control (MAC) by preventing information flow from higher to lower security levels.

Exam trap

The trap here is that candidates often confuse the Bell-LaPadula model with the Biba model (which focuses on integrity) or misapply the *-property to read operations, leading them to incorrectly select 'Read allowed' or 'Write allowed' when the actual rule is 'no read up'.

How to eliminate wrong answers

Option A is wrong because the operation in question is a read, not a write, and the Bell-LaPadula model's *-property (no write down) applies to write operations, not reads. Option B is wrong because write operations are not being attempted, and even if they were, a write from a Secret subject to a Top Secret object would be allowed under the *-property (write up), but the question asks about a read. Option D is wrong because the Simple Security Property explicitly forbids reading an object with a higher classification (Top Secret) than the subject's clearance (Secret), so read allowed is incorrect.

100
MCQeasy

A company has deployed an internal public key infrastructure (PKI) using Microsoft Active Directory Certificate Services (AD CS) to issue certificates for internal web servers. The certificate policy requires RSA 2048-bit keys and SHA-256 hashing. During a routine security audit, the administrator discovers that several web server certificates issued by the internal CA are using SHA-1 signatures. The CA is configured with a default Web Server certificate template. The administrator wants to ensure that all future certificates from this CA use SHA-256 as the hash algorithm. What is the most effective and secure course of action?

A.Update the certificate template to specify SHA-256 as the hash algorithm and reissue certificates
B.Increase the CA's security level in the console and restart the service
C.Modify the CA's signing algorithm in the registry to force SHA-256
D.Revoke all SHA-1 certificates and request new ones from a public CA
AnswerA

This directly addresses the issue and ensures future certificates use SHA-256.

Why this answer

Updating the certificate template to specify SHA-256 ensures that all new requests use the correct hash algorithm. Raising the CA's security level in the console (B) is vague and does not change the hash algorithm; modifying the signing algorithm in the registry (C) does not affect templates; revoking certificates and requesting new ones from a public CA (D) is disruptive and unnecessary.

101
MCQmedium

An IT auditor reports that firewall logs are not being reviewed regularly. Which control should be implemented to address this finding?

A.Archive logs to a read-only medium
B.Disable logging for low-priority events
C.Increase the log retention period to 12 months
D.Deploy a Security Information and Event Management (SIEM) system
AnswerD

SIEM automates log monitoring and alerting.

Why this answer

Option D is correct because a SIEM automates log analysis and can alert on suspicious activity, reducing reliance on manual review. Option A is wrong because, while archiving logs to a read-only medium is good practice, it does not enforce review. Option B is wrong because disabling logging is counterproductive. Option C is wrong because simply increasing log retention does not ensure review.

102
MCQmedium

Refer to the exhibit. The security analyst sees this event from a user workstation. What is the most likely conclusion?

A.A malware is spreading
B.A legitimate administrator added a user
C.A user is trying to escalate privileges
D.A failed login attempt
AnswerC

The net localgroup command is often used for privilege escalation.

Why this answer

The event shows a user account (likely a standard user) attempting to add itself to a privileged group such as the local Administrators group. This action requires administrative rights, and the attempt by a non-admin user to modify group membership is a classic privilege escalation technique. The security analyst should recognize this as an unauthorized attempt to gain higher access, not a normal administrative action.

Exam trap

ISC2 often tests the distinction between a legitimate administrative action and a privilege escalation attempt by hiding the user context — the trap here is assuming that any group addition is benign, when the key detail is that the action was performed from a non-privileged account.

How to eliminate wrong answers

Option A is wrong because the event describes a single user account modification, not the lateral movement or file propagation characteristic of malware spreading. Option B is wrong because a legitimate administrator would typically use a dedicated admin account or a tool like 'net localgroup Administrators /add' with proper elevation, not from a standard user workstation without evidence of administrative context. Option D is wrong because the event shows a successful addition of a user to a group, not a failed authentication attempt (which would generate Event ID 4625, not 4732 or similar group membership events).

103
MCQeasy

An employee reports that they cannot access a shared folder on the network. The security administrator checks the permissions and finds that the user is in the correct group, but the 'Deny' entry for a different group is blocking access. What is the MOST likely cause?

A.The folder is encrypted with EFS.
B.A Deny ACE is explicitly applied to the user's group.
C.The folder has inherited permissions from the parent.
D.The user is not a member of the correct group.
AnswerB

Deny takes precedence over Allow in NTFS permissions.

Why this answer

In Windows NTFS permissions, a Deny Access Control Entry (ACE) explicitly overrides any Allow ACE, regardless of group membership order. Since the user is in the correct group but a Deny entry on a different group blocks access, the most likely cause is that a Deny ACE is explicitly applied to the user's group (or a group the user belongs to), which takes precedence over Allow permissions. This is a core principle of the Windows discretionary access control model.

Exam trap

ISC2 often tests the misconception that group membership order or inheritance determines permission precedence, when in fact an explicit Deny ACE always overrides any Allow ACE, regardless of the group hierarchy.

How to eliminate wrong answers

Option A is wrong because EFS encryption affects file content access at the file system level, not network share permissions; it does not cause a Deny ACE to block access. Option C is wrong because inherited permissions from the parent folder would not introduce a Deny ACE that overrides the user's explicit Allow unless the Deny is also inherited, but the scenario states the Deny is for a different group, not a conflict of inheritance. Option D is wrong because the user is already confirmed to be in the correct group; the issue is a conflicting Deny ACE, not group membership.

104
MCQmedium

An organization uses AWS IAM to manage access. Which best practice ensures least privilege?

A.Use a single shared admin account
B.Use root account for administrative tasks
C.Create individual users and assign only necessary permissions
D.Grant all users full access to S3 buckets
AnswerC

Individual users with minimal permissions enforce least privilege.

Why this answer

Creating individual users with only the necessary permissions enforces least privilege. Using the root account for routine administration is dangerous. Shared accounts violate accountability. Granting full S3 access to all users is excessive.

105
MCQeasy

A network administrator is configuring a firewall rule to allow inbound HTTPS traffic to a web server. Which protocol and port should be allowed?

A.UDP port 80
B.UDP port 443
C.TCP port 443
D.TCP port 80
AnswerC

HTTPS uses TCP port 443 by default.

Why this answer

HTTPS (HTTP over TLS) uses TCP as its transport protocol because it requires reliable, connection-oriented delivery for secure web traffic. The default port for HTTPS is 443, as defined in RFC 2818. Therefore, allowing TCP port 443 is the correct firewall rule.

Exam trap

The trap here is that candidates often confuse HTTP (TCP 80) with HTTPS (TCP 443) or mistakenly think HTTPS can use UDP, but the SSCP exam expects you to know that standard HTTPS uses TCP port 443.

How to eliminate wrong answers

Option A is wrong because HTTP uses TCP, not UDP, and port 80 carries unencrypted HTTP, not HTTPS. Option B is wrong because standard HTTPS uses TCP, not UDP, for reliable delivery, so UDP port 443 is not the correct rule. Option D is wrong because TCP port 80 is used for unencrypted HTTP traffic, not HTTPS.

106
MCQeasy

A university IT department manages a lab of 50 computers running Windows 10 that are used by students for coursework. The computers are joined to a domain and have Group Policy applied to restrict administrative access. Recently, several students were able to install unauthorized software by using the built-in Administrator account, which had the same password on all lab computers. The IT department wants to prevent this without affecting the students' ability to run required academic software. Which of the following is the most effective solution?

A.Configure the computers to only allow standard user accounts.
B.Disable the local Administrator account on all lab computers.
C.Use a tool to assign a unique, random password to the local Administrator account on each computer.
D.Implement Software Restriction Policies to block unauthorized executables.
AnswerC

Unique passwords prevent use of a known shared password across all machines.

Why this answer

Option C is correct because setting the local Administrator password to a unique, complex value on each machine prevents lateral movement and unauthorized use of a shared password. Option A is incorrect because standard user accounts do not have installation rights, but if students know the Administrator password they can still use it. Option B is incorrect because disabling the account might break functionality if it is relied upon. Option D is incorrect because, while Software Restriction Policies help, they do not prevent use of the Administrator account.

107
MCQeasy

A security administrator is tasked with ensuring that only authorized software can run on company workstations. Which security control should be implemented?

A.Antivirus software
B.Patch management
C.Host-based firewall
D.Application whitelisting
AnswerD

Whitelisting ensures only approved software can run, directly meeting the requirement.

Why this answer

Application whitelisting is the correct control because it explicitly defines a list of approved software that is allowed to execute on workstations. This prevents unauthorized or malicious software from running, even if it bypasses other defenses, by enforcing a default-deny policy at the operating system level (e.g., via Windows AppLocker or Software Restriction Policies). Unlike antivirus, which relies on signatures to detect known threats, whitelisting blocks unknown or unapproved executables by default.

Exam trap

The trap here is that candidates often confuse 'preventing unauthorized software' with 'detecting malware,' leading them to choose antivirus software, but the question specifically asks for a control that ensures only authorized software can run, which requires a default-deny approach like application whitelisting rather than a detection-based tool.

How to eliminate wrong answers

Option A is wrong because antivirus software uses signature-based or heuristic detection to identify known malware, but it cannot prevent execution of unauthorized or custom-coded software that is not yet in its database. Option B is wrong because patch management ensures software is up-to-date with security fixes, but it does not control which applications are allowed to run; it only addresses vulnerabilities in already-installed software. Option C is wrong because a host-based firewall controls network traffic to and from the workstation based on ports and protocols, but it does not restrict which applications can execute locally on the system.

108
MCQmedium

A company detects ransomware on a file server. The ransomware is currently encrypting files. Which containment strategy should be implemented FIRST?

A.Run antivirus to remove the ransomware
B.Notify all users to change passwords
C.Disconnect the server from the network
D.Restore files from backup
AnswerC

Network isolation prevents lateral movement and further encryption.

Why this answer

Option C is correct because the immediate priority in ransomware containment is to isolate the compromised server from the network to prevent the encryption process from spreading to other systems. Disconnecting the network cable or disabling the network interface stops the ransomware from communicating with command-and-control servers and blocks lateral movement via SMB or other protocols. This containment step must occur before any remediation like antivirus scans or file restoration.

Exam trap

The trap here is that candidates often choose to run antivirus first, thinking removal stops the attack, but the SSCP exam emphasizes that containment (stopping the spread) must precede eradication (removing the malware).

How to eliminate wrong answers

Option A is wrong because running antivirus on an actively encrypting server may trigger the ransomware to accelerate encryption or delete files, and removal does not stop the ongoing encryption process. Option B is wrong because notifying users to change passwords is a post-containment or post-incident step; it does not halt the active encryption or network propagation of the ransomware. Option D is wrong because restoring files from backup should only be performed after the ransomware is fully contained and removed; attempting restoration while the ransomware is active will result in immediate re-encryption of restored files.

109
MCQhard

Based on the exhibit, what is the most appropriate immediate action?

A.Schedule patching during the next change window in 30 days
B.Apply the vendor patch to the host as soon as possible
C.Run another vulnerability scan to confirm the finding
D.Ignore the vulnerability because it's a false positive
AnswerB

Immediate action needed to mitigate critical RCE vulnerability on critical system.

Why this answer

The exhibit shows a critical remote code execution vulnerability with a CVSS score of 9.8, which poses an immediate threat to the host. Applying the vendor patch as soon as possible is the most appropriate action because it directly eliminates the risk without delay, aligning with the principle of timely remediation for high-severity vulnerabilities.

Exam trap

The trap here is that candidates may choose to rescan or delay patching due to change management policies, failing to recognize that critical remote code execution vulnerabilities require immediate out-of-cycle patching to prevent imminent compromise.

How to eliminate wrong answers

Option A is wrong because scheduling patching in 30 days for a critical remote code execution vulnerability (CVSS 9.8) leaves the host exposed to active exploitation, which violates the immediate response required for such high-risk findings. Option C is wrong because running another vulnerability scan would only reconfirm the already validated finding, wasting time that could be used for remediation; the scan result is assumed accurate based on the exhibit. Option D is wrong because ignoring the vulnerability as a false positive is dangerous given the critical severity and known exploitability of the CVE; false positives are rare for such well-documented remote code execution vulnerabilities.

110
MCQeasy

Refer to the exhibit. An AWS S3 bucket policy is defined as shown. Which statement about this policy is TRUE?

A.The company-public bucket objects are completely private
B.The Deny statement prevents all access to both buckets
C.Any user can read objects in the company-public bucket
D.The policy applies to all buckets in the account
AnswerC

Principal '*' and Action 's3:GetObject' allows public read access.

Why this answer

Option C is correct because the first statement allows anyone (Principal '*') to read objects in the company-public bucket. Option A is wrong because the company-public bucket is explicitly allowed for GetObject. Option B is wrong because the Deny statement is effective but only denies access to the company-private bucket, not company-public. Option D is wrong because the policy does not affect other buckets in the account.

111
MCQhard

A company has a policy requiring segregation of duties (SoD) for financial transactions. Which scenario represents a violation of this principle?

A.The system administrator performs backups, and the security officer reviews audit logs
B.The finance officer approves invoices and also reconciles the bank statements
C.Two managers must each approve any expenditure over $10,000
D.The purchasing manager creates purchase orders, and the accounts payable clerk processes payments
AnswerB

This combines authorization with verification, a SoD violation.

Why this answer

Option B is correct because the same person both approves invoices and reconciles bank statements, combining authorization and review functions. Option A is wrong because the separation is maintained: one person performs backups and a different person reviews the audit logs. Option C is wrong because two-level approval still involves separate individuals. Option D is wrong because separate individuals handle procurement and accounts payable.

112
MCQhard

An organization uses a SIEM to correlate events. The SIEM receives Windows Security Event ID 4625 (failed login) and 4776 (credential validation). An analyst wants to detect a brute-force attack against a service account. Which correlation rule is most effective?

A.Alert on more than 10 failed logins from a single IP in 5 minutes
B.Alert on successful logins after multiple failures
C.Alert on multiple failed logins for the same account from different source IPs in 10 minutes
D.Alert on any Event ID 4625 or 4776 with severity high
AnswerC

Detects distributed brute force against a single account.

Why this answer

Option C is correct because a brute-force attack against a service account typically involves multiple failed login attempts from different source IPs, as attackers often distribute their attempts to evade IP-based blocking. Correlating Event ID 4625 (failed login) and 4776 (credential validation) across multiple source IPs for the same account within a short time window (e.g., 10 minutes) directly identifies this distributed brute-force pattern, which a single-IP threshold would miss.

Exam trap

The trap here is that candidates often fixate on a single IP threshold (Option A) because it seems intuitive, but the SSCP exam tests the understanding that modern brute-force attacks distribute across many IPs, making account-based correlation across source IPs the correct detection method.

How to eliminate wrong answers

Option A is wrong because alerting on more than 10 failed logins from a single IP in 5 minutes is too narrow; attackers can easily rotate IPs (e.g., using a botnet or proxy chain) to stay under the threshold, missing distributed brute-force attacks. Option B is wrong because alerting on successful logins after multiple failures is a post-compromise indicator, not a detection of the brute-force attempt itself; it may also generate false positives from legitimate password resets or user errors. Option D is wrong because setting severity high on every Event ID 4625 or 4776 would overwhelm analysts with noise from routine failed logins (e.g., mistyped passwords, expired credentials) and lacks the correlation needed to distinguish a brute-force attack from normal activity.

113
Matchingmedium

Match each vulnerability assessment tool to its use.


Concepts
Matches

Network scanning and port discovery

Vulnerability scanning

Exploitation framework

Packet analysis

Why these pairings

These are common security testing tools.

114
MCQhard

During a risk assessment, a team identifies that the annualized loss expectancy (ALE) for a critical asset is $50,000. A proposed control costs $15,000 per year and will reduce the annualized rate of occurrence (ARO) from 5 to 1. The single loss expectancy (SLE) is unchanged at $10,000. What is the net benefit of implementing the control?

A.$40,000
B.$10,000
C.$35,000
D.$25,000
AnswerD

ALE reduction minus control cost equals net benefit.

Why this answer

The current ALE is $50,000 (ARO of 5 × SLE of $10,000). With the control, ARO drops to 1, so the new ALE is $10,000 (1 × $10,000). The reduction in ALE is $40,000.

Subtracting the annual control cost of $15,000 gives a net benefit of $25,000. This aligns with the formula: Net Benefit = (Old ALE – New ALE) – Annual Control Cost.

Exam trap

The trap here is that candidates often forget to subtract the annual control cost from the risk reduction (ALE reduction), mistakenly selecting the risk reduction amount ($40,000) as the net benefit.

How to eliminate wrong answers

Option A is wrong because $40,000 is the reduction in ALE (the risk reduction), not the net benefit after subtracting the $15,000 annual control cost. Option B is wrong because $10,000 is the new ALE after the control, not the net benefit. Option C is wrong because $35,000 would result from incorrectly subtracting the control cost from the old ALE ($50,000 – $15,000) without accounting for the reduced ALE.

115
MCQmedium

A company's log management solution is overwhelmed by high-volume logs from network devices, causing storage and analysis delays. Which strategy would best improve the efficiency of the log management process?

A.Increase the storage capacity of the log server
B.Increase the frequency of log analysis cycles
C.Implement log filtering and prioritization rules
D.Reduce the number of devices sending logs
AnswerC

Filtering reduces volume and focuses on important events.

Why this answer

Implementing log filtering and prioritization rules (Option C) directly addresses the root cause of the problem by reducing the volume of irrelevant or low-priority logs before they are stored or analyzed. This improves both storage efficiency and analysis speed, as the log management system processes only meaningful events, such as those matching security or performance thresholds, rather than being overwhelmed by high-frequency noise like repeated informational syslog messages.

Exam trap

ISC2 often tests the misconception that adding more resources (storage or processing frequency) is the solution to data overload, when in fact the correct approach is to reduce the data volume through intelligent filtering and prioritization.

How to eliminate wrong answers

Option A is wrong because simply increasing storage capacity does not solve the analysis delay; it only postpones the storage issue while the system continues to process and store the same high volume of logs, potentially worsening performance. Option B is wrong because increasing the frequency of log analysis cycles would further strain the already overwhelmed system, leading to greater delays and resource contention, not efficiency. Option D is wrong because reducing the number of devices sending logs is a drastic measure that compromises network visibility and security monitoring, and it does not address the underlying problem of inefficient log handling from the remaining devices.

116
MCQeasy

A small business wants to protect its data from ransomware. Which backup strategy provides the BEST protection against an attack where the backup files are also encrypted?

A.Daily backups to a network attached storage (NAS) device
B.Daily cloud backups with versioning
C.Weekly backups to an external hard drive connected via USB
D.Weekly backups to tape stored in a fireproof safe offline
AnswerD

Offline tapes are physically disconnected and cannot be encrypted by ransomware.

Why this answer

Option D is correct because an offline (air-gapped) backup is not accessible from the network, preventing ransomware from encrypting it. Option A is wrong because a NAS device remains connected to the network and can be encrypted like any other network share. Option B is wrong because cloud backups are reachable from the network. Option C is wrong because local external drives attached to the system can be encrypted.

117
MCQeasy

Refer to the exhibit. A network administrator implements this ACL on a border router. What is the effect?

A.SSH to 192.168.1.100 is permitted from any source
B.SSH is completely blocked
C.All traffic to 192.168.1.100 is permitted
D.Only SSH from external networks is blocked
AnswerA

The permit rule applies to any source destined to that host on port 22.

Why this answer

Option A is correct because the ACL explicitly permits TCP traffic sourced from any IP address destined to 192.168.1.100 on port 22, which is the default port for SSH. Since the ACL is applied inbound on the border router's external interface, it allows SSH connections from any external source to reach the internal host 192.168.1.100, while implicitly denying all other traffic.

Exam trap

ISC2 often tests the implicit deny all at the end of an ACL, leading candidates to mistakenly think that only explicitly denied traffic is blocked, when in fact all traffic not explicitly permitted is denied.

How to eliminate wrong answers

Option B is wrong because the ACL does not block SSH; it explicitly permits SSH to 192.168.1.100, so SSH is not completely blocked. Option C is wrong because the ACL only permits TCP port 22 (SSH) to 192.168.1.100; all other traffic to that IP is implicitly denied by the implicit deny all at the end of the ACL. Option D is wrong because the ACL permits SSH from any source, including external networks, so SSH from external networks is not blocked; it is allowed.

118
Multi-Selecthard

Which THREE of the following are best practices for securely managing cryptographic keys in an enterprise environment?

Select 3 answers
A.Use the same key for encryption and decryption (symmetric) and also for signing.
B.Share keys via email encrypted with the recipient's public key.
C.Implement key escrow to allow recovery of encrypted data.
D.Rotate keys on a regular schedule or upon compromise.
E.Store keys in a hardware security module (HSM).
AnswersC, D, E

Key escrow ensures that encrypted data can be recovered if keys are lost or unavailable.

Why this answer

Options C, D, and E are correct. HSMs provide tamper-resistant key storage. Key rotation limits exposure from compromised keys. Key escrow allows recovery when keys are lost. Option A is incorrect because using the same key for multiple purposes (e.g., encryption and signing) violates key separation principles. Option B is incorrect because email is not a secure channel for key distribution.

119
MCQeasy

An organization wants to prevent unauthorized persons from entering a secure server room. Which control is the MOST effective?

A.Install a CCTV camera at the entrance
B.Require biometric authentication (fingerprint or retina scan) to unlock the door
C.Post a security guard at the entrance during business hours
D.Use a keypad with a unique code for each employee
AnswerB

Biometrics provide strong authentication specific to the individual.

Why this answer

Biometric authentication (fingerprint or retina scan) is the most effective control because it verifies the unique physiological characteristics of an individual, making it extremely difficult to bypass, share, or forge. Unlike knowledge-based (keypad code) or possession-based (key card) factors, biometrics provide strong, non-repudiable proof of identity, which is critical for high-security areas like a server room.

Exam trap

The trap here is that candidates often choose a keypad with a unique code (Option D) thinking it is 'unique per employee' and therefore secure, but they overlook that codes can be easily shared or stolen via shoulder surfing, whereas biometrics are inherently tied to the individual and cannot be transferred.

How to eliminate wrong answers

Option A is wrong because a CCTV camera is a detective control that only records events; it does not prevent unauthorized entry, as it cannot stop a person from walking through the door. Option C is wrong because a security guard is a physical control that can be effective but is limited to business hours, leaving the server room vulnerable during off-hours, and guards can be distracted or bypassed. Option D is wrong because a keypad with a unique code relies on a knowledge factor that can be shared, observed (shoulder surfing), or guessed, and codes can be forgotten or written down, compromising security.

120
MCQhard

An analyst reviews a Windows security log. Given the event, what is the MOST likely cause of the lockout?

A.The user's password was changed and they are using the old password
B.The user's cached credentials are expired
C.A remote attacker is attempting to brute-force the user's password via RDP
D.The user entered the wrong password at the physical console
AnswerC

Logon Type 10 (RemoteInteractive) is RDP, and a lockout indicates multiple failed attempts.

Why this answer

Option C is correct because Logon Type 10 (RemoteInteractive) indicates a Remote Desktop (RDP) session, and multiple failed attempts from the same source often cause lockouts due to brute-force attempts. Option A is wrong because, while an old or incorrect password can cause a lockout, the logon type points to RDP, so the attack vector is more specific. Option B is wrong because credential caching is not directly related. Option D is wrong because a bad password at the local console would show Logon Type 2.

121
MCQeasy

An organization wants to ensure that only authorized devices can connect to its internal network. Which of the following should be implemented?

A.Intrusion detection system
B.Port security on switches
C.Network access control (NAC)
D.Virtual private network
AnswerC

NAC authenticates devices before network access.

Why this answer

Network Access Control (NAC) is the correct choice because it enforces security policy by evaluating the identity, posture, and compliance of devices before granting network access. NAC solutions (e.g., Cisco ISE, Aruba ClearPass) can authenticate devices via 802.1X, check for antivirus updates or patch levels, and quarantine non-compliant endpoints, ensuring only authorized and healthy devices connect to the internal network.

Exam trap

The trap here is that candidates often confuse Port Security (a Layer 2 MAC-based control) with NAC, but Port Security lacks the authentication, posture assessment, and dynamic policy enforcement that NAC provides, making it insufficient for ensuring only authorized devices connect.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) monitors network traffic for malicious activity but does not control which devices can connect; it only alerts on threats after they appear. Option B is wrong because Port Security on switches limits MAC addresses per port but is a Layer 2 control that can be bypassed by MAC spoofing and does not authenticate device identity or check compliance. Option D is wrong because a Virtual Private Network (VPN) encrypts traffic between remote users and the network but does not restrict which devices can connect to the internal LAN; it assumes the device is already authorized or uses separate authentication.

122
MCQeasy

An e-commerce company runs its web application on a Windows Server 2019 with IIS 10. The security team runs a vulnerability scan and discovers that the server supports TLS 1.0 and several CBC-mode cipher suites, which are prohibited by the company's security policy. The policy requires disabling all versions of TLS below 1.2 and all cipher suites that do not use GCM mode. The administrator needs to implement the required changes without affecting the application's functionality, as it still needs to support a small number of legacy clients that require TLS 1.2 but not CBC. Which action should the administrator take?

A.Upgrade the server to Windows Server 2022, which automatically disables TLS 1.0.
B.Implement a reverse proxy with strong TLS configuration and route all traffic through it.
C.Disable TLS 1.0 via the registry and configure the cipher suite order in IIS to prefer GCM-based ciphers.
D.Apply a hotfix from Microsoft that removes TLS 1.0 support.
AnswerC

This directly implements the policy and only affects prohibited protocols and ciphers.

Why this answer

Option C is correct because Windows Server 2019 exposes both settings natively. Protocol versions are controlled by Schannel registry keys: under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server (and the matching TLS 1.1\Server key, since the policy covers every version below 1.2) set the DWORD 'Enabled' to 0 and 'DisabledByDefault' to 1, then reboot. The cipher suite list is set with the SSL Cipher Suite Order group policy (Computer Configuration > Administrative Templates > Network > SSL Configuration Settings) or with the Enable-TlsCipherSuite / Disable-TlsCipherSuite PowerShell cmdlets; removing every suite whose name lacks 'GCM' leaves only AEAD suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. ('SchUseStrongCrypto' is a .NET Framework setting that changes the defaults of .NET client code; it does not set the Schannel cipher order that IIS uses.) This directly enforces the policy, disabling TLS below 1.2 and non-GCM suites, while legacy clients that can negotiate TLS 1.2 with a GCM suite keep working. Verify with an external scanner or 'openssl s_client -tls1' before and after the change, and confirm the legacy clients still connect.

Exam trap

The trap here is that candidates may assume a reverse proxy or an OS upgrade is required to enforce strong TLS settings, when in fact Windows Server 2019 fully supports disabling TLS 1.0 and configuring cipher suites natively through registry and IIS settings without additional hardware or software.

How to eliminate wrong answers

Option A is wrong because Windows Server 2022 still ships with TLS 1.0 and 1.1 enabled in Schannel (they were first disabled by default in Windows Server 2025 and Windows 11 24H2), so the upgrade does not by itself remove them, and an in-place OS upgrade is a far larger change than the policy requires. Option B is wrong because a reverse proxy adds complexity and a potential single point of failure; the policy can be met directly on the IIS server without an additional component, and the question asks for an action the administrator should take on the server, not a workaround around it. Option D is wrong because there is no Microsoft hotfix that removes TLS 1.0 support; TLS 1.0 is a protocol implemented by the Schannel security package and is turned off through registry or group policy configuration, not by a patch.
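The policy in this scenario can also be expressed as code and checked from a client, which is a useful acceptance test after the registry and cipher-order changes. The example below is added here and is not from the original page; it uses Python's standard ssl module (OpenSSL underneath) to build a client context that only offers TLS 1.2+ with GCM suites, and a small function that grades scanner findings against the same policy. The SCAN_FINDINGS list is constructed to mirror the scenario, not real scanner output.

```python
import ssl

# Policy from the scenario: nothing below TLS 1.2, and only GCM cipher suites.
# For the TLS 1.2 suite list this is an OpenSSL cipher string; TLS 1.3 suites are
# configured separately by OpenSSL and are AEAD-only by design.
POLICY_TLS12_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"


def policy_context() -> ssl.SSLContext:
    """Client context that refuses everything the policy prohibits.

    Pointing ctx.wrap_socket() at the IIS host after the change is a quick
    functional test: the handshake must succeed, and it cannot have used
    TLS 1.0/1.1 or a CBC suite because this side never offers them.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(POLICY_TLS12_CIPHERS)
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> list:
    """Cipher suites this context would offer, as OpenSSL reports them."""
    return ctx.get_ciphers()


def suite_violations(findings) -> list:
    """Grade (protocol, suite) pairs from a scanner report against the policy."""
    allowed = {"TLSv1.2", "TLSv1.3"}
    violations = []
    for proto, suite in findings:
        if proto not in allowed:
            violations.append(f"{proto} {suite}: protocol below TLS 1.2")
        elif proto == "TLSv1.2" and "GCM" not in suite:
            violations.append(f"{proto} {suite}: non-GCM cipher suite")
    return violations


# Constructed scan findings mirroring the scenario (not real scanner output).
SCAN_FINDINGS = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
]


if __name__ == "__main__":
    for v in suite_violations(SCAN_FINDINGS):
        print("VIOLATION:", v)
    print("client will offer:", [s["name"] for s in offered_suites(policy_context())])
```

Run it before the change and the handshake against the server should fail (no common suites if only TLS 1.0/CBC are on offer); after the change it should succeed. The violation grader is the same rule the scanner applies, so the two findings it reports for the constructed list are exactly the two the policy prohibits.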

123
Multi-Selectmedium

Which TWO actions are part of the containment phase of incident response?

Select 2 answers
A.Restoring from backups
B.Analyzing root cause
C.Applying temporary patches
D.Isolating affected systems
E.Preserving evidence
AnswersC, D

Temporary patches can contain the vulnerability while permanent fixes are developed.

Why this answer

During the containment phase of incident response, the immediate priority is to stop the incident from spreading or causing further damage. Applying temporary patches (C) can quickly close a vulnerability that is being exploited, while isolating affected systems (D) prevents lateral movement and further compromise. Both actions are short-term measures to contain the threat before eradication and recovery begin.

Exam trap

ISC2 often tests the distinction between containment actions (immediate stop-gap measures) and recovery or analysis actions, so candidates mistakenly select 'restoring from backups' or 'analyzing root cause' as containment steps.

124
Multi-Selectmedium

Which THREE of the following are valid methods for authenticating users in a web application? (Choose three.)

Select 3 answers
A.IP address whitelisting
B.SAML
C.OAuth 2.0
D.HTTP Basic Authentication
E.LDAP
AnswersB, C, D

SAML enables single sign-on across domains.

Why this answer

SAML (Security Assertion Markup Language) is a valid method for authenticating users in a web application because it is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It enables single sign-on (SSO) by allowing the SP to trust the IdP's assertion of the user's identity, making it a widely adopted federated authentication protocol.

Exam trap

ISC2 often tests the distinction between authentication and authorization or access control, leading candidates to mistakenly select IP whitelisting (a network-layer access control) as an authentication method, or LDAP (a directory protocol) as a direct authentication protocol rather than a backend service.

125
MCQhard

A large e-commerce company has a disaster recovery (DR) plan that requires Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for its customer database. The database runs on a clustered SQL server with synchronous replication to a standby server in a different data center. During a recent test, the IT team found that failover took 3 hours, but due to a replication lag of 45 minutes, some transactions were lost. The team needs to meet both RTO and RPO. Which of the following changes should the team implement FIRST?

A.Implement asynchronous replication to a third site
B.Increase the bandwidth between data centers
C.Shorten the synchronization interval from 45 minutes to 15 minutes
D.Automate the failover process with orchestration scripts to reduce manual steps
AnswerD

Automation removes the manual steps that make failover take 3 hours, shortening it and restoring margin under the 4-hour RTO.

Why this answer

Option D is correct because failover time is what drives RTO: a 3-hour manual process leaves almost no margin against a 4-hour RTO and will breach it if any step is delayed, so automating it is the first change. Option A adds a third site but does nothing to speed up failover. Option B may reduce replication lag but does not shorten the manual failover steps. Option C targets RPO rather than RTO, and the 45-minute lag is already inside the 1-hour RPO, so it is not the most urgent fix.

126
MCQeasy

A security analyst is reviewing vulnerability scan results and finds a critical vulnerability on a web server. The patch is available but requires a reboot. What should the analyst do first?

A.Apply the patch immediately to reduce risk
B.Assess the exploitability and impact to determine remediation priority
C.Re-scan the server to confirm the vulnerability
D.Ignore the vulnerability because the patch is available
AnswerB

Risk assessment ensures proper prioritization.

Why this answer

Option B is correct because the first step in vulnerability management is to assess the exploitability and business impact of the vulnerability before taking action. Even though a patch is available, the analyst must determine if the vulnerability is actively exploitable in the current environment and what the potential impact would be, as a reboot may cause service disruption. This aligns with the risk-based prioritization approach required by frameworks like NIST SP 800-40 and the SSCP's focus on balancing security with operational continuity.

Exam trap

ISC2 often tests the misconception that a critical vulnerability must be patched immediately regardless of operational impact, tempting candidates to choose 'apply the patch immediately' without considering the risk assessment and change management steps required by the SSCP's risk identification domain.

How to eliminate wrong answers

Option A is wrong because applying the patch immediately without assessing impact could cause unnecessary downtime or break dependencies, especially if the web server hosts critical applications; patching should follow a change management process. Option C is wrong because re-scanning to confirm the vulnerability is redundant—the scan already identified it, and the priority is to evaluate risk, not re-validate the scanner's findings. Option D is wrong because ignoring a critical vulnerability simply because a patch exists is negligent; the patch's availability is a reason to act, not to ignore, but action must be prioritized based on risk.

127
MCQeasy

A small business uses a single Windows Server 2016 machine that also acts as a domain controller, file server, and runs a custom application for inventory management. The server recently exhibited slow performance and frequent crashes. The system administrator runs antivirus and finds no malware. The event log shows several 'Event ID 7000' errors from the Service Control Manager, indicating certain services failed to start. The administrator also notices that the server has not been restarted in 180 days and has several pending updates. What is the most likely cause of the performance issues?

A.A rootkit infection that the antivirus failed to detect.
B.The server has not been restarted for an extended period and has pending updates.
C.A heavily fragmented hard drive.
D.A memory leak in the custom application.
AnswerB

Lack of restarts can lead to resource exhaustion, and pending updates may address performance bugs.

Why this answer

Option B is correct because pending updates often include bug fixes and performance improvements, and 180 days without a restart lets leaked memory, stale handles and half-applied updates accumulate until services fail to start (the Event ID 7000 errors). Option A is unlikely because the antivirus found no malware and nothing in the scenario points to a rootkit; a clean scan is not proof of absence, but it is not the most likely cause here. Option C is wrong because fragmentation slows disk I/O but does not cause service start failures. Option D is wrong because nothing ties the symptoms to the custom application specifically; a leak in one process would show up as that process's memory growth, not as unrelated services failing to start.

128
MCQmedium

A security analyst reviews the TLS configuration of a web server and notices that the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is enabled. The analyst recommends disabling RSA key exchange and enabling ECDHE. Which security property does ECDHE provide that RSA key exchange lacks?

A.ECDHE provides perfect forward secrecy.
B.ECDHE is faster than RSA key exchange.
C.ECDHE is required by PCI DSS for all web transactions.
D.ECDHE uses smaller key sizes for equivalent security.
AnswerA

This ensures that compromise of the server's long-term key does not expose past session keys.

Why this answer

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) provides Perfect Forward Secrecy (PFS), meaning that if the server's long-term private key is compromised, past session keys cannot be derived. RSA key exchange does not provide PFS because the session key is encrypted with the server's static RSA public key; if the private key is later exposed, all recorded sessions can be decrypted.

Exam trap

The trap here is that candidates confuse the general benefits of elliptic curve cryptography (smaller keys, speed) with the specific security property of Perfect Forward Secrecy, which is the unique advantage of ephemeral Diffie-Hellman over static RSA key exchange.

How to eliminate wrong answers

Option B is wrong because ECDHE is not inherently faster than RSA key exchange; while ECDHE can have lower computational overhead in some contexts, performance depends on implementation and key sizes, and speed is not the primary security property. Option C is wrong because PCI DSS does not require ECDHE specifically; it requires the use of strong cryptography and may recommend PFS, but it does not mandate ECDHE for all web transactions. Option D is wrong because while ECDHE does use smaller key sizes for equivalent security compared to RSA, this is a property of elliptic curve cryptography in general, not the specific security property that RSA key exchange lacks—the key distinction is PFS.
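The difference between the two key exchanges is easiest to see by playing both sides and then handing the attacker a recorded transcript plus the server's leaked long-term key. The example below is added here and is not from the original page. It uses textbook RSA with tiny parameters (n=3233, e=17, d=2753) and a demonstration Diffie-Hellman group (prime 2**255-19, generator 2) purely to show the shape of the exchanges; real deployments use 2048-bit RSA keys and named groups such as X25519 or P-256, but the attacker's situation is the same.

```python
import hashlib
import secrets

# Textbook RSA key (p=61, q=53): n=3233, e=17, d=2753. Toy sizes for illustration only;
# the shape of the attack is identical with a 2048-bit key.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

# Demo Diffie-Hellman group: prime 2**255-19 with generator 2. Illustrative only;
# real (EC)DHE uses named groups such as X25519, P-256 or the RFC 7919 ffdhe groups.
DH_P = 2**255 - 19
DH_G = 2


def derive_session_key(shared_secret: int) -> bytes:
    """Stand-in for the TLS key schedule: session key = H(shared secret)."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def rsa_key_exchange():
    """TLS_RSA_* style: the client picks the premaster secret and encrypts it to the
    server's static public key. Returns what a passive eavesdropper records, and the key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return transcript, derive_session_key(premaster)


def attacker_recovers_rsa_session(transcript, leaked_d: int) -> bytes:
    """Later compromise of the static private key decrypts every recorded premaster."""
    premaster = pow(transcript["encrypted_premaster"], leaked_d, RSA_N)
    return derive_session_key(premaster)


def _sign_share(pub: int) -> int:
    digest = int.from_bytes(hashlib.sha256(pub.to_bytes(32, "big")).digest(), "big") % RSA_N
    return pow(digest, RSA_D, RSA_N)  # toy RSA signature made with the static key


def verify_server_share(transcript) -> bool:
    """Anyone with the public key checks the signature: it authenticates, it encrypts nothing."""
    digest = int.from_bytes(hashlib.sha256(transcript["pub_b"].to_bytes(32, "big")).digest(), "big") % RSA_N
    return pow(transcript["signature"], RSA_E, RSA_N) == digest


def dhe_key_exchange():
    """(EC)DHE style: fresh exponents per session; the static key only signs the server's share."""
    a = secrets.randbelow(DH_P - 2) + 1        # client ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 1        # server ephemeral secret
    pub_a, pub_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"pub_a": pub_a, "pub_b": pub_b, "signature": _sign_share(pub_b)}
    shared = pow(pub_b, a, DH_P)               # == pow(pub_a, b, DH_P); a and b are then discarded
    return transcript, derive_session_key(shared)


def attacker_recovers_dhe_session(transcript, leaked_d: int, max_guesses: int = 100_000):
    """The leaked signing key gives no path to g^ab. The only route from the recorded
    transcript is a discrete logarithm; a bounded brute force stands in for it and fails."""
    # leaked_d is deliberately unused: it could forge future signatures, not unlock past sessions.
    candidate = 1
    for guess in range(1, max_guesses + 1):
        candidate = candidate * DH_G % DH_P    # g**guess mod p, computed incrementally
        if candidate == transcript["pub_a"]:
            return derive_session_key(pow(transcript["pub_b"], guess, DH_P))
    return None
```

With RSA key exchange the recorded ciphertext plus the leaked private key yields the exact session key. With DHE the same leak lets the attacker verify or forge signatures but the session key was derived from exponents that never left the two endpoints, which is what "forward secrecy" means in practice.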

129
Multi-Selecteasy

Which TWO of the following are key components of the risk identification process?

Select 2 answers
A.Identifying assets and their value
B.Prioritizing risks based on impact
C.Selecting risk treatment options
D.Identifying threats and vulnerabilities
E.Calculating the annualized loss expectancy
AnswersA, D

Assets are the foundation for understanding what is at risk.

Why this answer

Option A is correct because identifying assets and their value is a foundational step in the risk identification process. Without knowing what assets exist and their relative importance, you cannot determine which threats and vulnerabilities pose the greatest risk. This step ensures that risk assessment efforts are focused on the most critical resources.

Exam trap

ISC2 often tests the distinction between risk identification and risk analysis, so candidates mistakenly select options like prioritizing risks (B) or calculating ALE (E) as part of identification, when they actually belong to later stages of the risk management process.

130
Multi-Selectmedium

Which THREE are effective controls against internal network threats?

Select 3 answers
A.Network segmentation
B.Employee security awareness training
C.Intrusion detection system (IDS)
D.Single sign-on (SSO)
E.Data loss prevention (DLP)
AnswersA, B, E

Isolates sensitive systems to contain breaches.

Why this answer

Network segmentation (A) is effective because it divides the network into isolated segments, limiting lateral movement of threats. By using VLANs or firewalls, an attacker who compromises one segment cannot easily access other critical systems, reducing the blast radius of an internal breach.

Exam trap

ISC2 often tests the distinction between detection and prevention, so candidates mistakenly choose IDS (C) as a control against internal threats, but it only detects, not blocks, unlike network segmentation or DLP which actively prevent or contain threats.

131
MCQhard

During a code review, you discover that an application stores passwords in plaintext. What is the most secure remediation?

A.Hash passwords with MD5
B.Use bcrypt with a unique salt per password
C.Use AES encryption of passwords
D.Store passwords in a database with restricted access
AnswerB

Bcrypt is slow and salted, making brute force impractical.

Why this answer

Bcrypt with a unique salt is designed for password storage; it is slow and resistant to brute force. MD5 is fast and weak. AES encryption is reversible if the key is compromised.

Database access control does not protect if the database is breached.
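The pieces of question 124 (HTTP Basic as a web authentication method) and question 131 (salted, slow password hashing) fit together in one server-side check, shown below as an added example that is not from the original page. The page's answer is bcrypt; this example uses hashlib.scrypt because it ships with Python and has the two properties the answer relies on, a unique per-password salt and a tunable cost, whereas bcrypt needs a third-party package. The user store, usernames and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# scrypt work factor: raise N until one verification costs roughly 100 ms on the
# production hardware. 2**14 with r=8 needs about 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str) -> str:
    """Slow, salted, memory-hard hash. Stores the parameters with the hash so they can be raised later."""
    salt = secrets.token_bytes(16)  # unique per password, so equal passwords yield different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


def legacy_md5(password: str) -> str:
    """What option A would store: fast and unsalted, so equal passwords collide and rainbow tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Verified for unknown usernames so response time does not reveal which accounts exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def basic_header(user: str, password: str) -> str:
    """Client side of HTTP Basic: Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header: str):
    """Server side: decode the header; returns (user, password) or None on malformed input."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def authenticate(header: str, users: dict):
    """Return the authenticated username, or None. Only ever compare against salted hashes."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    ok = verify_password(password, users.get(user, DUMMY_HASH))
    return user if ok and user in users else None


# Constructed user store (not from the original page); plaintext passwords never appear in it.
USERS = {"alice": hash_password("correct horse battery staple")}
```

Two details matter beyond "use bcrypt": the comparison is constant-time, and an unknown username still runs the KDF against a dummy hash so an attacker cannot enumerate accounts by timing. Basic authentication only makes sense over TLS, since the header carries the password itself.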

132
MCQhard

An organization has suffered a sophisticated attack where the attacker compromised a domain controller and used it to move laterally to several file servers. The incident response team has isolated the domain controller and some file servers, but they suspect that the attacker may have created hidden accounts and modified permissions to maintain access. The team needs to ensure that the attacker's access is entirely removed before restoring operations. The organization has a large number of users and complex Active Directory structure. The incident response plan outlines containment, eradication, recovery, and post-incident analysis. The team has forensic imaging of the domain controller and file servers. What is the MOST comprehensive approach to eradicate the attacker's presence?

A.Reset all domain user passwords and force a password change at next logon.
B.Use a tool to scan for hidden accounts and reset permissions on all file servers.
C.Perform a forensic analysis of the domain controller to identify all backdoors, hidden accounts, and unauthorized permission changes.
D.Rebuild the domain controller from a known good backup and reset all service account passwords.
AnswerC

Correct: Forensic analysis provides a complete picture of the attacker's actions and allows targeted eradication.

Why this answer

Option C is correct because the most comprehensive approach to eradicating an attacker after a domain controller compromise is a forensic analysis of the domain controller. It can identify backdoors, hidden accounts (e.g., newly created accounts named to look like service accounts, accounts quietly added to privileged groups, or SID History entries that grant inherited privilege), unauthorized permission changes (e.g., replication rights on the domain object that enable DCSync, or edits to AdminSDHolder that reapply to protected groups), and other persistence such as scheduled tasks, services and SPN modifications. Without this deep analysis the attacker's access may persist after password resets or server rebuilds. Once the findings are in hand, eradication also includes resetting the krbtgt account password twice to invalidate any forged Kerberos tickets.

Exam trap

The trap here is that candidates often choose password resets or backup restoration as a quick fix, but fail to recognize that sophisticated attackers implant multiple persistence mechanisms (e.g., hidden accounts, modified ACLs, domain-level backdoors) that survive these actions without a comprehensive forensic analysis.

How to eliminate wrong answers

Option A is wrong because resetting all domain user passwords and forcing a password change at next logon does not remove hidden accounts, backdoors, or unauthorized permission changes; the attacker could still use hidden accounts or modified ACLs to regain access. Option B is wrong because scanning for hidden accounts and resetting permissions on file servers only addresses lateral movement targets, not the root compromise on the domain controller; the attacker could still leverage domain-level persistence (e.g., Golden Ticket, DCSync rights) to re-compromise the environment. Option D is wrong because rebuilding the domain controller from a known good backup may reintroduce the same vulnerabilities if the backup is from after the compromise, and resetting only service account passwords does not address hidden user accounts or modified permissions on the domain controller or file servers.

133
MCQeasy

A small business with 20 employees uses a legacy customer relationship management (CRM) application that supports only RC4 encryption for data transmission between the client and server. The company must comply with a new industry regulation that mandates the use of strong encryption (e.g., AES or TLS 1.2+). The IT manager has attempted to upgrade the CRM application, but the vendor has discontinued support and no updates are available. The company cannot afford to replace the CRM immediately, but must achieve compliance within 60 days. The network consists of a single Windows Server 2016 running the CRM server application and 20 Windows 10 workstations. All systems are on a flat internal network. The IT manager proposes several options. Which action is the most appropriate to achieve compliance?

A.Replace the legacy CRM application with a modern web-based CRM that supports TLS 1.2.
B.Continue using RC4 and accept the risk, since the network is isolated.
C.Place a reverse proxy in front of the CRM server that terminates TLS and forwards requests to the server using RC4.
D.Deploy a VPN tunnel between each workstation and the server to encapsulate the RC4 traffic.
AnswerA

Replacing the application ensures strong encryption is used and achieves compliance.

Why this answer

Option A is correct because replacing the legacy CRM with a modern web-based CRM that supports TLS 1.2 directly satisfies the regulation's requirement for strong encryption (AES or TLS 1.2+). This is the only option that eliminates the use of RC4 entirely and achieves compliance within the 60-day timeframe, as the company cannot upgrade the unsupported legacy application.

Exam trap

The trap here is that candidates may think a VPN or reverse proxy 'wraps' the weak encryption to achieve compliance, but the regulation requires the application itself to use strong encryption, not just the network tunnel.

How to eliminate wrong answers

Option B is wrong because accepting the risk of using RC4 violates the mandatory regulation, regardless of network isolation; compliance is not optional and RC4 is considered weak due to known vulnerabilities (e.g., biases in its keystream). Option C is wrong because placing a reverse proxy that terminates TLS but forwards requests to the server using RC4 still exposes the internal traffic to RC4 encryption, which does not meet the regulation's requirement for strong encryption end-to-end. Option D is wrong because deploying a VPN tunnel encapsulates the RC4 traffic but does not replace it; the CRM application still uses RC4 for its own data transmission, and the regulation mandates strong encryption for the application layer, not just the transport layer.

134
MCQhard

A company runs containerized applications in a Kubernetes cluster. They need to ensure that containers run with the least privilege and cannot escalate privileges. Which configuration change is MOST effective?

A.Set the container to run as non-root user
B.Drop all Linux capabilities from the container
C.Mount the container root filesystem as read-only
D.Enable SELinux enforcing mode on the host
AnswerC

Prevents writing to the container's filesystem, limiting impact of a compromise.

Why this answer

Option C is keyed as correct because a read-only root filesystem prevents the container from writing to its own image, which limits what a compromised process can drop or modify. Option A is incomplete on its own: running as non-root matters, but a non-root process can still escalate through setuid binaries or retained capabilities. Option B reduces the attack surface but does not stop writes to the root filesystem. Option D adds a host-level layer but is not a per-container privilege control.

In practice all four settings belong together in the pod's securityContext, and the explicit Kubernetes switch for the "cannot escalate privileges" requirement is allowPrivilegeEscalation: false, which is not among the options; the Pod Security Standards "restricted" profile requires it alongside runAsNonRoot and dropping all capabilities.
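A practitioner rarely picks one of these settings; they apply all of them and enforce them at admission. The example below is added here and is not from the original page: a small audit of a pod manifest (represented as a Python dict rather than YAML so it runs without extra libraries) that reports every missing least-privilege setting, plus a function that applies the hardened securityContext. The manifest and image names are constructed.

```python
from copy import deepcopy


def audit_pod(manifest: dict) -> list:
    """Return one finding per least-privilege setting a container is missing."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        drops = {cap.upper() for cap in caps.get("drop", [])}
        adds = {cap.upper() for cap in caps.get("add", [])} - {"NET_BIND_SERVICE"}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        if adds:
            findings.append(f"{name}: adds capabilities {sorted(adds)}")
    return findings


def hardened(manifest: dict) -> dict:
    """Apply the four options from the question plus allowPrivilegeEscalation: false.
    A read-only root needs an explicit writable scratch volume for anything that writes to /tmp."""
    out = deepcopy(manifest)
    out["spec"]["securityContext"] = {
        "runAsNonRoot": True,
        "runAsUser": 10001,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    for c in out["spec"]["containers"]:
        c["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]},
        }
        c.setdefault("volumeMounts", []).append({"name": "tmp", "mountPath": "/tmp"})
    out["spec"].setdefault("volumes", []).append({"name": "tmp", "emptyDir": {}})
    return out


# Constructed manifest (not from the original page): a typical default with no securityContext.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}


if __name__ == "__main__":
    for finding in audit_pod(WEAK_POD):
        print("FINDING:", finding)
    print("hardened findings:", audit_pod(hardened(WEAK_POD)))
```

The same checks are what a Pod Security Admission "restricted" policy or an OPA/Kyverno rule would enforce cluster-wide; the audit function is the offline version of that gate.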

135
MCQeasy

You are the security analyst at a mid-sized retail company with 500 employees. The company recently experienced a ransomware attack that encrypted files on a file server. The infection was traced to a phishing email opened by an employee in accounting. The company has antivirus software, a firewall, and daily backups. After the incident, management wants to improve risk identification to prevent future attacks. Which of the following is the MOST effective first step to improve risk identification?

A.Implement a data loss prevention (DLP) solution to monitor email traffic
B.Conduct a risk assessment that includes threat modeling and vulnerability scanning
C.Deploy a SIEM system to aggregate logs from all systems
D.Review the logs of the compromised file server for forensic details
AnswerB

A comprehensive risk assessment identifies all relevant risks.

Why this answer

Option B is correct because performing a comprehensive risk assessment focusing on people, process, and technology will identify gaps like phishing training gaps, technical controls, etc. Option A only addresses one attack vector; C is reactive; D is a control but not a direct identification step.

136
MCQmedium

Refer to the exhibit. A user reports being unable to remote desktop (RDP) into a Windows server. Given the event log, what is the most likely cause?

A.The user does not have the 'Allow log on through Remote Desktop Services' user right
B.The user account is locked out
C.The server is not a member of the domain
D.The user's Kerberos ticket has expired
AnswerA

The failure reason clearly states the logon type is not granted; this user right is required for RDP access.

Why this answer

The event log shows an 'An account failed to log on' event (ID 4625) with the failure reason 'The user has not been granted the requested logon type at this machine' (Status 0xC000015B). For Remote Desktop connections the requested logon type is 'RemoteInteractive' (logon type 10). This specific status means the account lacks the 'Allow log on through Remote Desktop Services' user right, or is matched by the 'Deny log on through Remote Desktop Services' right, which overrides it; both are assigned under User Rights Assignment in Local Security Policy or Group Policy. Without the right the RDP session is refused at the logon stage even when the username and password are correct.

Exam trap

The trap here is that candidates often assume RDP failures are due to network issues, firewall rules, or account lockouts, when the event log's specific failure reason (logon type denial) directly points to a missing user right assignment.

How to eliminate wrong answers

Option B is wrong because a locked-out account produces a different status in the 4625 event, 0xC0000234 ('account locked out'), not a logon type denial. Option C is wrong because domain membership is not required for RDP; a standalone server accepts RDP connections if the user has local credentials and the appropriate user right. Option D is wrong because an expired Kerberos ticket does not appear as a logon type restriction; the client simply requests a fresh ticket from the KDC, and a ticket problem surfaces in the Kerberos events (4768/4769) with a Kerberos error code such as KRB_AP_ERR_TKT_EXPIRED, not as Status 0xC000015B in a 4625.
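Reading the Status and Sub Status fields is what turns a 4625 into a diagnosis, and it is easy to automate. The example below is added here and is not from the original page: it parses the text of a 4625 event, maps the logon type and NTSTATUS codes, and returns the likely cause. The three event texts are constructed in the layout Windows uses for 4625; the account names and addresses are invented.

```python
import re

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# NTSTATUS values as they appear in 4625 Status / Sub Status fields.
NTSTATUS = {
    0xC000015B: "user has not been granted the requested logon type at this machine",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC0000071: "password expired",
    0xC0000193: "account expired",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "workstation restriction",
    0xC000006D: "bad user name or authentication information",
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
}

FIELD = re.compile(r"^\s*(Logon Type|Account Name|Status|Sub Status):\s*(\S.*?)\s*$", re.M)


def parse_4625(text: str) -> dict:
    fields = {}
    for key, value in FIELD.findall(text):
        fields[key] = value   # 'Account Name' appears under Subject first; the target account comes last
    return {
        "logon_type": int(fields["Logon Type"]),
        "account": fields.get("Account Name"),
        "status": int(fields["Status"], 16),
        "sub_status": int(fields["Sub Status"], 16),
    }


def diagnose(event: dict) -> str:
    kind = LOGON_TYPES.get(event["logon_type"], str(event["logon_type"]))
    if event["logon_type"] == 10 and event["status"] == 0xC000015B:
        return (f"{event['account']}: {kind} (RDP) denied; the account lacks the "
                "'Allow log on through Remote Desktop Services' right or matches the "
                "'Deny log on through Remote Desktop Services' right")
    # For 0xC000006D the Sub Status carries the specific reason.
    code = event["sub_status"] if event["status"] == 0xC000006D and event["sub_status"] in NTSTATUS \
        else event["status"]
    reason = NTSTATUS.get(code, f"unmapped NTSTATUS 0x{code:08X}")
    return f"{event['account']}: {kind} logon failed: {reason}"


def _event(logon_type, account, status, sub_status, reason):
    """Build a 4625 body in the layout Windows uses (constructed sample, not a real log)."""
    return (
        "An account failed to log on.\n\nSubject:\n    Security ID:      NULL SID\n"
        "    Account Name:     -\n    Account Domain:   -\n    Logon ID:         0x0\n\n"
        f"Logon Type:           {logon_type}\n\nAccount For Which Logon Failed:\n"
        f"    Security ID:      NULL SID\n    Account Name:     {account}\n    Account Domain:   CORP\n\n"
        f"Failure Information:\n    Failure Reason:   {reason}\n    Status:           {status}\n"
        f"    Sub Status:       {sub_status}\n\nNetwork Information:\n"
        "    Workstation Name: LAPTOP-42\n    Source Network Address: 10.20.30.40\n"
    )


EVENT_LOGON_TYPE_DENIED = _event(10, "jdoe", "0xC000015B", "0x0",
                                 "The user has not been granted the requested logon type at this machine.")
EVENT_LOCKED_OUT = _event(10, "jdoe", "0xC0000234", "0x0", "Account locked out.")
EVENT_BAD_PASSWORD = _event(3, "jdoe", "0xC000006D", "0xC000006A", "Unknown user name or bad password.")


if __name__ == "__main__":
    for sample in (EVENT_LOGON_TYPE_DENIED, EVENT_LOCKED_OUT, EVENT_BAD_PASSWORD):
        print(diagnose(parse_4625(sample)))
```

On a real host the same text comes from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} and the Message property; the parser is deliberately written against the message layout so it works on exported .evtx text as well.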

137
MCQhard

You are the incident response lead for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers (Active Directory, file shares, and a SQL database) and cloud services (Office 365, Azure VMs). At 2:00 PM on a Tuesday, the helpdesk receives multiple calls that users cannot access the file shares. Simultaneously, the SOC alerts on unusual outbound traffic from the domain controller (DC) to an external IP on port 443. The DC is also running a scheduled antivirus scan. The file server (FS) shows no signs of compromise but is responding slowly. The backup system reports that last night's backup of the DC failed due to a 'volume shadow copy error'. The backup of the FS succeeded. You need to take immediate action. What should you do FIRST?

A.Run a full malware scan on the domain controller.
B.Restore the file server from last night's backup.
C.Isolate the domain controller from the network.
D.Disable the domain controller's antivirus to improve performance.
AnswerC

Immediate containment stops the attack and preserves evidence.

Why this answer

The domain controller (DC) is showing signs of active compromise: unusual outbound traffic on port 443 (consistent with command-and-control) and a failed backup caused by a volume shadow copy error, which is consistent with an attacker deleting shadow copies, a common precursor to ransomware and to destroying recovery points. Isolating the DC first cuts the attacker's channel and prevents lateral movement, which is the highest priority in incident response. Running a scan or restoring other systems before containment gives the attacker time to spread or destroy more data.

Exam trap

The trap here is that candidates see a failed backup and slow file server and jump to recovery actions (restore or scan), failing to recognize that the DC's outbound traffic and VSS error are the highest-priority indicators of an active breach requiring immediate containment.

How to eliminate wrong answers

Option A is wrong because running a full malware scan on a potentially compromised DC while it is still connected to the network could alert the attacker, trigger destructive actions, or allow the scan to be tampered with; containment must precede any scanning. Option B is wrong because restoring the file server from backup does not address the active threat on the DC, and the file server shows no signs of compromise—restoring it prematurely could reintroduce a vulnerability if the DC is later used to reinfect it. Option D is wrong because disabling the antivirus on the DC would remove a critical defense layer, potentially allowing the attacker to operate unimpeded; the antivirus scan is not the cause of the performance issue—the compromise is.

138
Drag & Dropmedium

Drag and drop the steps for setting up a certificate authority (CA) in Windows Server into the correct order.


Why this order

Windows CA setup: install role, configure CA type, set storage, install, test.

139
MCQeasy

A company implements a policy that requires all employees to change their passwords every 60 days. Which of the following is the PRIMARY security benefit of this requirement?

A.Ensuring compliance with data privacy laws.
B.Reducing the risk of password reuse across multiple sites.
C.Limiting the window of opportunity for a compromised password.
D.Simplifying the account lockout process.
AnswerC

The shorter the validity, the less time an attacker has.

Why this answer

Password expiration policies limit the exposure window for compromised credentials. If an attacker obtains a password, the 60-day rotation ensures that the stolen credential stops working after that period, reducing how long undetected access can persist. That is the traditional rationale the exam keys on. Current guidance (NIST SP 800-63B) advises against forced periodic rotation unless compromise is suspected, because it pushes users toward predictable variations of the old password; the question asks for the intended benefit of the policy, not whether the policy is still best practice.

Exam trap

ISC2 often tests the distinction between a primary security benefit and a secondary compliance or administrative convenience; the trap here is that candidates see 'compliance' (Option A) and assume it is the main goal, but the actual security rationale is limiting the window of opportunity for a compromised password.

How to eliminate wrong answers

Option A is wrong because while password policies may help meet certain regulatory requirements (e.g., PCI DSS, HIPAA), the primary security benefit is not compliance itself—compliance is a secondary outcome, not the core security goal. Option B is wrong because password expiration does not directly prevent password reuse across different sites; that is addressed by password managers, unique password requirements, or blocklists, not rotation frequency. Option D is wrong because password expiration has no direct relationship with the account lockout process; lockout is triggered by failed login attempts, not password age.

140
Multi-Selectmedium

Which TWO of the following are key components of an organization's security policy framework? (Choose two.)

Select 2 answers
A.Standard operating procedures
B.Intrusion detection system
C.Access control lists
D.Security awareness training
E.Firewall rules
AnswersA, D

Standard operating procedures define how policies are implemented.

Why this answer

Standard operating procedures (SOPs) are a key component of an organization's security policy framework because they provide detailed, step-by-step instructions for implementing security controls and responding to incidents. SOPs operationalize high-level policies into actionable tasks, ensuring consistency and compliance across the organization. They are formal documents that define the 'how' of security operations, such as patch management or user account provisioning.

Exam trap

ISC2 often tests the distinction between policy framework documents (e.g., SOPs, policies) and technical controls (e.g., IDS, ACLs, firewall rules), leading candidates to confuse operational tools with governance components.

141
MCQmedium

A government agency requires all employees to use smart cards for network access. The security team notices a pattern of failed authentication attempts from a specific building after hours. The attempts occur every night at 2:00 AM for about 10 minutes. The building has a badge reader at the entrance. The team suspects an attacker is trying to brute-force smart card PINs. However, the building's door logs show no entry at that time. Which of the following should the security team do FIRST to identify the risk?

A.Correlate the authentication logs with physical access logs to see if any employee was present
B.Immediately isolate the building's network segment
C.Change all smart card PINs for that building's employees
D.Notify law enforcement about a potential cyberattack
AnswerA

Identifies whether the attempts are from legitimate users or external attacks.

Why this answer

Option A is correct because correlating the network authentication logs with the physical access logs establishes whether anyone was in the building, which tells the team whether the attempts come from an insider, a device left running a scheduled job, or a remote source using the building's network. Option B is disruptive and premature before the source is known. Option C assumes the outcome (a PIN brute force) before confirming it. Option D is premature until the team has determined what is actually happening.

142
MCQeasy

A security administrator needs to store sensitive customer data in a database. To protect the data at rest, which encryption method should be used?

A.RSA-2048
B.Blowfish in CTR mode
C.AES-256 in CBC mode
D.DES in ECB mode
AnswerC

AES-256 in CBC mode is a strong symmetric encryption suitable for data at rest.

Why this answer

AES-256 in CBC mode is the correct choice among the options because it is a strong, widely accepted symmetric cipher that provides confidentiality for data at rest. AES-256 uses a 256-bit key, making brute force infeasible, and CBC mode uses a random initialization vector (IV) so identical plaintext blocks produce different ciphertext, preventing pattern leakage. CBC is one of the modes specified in NIST SP 800-38A. A practitioner would note that CBC provides confidentiality only and is malleable, so for stored data an authenticated mode such as AES-GCM (or CBC plus an HMAC over the ciphertext) with a fresh IV per record is preferred; within these four options, however, C is the only one built on a modern cipher with an adequate key length.

Exam trap

The trap here is that candidates often confuse asymmetric encryption (RSA) with symmetric encryption for data at rest, or they overlook the weaknesses of legacy algorithms like DES and Blowfish, assuming any encryption is sufficient without considering key size and mode of operation.

How to eliminate wrong answers

Option A is wrong because RSA-2048 is an asymmetric encryption algorithm used for key exchange and digital signatures, not for encrypting large volumes of data at rest; it is computationally expensive and impractical for database encryption. Option B is wrong because Blowfish in CTR mode is a legacy cipher with a 64-bit block size, which is vulnerable to birthday attacks and not recommended for modern data-at-rest protection; CTR mode also turns the cipher into a stream cipher, which can introduce risks if the IV is reused. Option D is wrong because DES in ECB mode uses a 56-bit key that is easily brute-forced with modern hardware, and ECB mode encrypts identical plaintext blocks into identical ciphertext blocks, revealing patterns in the data.

143
MCQmedium

In a forensic investigation, a hash of a suspect file is computed. Which of the following is the primary purpose of hashing in this context?

A.To compress the file
B.To decrypt the file
C.To identify the file owner
D.To verify file integrity
AnswerD

Hashing creates a unique fingerprint to detect changes.

Why this answer

In forensic investigations, hashing (using algorithms like SHA-256 or MD5) produces a fixed-size digest of the file's contents that is unique in practice. The primary purpose is to verify file integrity by comparing the hash before and after analysis, ensuring the evidence has not been altered. This supports the chain of custody with cryptographic evidence, as any change to the file results in a completely different hash value.

Exam trap

ISC2 often tests the misconception that hashing is used for encryption or compression, leading candidates to confuse its integrity-checking role with data transformation or security functions.

How to eliminate wrong answers

Option A is wrong because hashing is not a compression algorithm; compression (e.g., ZIP, gzip) reduces file size for storage or transmission, while hashing produces a fixed-length digest regardless of file size and does not reduce the original data. Option B is wrong because hashing is a one-way function that cannot decrypt data; decryption requires a reversible cipher and a key, whereas hashing is irreversible by design. Option C is wrong because hashing identifies the file's content integrity, not the owner; file ownership is determined by metadata (e.g., NTFS security identifiers or Unix UID/GID) or digital signatures, not by a hash of the file's data.

144
MCQhard

Refer to the exhibit. A security analyst reviews the log and determines that the system was under a brute force attack. However, the analyst notices that the attack stopped after 5 minutes, and the IP address was not blocked. Which of the following is the MOST likely reason the attack stopped?

A.The SSH server's MaxAuthTries limit was exceeded.
B.The system's account lockout policy prevented further attempts.
C.The attacker achieved successful login.
D.The system's firewall dropped the traffic.
AnswerA

MaxAuthTries causes the connection to close after a set number of failures.

Why this answer

The SSH server's MaxAuthTries limit (default 6 in OpenSSH) causes the server to terminate the connection after a threshold of failed authentication attempts. This stops the attack on that specific TCP session, but does not block the IP address, which explains why the attack ceased after 5 minutes without any persistent block.

Exam trap

The trap here is confusing session-level authentication limits (MaxAuthTries) with persistent account lockout policies or firewall blocks, leading candidates to incorrectly choose account lockout or firewall options.

How to eliminate wrong answers

Option B is wrong because account lockout policies are typically enforced at the OS or PAM level, not by the SSH server itself, and would require a persistent block on the user account, not just a session termination. Option C is wrong because a successful login would show a successful authentication event in the log, not a cessation of attempts without any success record. Option D is wrong because if the firewall dropped the traffic, the IP address would be blocked and no further attempts would appear in the log, but the analyst noted the IP was not blocked.

145
MCQmedium

A developer wants to ensure that a web application is protected against cross-site request forgery (CSRF). Which mitigation technique is most commonly recommended?

A.Implement a Content Security Policy (CSP).
B.Enable HTTP Strict Transport Security (HSTS).
C.Sanitize all user input.
D.Use anti-CSRF tokens in forms.
E.Implement Cross-Origin Resource Sharing (CORS) headers.
AnswerD

Anti-CSRF tokens are validated by the server to ensure request legitimacy.

Why this answer

Option D is correct because anti-CSRF tokens are unique per session and validated on state-changing requests, ensuring the request originated from the legitimate site. Option A (Content Security Policy) mitigates XSS, not CSRF; B (HSTS) enforces HTTPS; C (input sanitization) is for injection; E (CORS) controls cross-origin reads.

146
MCQeasy

An organization wants to ensure that a software update has not been tampered with during download. Which cryptographic technique should be used?

A.Compute a SHA-256 hash of the update
B.Sign the update with the developer's private key
C.Encrypt the update with AES
D.Append a MAC (Message Authentication Code)
AnswerB

A digital signature ensures integrity and authenticates the developer.

Why this answer

Signing the update with the developer's private key provides both integrity and authenticity. When the user verifies the signature using the developer's public key, they can confirm that the update has not been tampered with and that it originated from the claimed developer. This is the standard approach for ensuring trust in software distribution, as used by code-signing mechanisms (e.g., Authenticode certificates, GPG signatures).

Exam trap

The trap here is that candidates confuse integrity-only mechanisms (hash, MAC) with the combined integrity and authenticity provided by digital signatures, or they mistakenly think encryption (AES) prevents tampering when it only provides confidentiality.

How to eliminate wrong answers

Option A is wrong because computing a SHA-256 hash alone provides integrity but no authentication; an attacker could replace both the update and its hash, and the user would have no way to detect the substitution. Option C is wrong because encrypting the update with AES ensures confidentiality but does not prevent tampering; an attacker could modify the ciphertext, and decryption would produce garbage, but the user would not know if the original plaintext was altered. Option D is wrong because appending a MAC (Message Authentication Code) provides integrity and authenticity only if both parties share a secret key; in a public download scenario, the user cannot verify the MAC without the shared secret, making it impractical for verifying the update's origin.

147
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-IP blocking. This activity is part of which risk management process?

A.Risk identification
B.Risk assessment
C.Risk reporting
D.Risk monitoring
AnswerD

Adjusting controls based on observed events is a core risk monitoring activity.

Why this answer

Option D is correct because the analyst is actively monitoring the VPN gateway for security events (failed logins) and then adjusting controls (lockout threshold, geo-IP blocking) in response to observed threats. This continuous observation and adjustment is the essence of risk monitoring, which is the ongoing process of tracking identified risks and evaluating the effectiveness of controls. The actions taken are not about identifying new risks, assessing their likelihood/impact, or formally reporting them, but rather about reacting to real-time data to maintain an acceptable risk posture.

Exam trap

The trap here is that candidates confuse 'monitoring' (ongoing observation and adjustment) with 'risk assessment' (quantitative/qualitative analysis), because adjusting thresholds feels like evaluating risk, but the question explicitly describes a reactive, operational action rather than a formal assessment process.

How to eliminate wrong answers

Option A is wrong because risk identification is the initial step of discovering and documenting potential risks (e.g., 'failed logins could indicate a brute-force attack'), but the analyst has already identified the risk and is now adjusting controls based on observed events. Option B is wrong because risk assessment involves evaluating the likelihood and impact of a risk (e.g., calculating the annualized loss expectancy), not implementing or tuning technical controls like lockout thresholds or geo-IP blocking. Option C is wrong because risk reporting is the formal communication of risk findings to stakeholders (e.g., via a risk register or executive summary), not the real-time operational adjustment of security configurations.

148
MCQmedium

A network administrator configured the above port security on an access port connected to a VoIP phone and a PC. A third device is connected to the phone's passthrough port. What will happen when the third device attempts to communicate?

A.The third device will be allowed to communicate because the phone's MAC is not counted.
B.The third device's traffic will be dropped, and a syslog message will be generated.
C.The port will be error-disabled.
D.The port will remain up but all traffic will be dropped.
AnswerB

'Restrict' drops excess traffic and logs the violation.

Why this answer

The port security configuration on the access port has a maximum MAC address count that includes the VoIP phone's MAC address. When a third device connects to the phone's passthrough port, it introduces an additional MAC address, exceeding the configured limit. The switch will then drop traffic from the third device and generate a syslog message, as the default violation mode is 'restrict' (or 'protect' depending on the configuration), which does not error-disable the port but discards offending frames and logs the event.

Exam trap

ISC2 often tests the misconception that the VoIP phone's MAC address is not counted toward port security limits, leading candidates to incorrectly choose that the third device is allowed, when in fact the phone's MAC is always counted unless a specific 'voice VLAN' exception is configured (which is not the case here).

How to eliminate wrong answers

Option A is wrong because the VoIP phone's MAC address is indeed counted toward the port security limit, as the phone is a network device with its own MAC; the statement that it is not counted is a common misconception. Option C is wrong because the default violation mode for port security is 'restrict' or 'protect', not 'shutdown'; 'shutdown' would error-disable the port, but the question implies a violation mode that drops traffic without disabling the port (as indicated by the correct answer generating a syslog message). Option D is wrong because while the port remains up, not all traffic is dropped; only traffic from the third device (the violating MAC) is dropped, while traffic from the phone and PC continues normally.

149
MCQhard

Based on the exhibit, which of the following best describes the firewall configuration?

A.The firewall allows only loopback traffic.
B.The firewall allows all traffic from the internal subnet.
C.The firewall allows SSH, HTTP, and HTTPS from the internal subnet and drops all other traffic.
D.The firewall allows all traffic from external sources.
AnswerC

The rules show ACCEPT for ports 22, 80, 443 from 10.0.0.0/24, and a final DROP all.

Why this answer

The exhibit shows an access control list (ACL) that explicitly permits TCP traffic on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) from the internal subnet (e.g., 192.168.1.0/24) to any destination, followed by an implicit deny all rule. This configuration allows only SSH, HTTP, and HTTPS from the internal subnet and drops all other traffic, matching option C.

Exam trap

The trap here is that candidates often overlook the implicit deny at the end of an ACL, assuming that only the listed permits exist and that all other traffic is allowed by default, rather than understanding that any traffic not explicitly permitted is dropped.

How to eliminate wrong answers

Option A is wrong because loopback traffic (127.0.0.0/8) is not explicitly permitted or denied in the ACL; the ACL focuses on the internal subnet, not loopback. Option B is wrong because the ACL does not allow all traffic from the internal subnet; it specifically permits only SSH, HTTP, and HTTPS, and denies everything else via the implicit deny. Option D is wrong because the ACL does not allow any traffic from external sources; it only permits traffic from the internal subnet, and external traffic would be subject to the implicit deny unless explicitly permitted.

150
Multi-Selecteasy

Which THREE of the following are data loss prevention (DLP) controls that can be implemented to protect sensitive data?

Select 3 answers
A.Require strong passwords for all user accounts
B.Encrypt sensitive data both at rest and in transit
C.Deploy endpoint DLP agents to monitor and block unauthorized data transfers
D.Classify data based on sensitivity and apply appropriate labels
E.Implement network firewalls to block all outbound traffic
AnswersB, C, D

Encryption renders data unreadable if leaked.

Why this answer

Options B, C, and D are correct. Data classification labels guide handling, encryption protects data at rest and in transit, and endpoint DLP agents can block unauthorized transfers. Option E is wrong because firewalls control network traffic but do not inspect data content.

Option A is wrong because strong passwords are authentication, not data loss prevention.
