Systems Security Certified Practitioner (SSCP) — Questions 151–225

504 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151 · Multi-Select · medium

Which TWO of the following are key components of a Security Information and Event Management (SIEM) system? (Select two.)

Select 2 answers
A. Vulnerability scanning
B. Centralized log collection and storage
C. Correlation and analysis engine
D. Intrusion detection system (IDS)
E. Data loss prevention (DLP)
Answers: B, C

Core function of SIEM.

Why this answer

Centralized log collection and storage is a core SIEM component because it aggregates logs from diverse sources (servers, firewalls, applications) into a single repository, enabling unified analysis and forensic investigation. Without this centralized data lake, the correlation engine would have no data to process, making the SIEM ineffective.

Exam trap

ISC2 often tests the misconception that SIEM includes active security controls like IDS or DLP, when in fact SIEM is a passive analysis and management platform that aggregates data from those tools.

152 · MCQ · easy

A company's incident response plan includes a step to preserve evidence. Which action BEST ensures the integrity of forensic evidence?

A. Turn off the system immediately
B. Copy files to a network share
C. Run a checksum on the live system
D. Create a forensic image with write blocker and hash
Answer: D

Forensic imaging with hashing ensures original data is unchanged.

Why this answer

Option D is correct because creating a forensic image with a write blocker ensures that the original data is not altered during acquisition, and hashing (e.g., SHA-256) provides a cryptographic integrity check that can later verify the image is an exact bit-for-bit copy. This preserves the chain of custody and admissibility of evidence in legal proceedings.

Exam trap

The trap here is that candidates confuse 'preserving evidence' with 'preserving system availability' or 'quick data capture,' leading them to choose turning off the system or copying files, which actually destroy or alter forensic integrity.

How to eliminate wrong answers

Option A is wrong because turning off the system immediately can cause loss of volatile data (e.g., RAM contents, network connections) and may trigger anti-forensic mechanisms or corrupt the file system. Option B is wrong because copying files to a network share alters file metadata (e.g., timestamps, access times) and does not capture deleted or hidden data, nor does it provide a verifiable hash of the original media. Option C is wrong because running a checksum on the live system modifies the system state (e.g., reading files changes access times) and the hash is taken from a potentially altered source, so it cannot guarantee the integrity of the original evidence.

153 · MCQ · medium

A company uses AWS for critical workloads. An analyst notices unauthorized API calls from an IP address outside the company. The logs show that the attacker used stolen access keys belonging to an IAM user with administrative privileges. The incident response team must contain the breach as quickly as possible. The analyst has access to the AWS Management Console and can use the CLI. The team is following the incident response plan. Which action should be taken FIRST to prevent further unauthorized actions?

A. Create a new security group to block the attacker's source IP at the network level.
B. Disable the compromised access keys using the IAM dashboard or CLI.
C. Delete the compromised IAM user immediately.
D. Rotate all IAM user access keys across the entire AWS account.
Answer: B

Correct: This directly stops the attacker's ability to authenticate with those keys.

Why this answer

The immediate priority in an access key compromise is to invalidate the stolen credentials to stop the attacker from making further API calls. Disabling the compromised access keys via the IAM dashboard or CLI (using `aws iam update-access-key --status Inactive`) is the fastest containment action that directly revokes the attacker's authentication token without disrupting other legitimate users or services.

Exam trap

ISC2 often tests the principle of least disruption during containment — candidates may choose to delete the user or block the IP, but the correct first step is to disable the specific compromised credential to stop the attack without breaking other dependencies.

How to eliminate wrong answers

Option A is wrong because creating a security group to block the attacker's source IP at the network level does not prevent the attacker from using the stolen keys from a different IP address, and AWS API calls are not filtered by security groups (which apply only to VPC network traffic, not to the AWS API endpoint). Option C is wrong because deleting the compromised IAM user immediately could cause unintended disruption to any services or automation relying on that user, and it is a more destructive action than simply disabling the keys; the incident response plan typically recommends disabling keys first to preserve the user for forensic analysis. Option D is wrong because rotating all IAM user access keys across the entire account is an overly broad and time-consuming action that could break legitimate operations and is not the first step; the priority is to contain the specific compromised keys, not to rotate every key in the account.

154 · Drag & Drop · medium

Drag and drop the steps for properly disposing of a hard drive containing sensitive data into the correct order.


Why this order

Sanitization: backup, overwrite, verify, destroy, document.

155 · MCQ · hard

A security analyst is investigating a potential data exfiltration incident. The logs show a large number of outbound DNS queries to a domain that resolves to an IP address in a foreign country. The queries contain encoded strings in the subdomain. Which type of attack is MOST likely occurring?

A. DNS poisoning
B. DNS amplification attack
C. DNS rebinding
D. DNS tunneling
Answer: D

DNS tunneling encodes data in DNS queries and responses for covert exfiltration.

Why this answer

DNS tunneling encodes data within DNS queries and responses to bypass network security controls. The large volume of outbound queries to a foreign IP, combined with encoded subdomain strings, is the classic signature of data exfiltration via DNS tunneling, as the protocol is often allowed through firewalls.

Exam trap

The trap here is that candidates confuse DNS tunneling with DNS amplification because both involve high query volumes, but amplification focuses on response size and reflection, not on encoding data in subdomains for exfiltration.

How to eliminate wrong answers

Option A is wrong because DNS poisoning corrupts the cache of a resolver to redirect traffic to malicious sites, not to exfiltrate data via encoded queries. Option B is wrong because a DNS amplification attack uses open resolvers to flood a victim with large responses, not to send outbound queries with encoded payloads. Option C is wrong because DNS rebinding manipulates DNS responses to bypass same-origin policy for browser-based attacks, not to exfiltrate data through subdomain strings.

156 · MCQ · easy

A company is implementing a new file-sharing application for employees. Which of the following is the most important security control to prevent unauthorized access to shared files?

A. Schedule regular backups.
B. Implement access control lists (ACLs) on shared folders.
C. Install antivirus software on all endpoints.
D. Enable detailed audit logging.
E. Encrypt files with AES-256.
Answer: B

ACLs enforce permissions, restricting access only to authorized users.

Why this answer

Option B is correct because access control lists (ACLs) explicitly define who can access resources. Option E (encryption) protects data at rest but does not manage permissions; D (audit logging) is detective; C (antivirus) prevents malware; A (backups) ensures availability, not confidentiality.

157 · Multi-Select · medium

A security analyst is reviewing the configuration of an enterprise wireless network. Which TWO of the following are best practices for securing the wireless network against unauthorized access and eavesdropping?

Select 2 answers
A. Configure a dedicated guest network on a separate VLAN
B. Activate WPS for simplified client setup
C. Enable WPA2-PSK with a complex passphrase
D. Implement WPA2-Enterprise with RADIUS authentication
E. Disable SSID broadcast to hide the network
Answers: A, D

Isolating guest traffic on a separate VLAN prevents unauthorized access to internal resources and contains potential threats.

Why this answer

WPA2-Enterprise with RADIUS provides strong per-user authentication and encryption, mitigating unauthorized access. Placing guest traffic on a separate VLAN segments network traffic and reduces exposure of internal resources. WPA2-PSK with a complex passphrase is acceptable for small networks but not enterprise-grade.

Disabling SSID broadcast is not a security control, because a hidden network can be easily discovered. WPS is known to have severe vulnerabilities and should be disabled.

158 · MCQ · hard

Refer to the exhibit. An organization's incident response policy defines these actions. In what sequence should these phases be applied?

A. Isolate, reimage, restore from backup
B. Reimage, isolate, restore
C. Restore, isolate, reimage
D. Isolate, restore, reimage
Answer: A

Containment before eradication before recovery is standard process.

Why this answer

The correct sequence is Isolate, reimage, restore from backup because containment (isolation) must occur first to prevent the incident from spreading, followed by eradication (reimaging) to remove the threat, and finally recovery (restoring from backup) to return the system to a known good state. This aligns with the NIST SP 800-61 incident response lifecycle, where containment, eradication, and recovery are performed in that order.

Exam trap

The trap here is that candidates mistakenly think restoration can occur before eradication, but in practice, restoring from backup without reimaging leaves the system vulnerable if the backup itself is compromised or if the root cause (e.g., a persistent rootkit) remains in the system firmware or boot sector.

How to eliminate wrong answers

Option B is wrong because reimaging before isolation could allow the threat to spread to other systems during the reimage process, violating the containment principle. Option C is wrong because restoring from backup before isolating and reimaging would reintroduce the threat if the backup is compromised, and the system remains vulnerable. Option D is wrong because restoring from backup before reimaging fails to eradicate the root cause; the threat may persist in the restored data or system state.

159 · Drag & Drop · medium

Drag and drop the steps for conducting a security incident response under the NIST framework into the correct order.


Why this order

NIST incident response follows: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity, and Reporting.

160 · MCQ · medium

A company is implementing a VPN for remote employees. The security policy requires that all traffic from the remote device to the corporate network be encrypted, but internet-bound traffic should go directly to the internet. Which VPN configuration should be used?

A. Remote Desktop Gateway
B. Split tunnel VPN
C. Host-to-host VPN
D. Full tunnel VPN
Answer: B

Split tunnel allows direct internet access while encrypting corporate-bound traffic.

Why this answer

A split tunnel VPN configuration allows remote users to access the corporate network securely over an encrypted tunnel while simultaneously sending internet-bound traffic directly to the internet without passing through the corporate VPN gateway. This meets the security policy requirement because only traffic destined for the corporate network is encrypted, reducing latency and bandwidth load on the VPN concentrator.

Exam trap

ISC2 often tests the misconception that 'all traffic must be encrypted for security,' leading candidates to choose full tunnel VPN (Option D) when the question explicitly states internet-bound traffic should go directly to the internet, which split tunneling uniquely supports.

How to eliminate wrong answers

Option A is wrong because Remote Desktop Gateway is a Microsoft service that provides encrypted RDP connections to internal resources, not a VPN configuration that handles general IP traffic routing. Option C is wrong because a host-to-host VPN (e.g., IPsec transport mode) creates a direct encrypted tunnel between two specific hosts, not between a remote device and a corporate network with split routing. Option D is wrong because a full tunnel VPN sends all traffic (including internet-bound) through the corporate VPN gateway, which violates the policy that internet-bound traffic should go directly to the internet.

161 · MCQ · medium

A financial institution uses a risk management framework based on ISO 31000. During a quarterly risk review, the risk manager identifies that the residual risk for a critical trading application remains high despite multiple controls. The application's risk score has not decreased after implementing two-factor authentication and encryption. The risk appetite statement says 'no high residual risk for systems processing transactions over $10M.' What should the risk manager do next?

A. Reduce the risk by disabling non-essential features of the application.
B. Transfer the risk by purchasing cyber insurance.
C. Escalate to senior management for a decision on additional controls or risk acceptance.
D. Accept the risk because controls are already in place.
Answer: C

Escalation ensures that senior management, who own the risk appetite, decide on additional controls or formally accept the residual risk.

Why this answer

Option C is correct because risk management best practices require that when residual risk exceeds the risk appetite, it must be escalated to senior management for a decision. Option D is wrong because accepting the risk violates the stated risk appetite. Option A is wrong because disabling features may not reduce the risk sufficiently and could impact business operations.

Option B is wrong because transferring risk via insurance does not eliminate the residual risk; it only covers financial loss, and the risk appetite likely requires risk to be at an acceptable level regardless of insurance.

162 · MCQ · medium

An organization allows employees to use personal smartphones to access corporate email and data. Which control is MOST important to protect corporate data if a device is lost or stolen?

A. Require device encryption
B. Require strong passwords with complexity requirements
C. Implement remote wipe capability
D. Enforce a screen lock timeout of 1 minute
Answer: C

Allows an administrator to erase corporate data remotely when the device is lost.

Why this answer

Option C is correct because remote wipe can erase corporate data from a lost device. Option A is wrong because encryption protects data at rest but does not prevent access if the device is unlocked. Option D is wrong because a screen lock can be bypassed with brute force.

Option B is wrong because strong passwords help, but if the device is already compromised, remote wipe is the best response.

163 · MCQ · hard

Refer to the exhibit. A network administrator is reviewing the VPN configuration on a site-to-site VPN hub. Which of the following is the most significant security vulnerability in this configuration?

A. The encryption algorithm AES-256 is too weak
B. The pre-shared key is applied to all potential peers due to the wildcard address
C. The hash algorithm SHA is insecure
D. The pre-shared key is too short and easily guessable
Answer: B

The wildcard peer address (0.0.0.0 0.0.0.0) means the key is shared with any device, making it a shared secret across all peers. This greatly increases the risk of unauthorized access.

Why this answer

The ISAKMP key is configured with a wildcard peer address (0.0.0.0 0.0.0.0), meaning any device can attempt to authenticate using this pre-shared key. This effectively makes the key a shared secret across all potential peers, greatly increasing the risk of unauthorized VPN connections and reducing the security of the authentication mechanism. The use of pre-shared keys is acceptable in controlled environments, but the wildcard peer setting is the critical flaw.

164 · MCQ · easy

After an incident, what is the primary purpose of a lessons learned meeting?

A. Update security policies
B. Assign blame
C. Improve future response
D. Document findings for litigation
Answer: C

The main goal is to identify strengths and weaknesses to enhance the IR process.

Why this answer

The primary purpose of a lessons learned meeting after an incident is to identify what worked well and what did not during the response, enabling the team to refine procedures, update playbooks, and improve future incident response effectiveness. This aligns with the continuous improvement cycle in incident management, as outlined in NIST SP 800-61 and ISO 27035, where the focus is on process enhancement rather than punitive measures.

Exam trap

The trap here is that candidates confuse the primary purpose of a lessons learned meeting (process improvement) with secondary outcomes like policy updates or legal documentation, leading them to select A or D instead of C.

How to eliminate wrong answers

Option A is wrong because updating security policies is a possible outcome of a lessons learned meeting, but it is not the primary purpose; the meeting focuses on response process improvement, and policy changes are a secondary action that may follow. Option B is wrong because assigning blame is counterproductive and explicitly discouraged in incident response frameworks; the goal is to foster a blame-free culture to encourage honest reporting and learning. Option D is wrong because documenting findings for litigation is a separate legal activity that may occur after an incident, but it is not the core objective of a lessons learned meeting, which is centered on operational improvement.

165 · MCQ · medium

Refer to the exhibit. The analyst sees this IDS alert. What is the most likely outcome if the target web application is vulnerable?

A. Buffer overflow and remote code execution
B. Authentication bypass or data extraction
C. Cross-site scripting (XSS) attack
D. Privilege escalation on the database server
Answer: B

The payload tries to bypass authentication by always returning true.

Why this answer

The IDS alert indicates a SQL injection attempt (e.g., '1=1' or similar pattern). If the web application is vulnerable, the attacker can manipulate SQL queries to bypass authentication (e.g., logging in without valid credentials) or extract data from the database (e.g., dumping user tables). This is the most direct outcome of a successful SQL injection.

Exam trap

ISC2 often tests the distinction between SQL injection and other web attacks (like XSS or buffer overflows), and the trap here is that candidates may confuse the outcome of SQL injection with remote code execution or privilege escalation, when the primary and most likely result is authentication bypass or data extraction.

How to eliminate wrong answers

Option A is wrong because buffer overflow and remote code execution are typically associated with memory corruption vulnerabilities (e.g., stack overflows), not SQL injection. Option C is wrong because cross-site scripting (XSS) exploits client-side script injection into web pages, not server-side SQL query manipulation. Option D is wrong because privilege escalation on the database server is a secondary effect that may follow data extraction, but the immediate and most likely outcome of a SQL injection is authentication bypass or data extraction, not direct privilege escalation.

166 · MCQ · easy

An organization implements a new security policy requiring all portable storage devices to be encrypted. Which of the following is the MOST effective control to enforce this policy?

A. Distribute a memo to all employees about the policy.
B. Configure Group Policy to require BitLocker encryption on removable drives.
C. Enable auditing for removable drive usage.
D. Enable BitLocker on all laptops.
Answer: B

Group Policy can enforce encryption for removable drives when supported.

Why this answer

Configuring Group Policy to require BitLocker encryption on removable drives is the most effective control because it enforces the encryption policy automatically and centrally across all domain-joined systems, preventing users from bypassing the requirement. Unlike a memo or auditing, Group Policy provides a technical enforcement mechanism that blocks unencrypted removable media from being used, ensuring compliance without relying on user discretion.

Exam trap

The trap here is that candidates often confuse 'encrypting the system drive' (Option D) with 'encrypting removable drives,' or they assume auditing (Option C) is a preventive control rather than a detective one.

How to eliminate wrong answers

Option A is wrong because distributing a memo is an administrative control that relies on user compliance and provides no technical enforcement, making it ineffective against intentional or accidental policy violations. Option C is wrong because enabling auditing for removable drive usage only logs events for review after the fact; it does not prevent unencrypted drives from being used or enforce encryption. Option D is wrong because enabling BitLocker on all laptops encrypts the system drives, not removable storage devices, and does not address the policy requirement for portable storage devices.

167 · MCQ · hard

A company's incident response plan includes a requirement to notify law enforcement within 24 hours of certain security incidents. Which regulation most likely mandates this requirement?

A. SOX
B. PCI DSS
C. GDPR
D. HIPAA
Answer: B

PCI DSS Section 12.10.2 requires notification to law enforcement within 24 hours of a suspected breach.

Why this answer

PCI DSS Requirement 12.10.1 mandates that the incident response plan includes specific procedures to notify law enforcement within 24 hours of detecting a breach involving cardholder data. This is because PCI DSS is a contractual security standard for entities that handle payment card information, and timely law enforcement notification is critical for forensic investigation and legal compliance in payment card fraud cases.

Exam trap

The trap here is that candidates confuse the 24-hour law enforcement notification requirement with GDPR's 72-hour breach notification to the supervisory authority, or assume HIPAA's 60-day rule applies to all healthcare data incidents, when PCI DSS is the only standard with a specific 24-hour law enforcement notification mandate for payment card breaches.

How to eliminate wrong answers

Option A is wrong because SOX (Sarbanes-Oxley Act) focuses on financial reporting accuracy and internal controls for publicly traded companies, not on specific incident notification timelines to law enforcement. Option C is wrong because GDPR requires notification to the supervisory authority within 72 hours of a personal data breach, but it does not mandate law enforcement notification within 24 hours. Option D is wrong because HIPAA requires notification to affected individuals and the Department of Health and Human Services within 60 days for breaches of protected health information, not law enforcement within 24 hours.

168 · MCQ · medium

A security analyst sees the event log exhibit. What does this indicate?

A. A local user typed the wrong password at the console
B. A remote attacker attempted to log on as Administrator
C. An attacker used a nonexistent account
D. The Administrator account is locked out
Answer: B

Logon Type 3 and source IP indicate remote attempt.

Why this answer

The event log shows multiple failed logon attempts for the built-in Administrator account from a remote IP address (e.g., 10.0.0.5) using different passwords, which is a classic brute-force attack pattern. Event ID 4625 (Windows Security Log) with Logon Type 3 (Network logon) and a non-zero workstation name or source network address confirms the attempts originated remotely, not from the console. This indicates a remote attacker is systematically trying to guess the Administrator password.

Exam trap

The trap here is that candidates confuse Logon Type 3 (network) with interactive logon (Type 2) or assume any failed logon for Administrator means a local user, but the presence of a remote IP address and Logon Type 3 specifically indicates a remote brute-force attack.

How to eliminate wrong answers

Option A is wrong because a local user typing the wrong password at the console would generate Event ID 4625 with Logon Type 2 (Interactive) and a local source (e.g., console session), not a remote IP address. Option C is wrong because the event log shows the account name 'Administrator' which exists; a nonexistent account would generate Event ID 4625 with a different status code (e.g., 0xC0000064 for account name not found) and the account name would not match a built-in account. Option D is wrong because a locked-out Administrator account would generate Event ID 4740 (account locked out) or Event ID 4625 with status 0xC0000234 (account locked), not just multiple failed logon attempts with status 0xC000006D (bad password).

169 · MCQ · medium

An organization is implementing a secure software development lifecycle (SDLC). Which activity should be performed during the design phase to minimize security flaws?

A. Perform threat modeling to identify potential attack vectors.
B. Run dynamic application security testing (DAST) tools.
C. Apply security patches to the development environment.
D. Conduct a code review for security vulnerabilities.
Answer: A

Threat modeling in the design phase identifies risks before coding begins.

Why this answer

Threat modeling is a proactive security activity performed during the design phase to identify potential attack vectors, trust boundaries, and threats before any code is written. By analyzing the system architecture and data flows, teams can mitigate security flaws early, reducing the cost and effort of fixing vulnerabilities later in the SDLC.

Exam trap

ISC2 often tests the distinction between design-phase activities (like threat modeling) and implementation or testing-phase activities (like code review or DAST), so the trap is assuming that any security testing or patching belongs in the design phase.

How to eliminate wrong answers

Option B is wrong because dynamic application security testing (DAST) is a runtime testing activity performed after the application is built, not during the design phase. Option C is wrong because applying security patches to the development environment is an operational security task that maintains the integrity of the development infrastructure, not a design-phase activity to minimize flaws in the application itself. Option D is wrong because code review for security vulnerabilities is performed during the implementation phase, after code has been written, not during the design phase.

170 · MCQ · medium

You are a risk analyst at a healthcare organization. The organization recently deployed a new electronic health records (EHR) system. During the first month of operation, the IT helpdesk received multiple reports from doctors that the system becomes unresponsive for 10-15 seconds several times a day. The EHR vendor attributes this to insufficient database connection pooling, but the organization's system administrator notes that the database server's CPU and memory utilization never exceed 30%. The organization has a risk management policy that requires any system with availability <99.5% to be treated as a high risk. Based on initial data, the system has been unavailable for about 0.1% of the time (excluding planned maintenance). However, doctors report that the brief unresponsiveness is causing frustration and potential misdiagnosis due to interrupted workflows. You need to recommend a risk treatment approach. What should you do?

A. Accept the current risk because the system meets the 99.5% availability threshold
B. Reduce the risk by implementing a load balancer and additional application servers
C. Document the system as high risk and require immediate remediation, such as upgrading the database server hardware
D. Conduct a deeper analysis to quantify the impact of these brief outages on clinical workflows and patient safety, then reassess risk
Answer: D

A deeper analysis will clarify the true risk level before deciding on treatment.

Why this answer

Option D is correct because the risk management policy defines high risk based on availability <99.5%, and the system currently shows 99.9% availability (0.1% unavailability). However, the brief 10-15 second unresponsiveness may still pose a clinical safety risk that is not captured by a simple uptime metric. A deeper analysis is required to quantify the actual impact on clinical workflows and patient safety before deciding on risk treatment, as the policy may need to consider functional availability rather than just binary uptime.

Exam trap

The trap here is that candidates focus on the 99.5% availability threshold and assume the risk is acceptable (Option A) or immediately high (Option C), without recognizing that the policy requires a risk assessment that includes impact analysis, and that the technical symptom (connection pooling) may not be resolved by hardware upgrades or load balancers.

How to eliminate wrong answers

Option A is wrong because accepting the risk based solely on the 99.5% availability threshold ignores the qualitative reports of frustration and potential misdiagnosis; the policy may require a risk assessment that includes impact on patient safety, not just uptime percentage. Option B is wrong because implementing a load balancer and additional application servers addresses a different problem (scalability under load) while the vendor attributes the issue to insufficient database connection pooling, which is a database-tier configuration problem, not an application-tier capacity issue. Option C is wrong because documenting the system as high risk and requiring immediate hardware upgrade is premature without first quantifying the clinical impact; the database server CPU and memory are below 30%, indicating the bottleneck is likely connection pooling configuration, not hardware capacity.

171 · MCQ · medium

A system administrator needs to ensure that a Linux server is hardened against common attacks. Which configuration change is MOST effective in preventing privilege escalation via SUID binaries?

A. Enable auditd to log all SUID executions.
B. Set the umask to 077 for all users.
C. Mount the /tmp and /var partitions with the 'nosuid' option.
D. Remove all SUID binaries from the system.
Answer: C

Prevents the SUID bit from taking effect on binaries stored on those partitions.

Why this answer

Mounting partitions like /tmp and /var with the 'nosuid' option prevents SUID and SGID bits from taking effect on files stored there. Since attackers often place malicious SUID binaries in world-writable directories to escalate privileges, this configuration blocks the execution of such binaries regardless of their permissions. This is more effective than logging or removing all SUID binaries, as it proactively neutralizes a common attack vector without breaking system functionality.

Exam trap

The trap here is that candidates may think logging (auditd) or removing all SUID binaries is a viable solution, but the exam tests the understanding that 'nosuid' is a practical, targeted control that prevents exploitation without breaking legitimate system functionality.

How to eliminate wrong answers

Option A is wrong because enabling auditd to log all SUID executions only provides visibility into when SUID binaries are run; it does not prevent privilege escalation, as the binaries still execute with elevated privileges. Option B is wrong because setting the umask to 077 for all users restricts default file permissions for new files but does not affect existing SUID binaries or prevent their execution, nor does it remove the SUID bit from files already present. Option D is wrong because removing all SUID binaries from the system is impractical and often breaks essential system utilities (e.g., sudo, passwd, ping) that legitimately require the SUID bit to function; a more targeted approach like using 'nosuid' on specific partitions is preferred.

172
Multi-Selectmedium

Which THREE of the following are examples of detective controls?

Select 3 answers
A.Intrusion detection system (IDS)
B.Security information and event management (SIEM)
C.Data encryption at rest
D.Log monitoring and analysis
E.Firewall with default-deny rule
AnswersA, B, D

IDS detects intrusions and alerts.

Why this answer

An intrusion detection system (IDS) is a detective control because it passively monitors network traffic or system activity for signs of malicious behavior or policy violations, generating alerts when suspicious patterns are detected. Unlike a preventive control, an IDS does not block traffic; it only identifies and reports incidents after they occur or in real-time, making it a classic example of a detective security measure.

Exam trap

The trap here is that candidates often confuse preventive controls (like firewalls and encryption) with detective controls, mistakenly thinking that any security tool that 'stops' or 'protects' data also detects attacks, when in fact detective controls only identify and report incidents without blocking them.

173
MCQmedium

A company has deployed an intrusion detection system (IDS) that generates numerous false positives. Which approach would best reduce false positives while maintaining detection capability?

A.Increase the alert generation threshold
B.Replace the IDS with an intrusion prevention system (IPS)
C.Disable the IDS until a full review is completed
D.Tune the IDS signatures and rules
AnswerD

Tuning reduces false positives by refining detection criteria.

Why this answer

Tuning IDS signatures and rules (option D) addresses the root cause of false positives by refining, suppressing or re-scoping the specific signatures that fire on known-benign traffic (for example, an authorized vulnerability scanner or a backup job that trips a port-scan rule), ideally by source, destination and signature rather than globally. This preserves the IDS's ability to detect genuine threats while removing the noise, unlike a blanket threshold adjustment, which can hide low-and-slow attacks that only ever produce a handful of alerts.

Exam trap

The trap here is that candidates confuse 'increasing the threshold' (option A) with tuning, but threshold adjustments are a blunt instrument that can suppress true positives, whereas signature tuning refines detection granularity without sacrificing sensitivity.

How to eliminate wrong answers

Option A is wrong because increasing the alert generation threshold reduces sensitivity across all events, potentially causing true positives (e.g., stealthy attacks) to be missed, which compromises detection capability. Option B is wrong because replacing the IDS with an IPS does not inherently reduce false positives; an IPS uses the same detection mechanisms and may block legitimate traffic if false positives persist, introducing availability risks. Option C is wrong because disabling the IDS eliminates all detection capability, leaving the network blind to attacks during the review period, which is an unacceptable security gap.
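Added example (not part of the question bank) contrasting option A and option D on constructed alert data: a global "alert only after N hits" threshold keeps the noisy scanner alerts and drops the single real exploit attempt, while a suppression scoped to one signature and one source subnet removes the noise and keeps everything else. The signature IDs, subnets and alert records are invented for illustration.

```python
"""Compare a global threshold with targeted suppression on sample IDS alerts.

Added example, not from the question bank. The alert records, rule IDs and
subnets are constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed alerts: (signature id, source ip, destination ip).
# sid 1001 fires on every port probe; sid 2002 fires on a specific exploit.
ALERTS: List[Tuple[int, str, str]] = (
    # Authorized vulnerability scanner (10.0.5.10) sweeping servers: noise.
    [(1001, "10.0.5.10", f"10.0.8.{n}") for n in range(1, 61)]
    # One real exploit attempt, low and slow, from the internet.
    + [(2002, "203.0.113.7", "10.0.8.20")]
    # A stray port probe from another internal host: worth a look.
    + [(1001, "10.0.9.44", "10.0.8.20")]
)

# Tuning: suppress signature 1001 only when the source is the scanner subnet.
SUPPRESSIONS = [(1001, ipaddress.ip_network("10.0.5.0/24"))]


def apply_global_threshold(alerts, min_count: int):
    """Option A: keep only (sid, src) pairs seen at least min_count times."""
    counts = Counter((sid, src) for sid, src, _ in alerts)
    return [a for a in alerts if counts[(a[0], a[1])] >= min_count]


def apply_suppressions(alerts, suppressions=SUPPRESSIONS):
    """Option D: drop alerts matching a (sid, source network) suppression."""
    kept = []
    for sid, src, dst in alerts:
        addr = ipaddress.ip_address(src)
        if any(sid == s_sid and addr in s_net for s_sid, s_net in suppressions):
            continue  # known-benign: scanner subnet tripping the probe rule
        kept.append((sid, src, dst))
    return kept


def summarize(alerts) -> Dict[int, int]:
    """Alert count per signature id, for comparing the two approaches."""
    return dict(Counter(sid for sid, _, _ in alerts))


if __name__ == "__main__":
    print("raw:", summarize(ALERTS))
    print("threshold >= 10:", summarize(apply_global_threshold(ALERTS, 10)))
    print("suppression:", summarize(apply_suppressions(ALERTS)))
```

The threshold approach leaves 60 scanner alerts and silently discards the one exploit attempt and the stray internal probe; the suppression approach leaves exactly the two alerts an analyst should see. Real sensors expose the same idea natively (Snort/Suricata `suppress` and `threshold` configuration), but the ordering of the trade-off is the same.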

174
MCQmedium

An organization's security policy requires that all data at rest be encrypted. A database administrator objects, stating that encryption will degrade performance. What is the best response?

A.Remove the encryption requirement for databases.
B.Encrypt only the backup files, not the live database.
C.Use column-level encryption on sensitive columns only.
D.Implement transparent data encryption (TDE) to minimize performance impact.
AnswerD

TDE encrypts the entire database transparently with low overhead.

Why this answer

Transparent Data Encryption (TDE) encrypts the database's data and log files at the storage layer, automatically encrypting pages before they are written to disk and decrypting them when read into memory. This minimizes performance impact because encryption/decryption occurs outside the application logic and requires no schema or query changes, making it the best response to the DBA's concern while still meeting the policy requirement. Note the scope of the protection: TDE defends against theft of disks, data files and backups, but a user or application that can query the database still sees plaintext, so it does not replace access control or protect against SQL injection.

Exam trap

The trap here is that candidates may choose column-level encryption (Option C) thinking it is more targeted and thus less impactful, but they overlook that TDE is designed specifically to minimize performance impact by operating at the storage layer without requiring application changes.

How to eliminate wrong answers

Option A is wrong because removing the encryption requirement violates the security policy and leaves data at rest unprotected, which is not an acceptable response. Option B is wrong because encrypting only backup files leaves the live database unencrypted, failing to meet the policy's requirement that all data at rest be encrypted, and does not address the DBA's performance concern for the live database. Option C is wrong because column-level encryption can still cause significant performance overhead due to per-row encryption/decryption operations and requires application or schema changes, whereas TDE provides a more efficient, system-level solution.

175
MCQeasy

Refer to the exhibit. A security administrator notices repeated events with the same failure reason for the Administrator account. What is the MOST likely type of attack?

A.Spear phishing
B.Password spraying
C.Brute force
D.Denial of service
AnswerC

Multiple failed attempts for one account is characteristic of brute force.

Why this answer

Option C is correct because repeated failed logins with the same failure reason (a bad password) against a single account are the signature of a brute-force attack on that account. Option B is wrong; password spraying tries one or a few common passwords against many accounts, so the log would show many accounts with a few failures each. Option A is wrong; spear phishing tricks a user into handing over credentials and does not produce repeated failed logins.

Option D is wrong; a DoS aims to disrupt service rather than gain access. As a practical matter, a burst of failures against a privileged account can also trigger a lockout, so the response should check the lockout policy as well as the source of the attempts.

176
Multi-Selecteasy

Which two of the following measures ensure the integrity of backup data? (Choose two.)

Select 2 answers
A.Keeping backups offline and immutable
B.Storing backups on the same drive as original data
C.Using encryption for backup media
D.Regular backup testing
E.Setting backups to overwrite each month
AnswersA, D

Offline/immutable backups prevent modification.

Why this answer

Regular backup testing verifies that backups are restorable. Keeping backups offline and immutable prevents tampering. Storing on the same drive risks loss.

Encryption protects confidentiality, not necessarily integrity.

177
MCQhard

Refer to the exhibit. A web server log shows two requests from the same IP. What type of attack is being attempted, and which mitigation is MOST effective?

A.SQL injection; use parameterized queries
B.Cross-site scripting (XSS); encode all output
C.Cross-site request forgery (CSRF); use anti-CSRF tokens
D.Command injection; implement input validation
AnswerA

The log shows SQL injection attempts; parameterized queries prevent them.

Why this answer

Option A is correct because the request parameters contain SQL injection patterns (OR 1=1 and DROP TABLE). Parameterized queries prevent SQL injection because the input is bound as data and never parsed as SQL syntax. Option B is wrong because XSS payloads would carry script tags or event-handler attributes rather than SQL keywords.

Option C is wrong because CSRF does not show up as malicious syntax in the request; it would be a state-changing request arriving with a cross-origin Referer and the victim's own session cookie. Option D is wrong because command injection would involve shell metacharacters and commands (such as ; or | followed by a command name), not SQL keywords.
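Added example (not part of the question bank): the vulnerable string-built query beside its parameterized replacement, run against an in-memory SQLite database with the OR 1=1 payload from the explanation. The table, its rows and the payload are constructed for illustration.

```python
"""Vulnerable string-built query beside the parameterized fix, run on SQLite.

Added example, not from the question bank. The schema, rows and the attack
input are constructed; the injection string is the OR 1=1 tautology the
explanation mentions.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with a users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> List[Tuple[str, str]]:
    """Fixed: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload as it would appear in a web log after URL decoding.
PAYLOAD = "x' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))       # dumps every row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no such user
```

The concatenated query becomes `... WHERE username = 'x' OR 1=1 --'`, so the tautology matches every row and the trailing quote is commented out; the parameterized version looks for a user literally named `x' OR 1=1 --` and finds nothing. The DROP TABLE variant from the exhibit relies on stacked statements, which `sqlite3.execute()` refuses to run, but drivers and databases that allow them are destroyed by exactly the same concatenation bug.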

178
Multi-Selecteasy

Which TWO components are essential for an effective disaster recovery plan (DRP)?

Select 2 answers
A.Automated failover system
B.Recovery Point Objective (RPO)
C.Business Impact Analysis (BIA)
D.Redundant array of independent disks (RAID)
E.Recovery Time Objective (RTO)
AnswersB, E

RPO defines maximum acceptable data loss.

Why this answer

The Recovery Point Objective (RPO) defines the maximum acceptable data loss measured in time, which directly determines the required backup frequency and data replication strategy. Without an RPO, the DRP cannot specify how much data can be lost, making it impossible to design appropriate backup and recovery mechanisms. This metric is essential because it drives the technical implementation of data protection, such as snapshot intervals or synchronous replication.

Exam trap

ISC2 often tests the distinction between essential DRP components (RPO and RTO) and supporting technologies or prerequisites (BIA, failover systems, RAID), leading candidates to confuse inputs or tools with the plan's core metrics.

179
Multi-Selecteasy

Which TWO of the following are common weaknesses in cryptographic implementations that an SSCP should be aware of? (Select exactly 2.)

Select 2 answers
A.Weak random number generation
B.Improper key storage
C.Frequent rekeying
D.Using proven encryption algorithms like AES
E.Following NIST guidelines
AnswersA, B

Predictable random numbers can lead to key compromise.

Why this answer

Weak random number generation is a critical flaw because cryptographic keys, nonces, and initialization vectors rely on unpredictability. If an attacker can predict or reproduce the random values (e.g., due to a low-entropy source or a flawed PRNG like a linear congruential generator), they can derive secret keys or break session security. This undermines the entire cryptographic system regardless of the algorithm strength.

Exam trap

ISC2 often tests the misconception that 'using strong algorithms' or 'following standards' automatically guarantees security, when in fact implementation flaws like weak randomness or poor key management are the real vulnerabilities.
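Added example (not part of the question bank) of the weak-randomness flaw in practice: a 128-bit token generated from Python's non-cryptographic Mersenne Twister seeded with a timestamp looks random, but an attacker who knows the issue time to within an hour recovers it by trying every seed in that window. The fixed version draws from the OS CSPRNG via the secrets module. The issue time and the attacker's guess are constructed constants so the run is reproducible.

```python
"""Recover a token generated from a time-seeded PRNG, then the secure fix.

Added example, not from the question bank. Timestamps are fixed constants so
the run is reproducible; the 'server' and 'attacker' roles are simulated.
"""
import random
import secrets
from typing import Optional

TOKEN_BITS = 128


def weak_token(seed: int) -> int:
    """Flawed: seeds Mersenne Twister with a low-entropy value (a timestamp)."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BITS)


def strong_token() -> int:
    """Fixed: draw from the OS CSPRNG via the secrets module."""
    return secrets.randbits(TOKEN_BITS)


def recover_seed(token: int, approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker: brute-force the seed over the plausible time window.

    The token is 128 bits wide, but the search space is the number of seconds
    in the window (a few thousand candidates), not 2**128.
    """
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate) == token:
            return candidate
    return None


# Constructed values: the server issued a password-reset token at this Unix
# time, and the attacker knows the issue time to within an hour (for example
# from the Date header of the reset e-mail).
ISSUE_TIME = 1_700_000_000
ATTACKER_GUESS = ISSUE_TIME + 1_234

if __name__ == "__main__":
    token = weak_token(ISSUE_TIME)
    found = recover_seed(token, ATTACKER_GUESS)
    print(f"weak token: seed recovered = {found == ISSUE_TIME}")
    # The same bounded search against a CSPRNG token finds nothing; its real
    # search space is 2**128.
    print("strong token: seed found =", recover_seed(strong_token(), ATTACKER_GUESS))
```

The point is the one the explanation makes: the token's width says nothing about its entropy. The same failure applies to session IDs, nonces and IVs derived from `random`, `rand()`, process IDs or timestamps; in Python use `secrets` (or `os.urandom`), and in other languages the platform CSPRNG.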

180
Drag & Dropmedium

Drag and drop the steps for implementing mandatory access control (MAC) using security labels into the correct order.


Why this order

MAC relies on predefined labels; subjects and objects are labeled, then the reference monitor enforces rules like no read up, no write down.

181
MCQmedium

Given the exhibit, what is the most likely conclusion?

A.The SIEM alert is a false positive and can be ignored
B.The authentication server logs are misconfigured
C.The successful login is unrelated and coincidental
D.The brute-force attack was successful and the admin account may be compromised
AnswerD

The pattern indicates successful compromise.

Why this answer

The exhibit shows a brute-force attack with multiple failed login attempts followed by a successful login from the same source IP. This pattern indicates that the attacker likely guessed or cracked the password, making the admin account compromised. Option D is correct because the sequence of events directly correlates with a successful brute-force attack.

Exam trap

The trap here is that candidates may dismiss the successful login as a false positive or coincidence, failing to recognize that a run of failures followed by a success from the same source against the same account is the classic signature of a successful brute-force attack, and that the correct response is to treat the account as compromised (disable it, terminate its sessions, and investigate what it accessed) rather than to close the alert.

How to eliminate wrong answers

Option A is wrong because the alert is not a false positive; the pattern of repeated failures followed by a success is a classic indicator of a successful brute-force attack, not a benign event. Option B is wrong because the authentication server logs are not misconfigured; they correctly recorded both the failed and successful logins, which is expected behavior. Option C is wrong because the successful login is not coincidental; it is directly linked to the preceding brute-force attempts, as evidenced by the same source IP and target account.
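Added example (not part of the question bank) covering both question 175 and question 181: detection logic run over constructed authentication log lines that labels each source as brute force (many failures, one account) or password spraying (few failures each, many accounts), and separately flags a success that follows a run of failures on the same source and account. The log format, thresholds, hosts and account names are invented for the example.

```python
"""Classify authentication failures as brute force or password spraying, and
flag failures followed by a success from the same source (questions 175/181).

Added example, not from the question bank. The log lines are constructed in
a simplified format: ISO timestamp, result, account, source IP.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

FAIL_THRESHOLD = 5  # failures per (src, account) before calling it brute force
SPRAY_ACCOUNTS = 5  # distinct failing accounts per src before calling it a spray

# Constructed sample log (not from a real system).
SAMPLE_LOG = """\
2024-03-01T03:00:01Z FAIL Administrator 198.51.100.9
2024-03-01T03:00:02Z FAIL Administrator 198.51.100.9
2024-03-01T03:00:03Z FAIL Administrator 198.51.100.9
2024-03-01T03:00:04Z FAIL Administrator 198.51.100.9
2024-03-01T03:00:05Z FAIL Administrator 198.51.100.9
2024-03-01T03:00:06Z FAIL Administrator 198.51.100.9
2024-03-01T03:00:09Z SUCCESS Administrator 198.51.100.9
2024-03-01T03:10:00Z FAIL alice 203.0.113.50
2024-03-01T03:10:30Z FAIL bob 203.0.113.50
2024-03-01T03:11:00Z FAIL carol 203.0.113.50
2024-03-01T03:11:30Z FAIL dave 203.0.113.50
2024-03-01T03:12:00Z FAIL erin 203.0.113.50
2024-03-01T03:15:00Z FAIL bob 10.0.0.23
2024-03-01T03:15:20Z SUCCESS bob 10.0.0.23
"""

Event = Tuple[datetime, str, str, str]  # (time, result, account, src)


def parse_log(text: str) -> List[Event]:
    """Parse the simplified log format into typed events."""
    events = []
    for line in text.splitlines():
        ts, result, account, src = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, result, account, src))
    return events


def classify_sources(events: List[Event]) -> Dict[str, str]:
    """Label each source IP as 'brute-force', 'password-spray' or 'normal'."""
    fails_per_pair = defaultdict(int)      # (src, account) -> failure count
    accounts_per_src = defaultdict(set)    # src -> accounts that failed
    for _, result, account, src in events:
        if result == "FAIL":
            fails_per_pair[(src, account)] += 1
            accounts_per_src[src].add(account)
    labels = {}
    for src in {e[3] for e in events}:
        worst = max((n for (s, _), n in fails_per_pair.items() if s == src), default=0)
        if worst >= FAIL_THRESHOLD:
            labels[src] = "brute-force"      # many failures against one account
        elif len(accounts_per_src[src]) >= SPRAY_ACCOUNTS:
            labels[src] = "password-spray"   # few failures each, many accounts
        else:
            labels[src] = "normal"
    return labels


def successes_after_failures(events: List[Event]) -> List[Tuple[str, str, int]]:
    """Return (src, account, prior_failures) for each SUCCESS preceded by at
    least FAIL_THRESHOLD consecutive failures on the same (src, account).
    This sequence is the indicator of a successful brute-force attack."""
    streak = defaultdict(int)
    hits = []
    for _, result, account, src in sorted(events):
        key = (src, account)
        if result == "FAIL":
            streak[key] += 1
        elif result == "SUCCESS":
            if streak[key] >= FAIL_THRESHOLD:
                hits.append((src, account, streak[key]))
            streak[key] = 0  # a success resets the run either way
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(classify_sources(evs))
    print(successes_after_failures(evs))
```

On the sample, 198.51.100.9 is labelled brute force and is also the one source whose success followed six failures on Administrator, which is the question 181 finding; 203.0.113.50 is a spray (one failure each across five accounts), and bob's single failure before a success from 10.0.0.23 is the ordinary typo case and is not flagged.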

182
MCQmedium

A cloud application uses OAuth 2.0 to authorize a third-party app to access user data. What is the primary purpose of the access token issued by the authorization server?

A.To revoke the user's access to the client application
B.To encrypt data exchanged between client and resource server
C.To grant the client application limited access to user's resources
D.To authenticate the user to the resource server
AnswerC

The access token contains scopes and is presented to the resource server to obtain access to protected resources.

Why this answer

In OAuth 2.0, the access token is a credential that represents the authorization granted to the client application by the resource owner. Its primary purpose is to allow the client to access specific, scoped resources on the resource server on behalf of the user, without exposing the user's credentials. This is defined in RFC 6749, where the token encapsulates the granted permissions and scope.

Exam trap

The trap here is that candidates often confuse authentication with authorization, mistakenly believing the access token authenticates the user to the resource server, when in fact it only authorizes the client to access resources on behalf of the user.

How to eliminate wrong answers

Option A is wrong because revoking the user's access to the client application is not a function of the access token; revocation is handled via token revocation endpoints or by the authorization server invalidating the token, not by the token itself. Option B is wrong because the access token does not encrypt data; it is a bearer token that is passed in HTTP headers, and encryption of data in transit is typically handled by TLS, not by the token. Option D is wrong because the access token is not used to authenticate the user to the resource server; authentication is performed by the authorization server during the authorization grant flow, and the token only authorizes access to resources, it does not prove the user's identity.

183
MCQeasy

A security analyst needs to verify that a downloaded file has not been tampered with. The publisher provides a SHA-256 hash. Which property of the hash function is being relied upon?

A.Avalanche effect
B.Collision resistance
C.Second pre-image resistance
D.Pre-image resistance
AnswerB

Collision resistance prevents finding two inputs with same hash.

Why this answer

The analyst relies on the hash function making it computationally infeasible to produce a different file with the same SHA-256 digest as the legitimate one. If an attacker could do that, they could substitute a malicious file that hashes to the published value, bypassing the integrity check. SHA-256 is designed so that finding any such pair of inputs is infeasible, which is why it is trusted for file integrity checks; MD5 and SHA-1, whose collision resistance is broken, should not be used for this purpose.

Exam trap

The trap here is the fine distinction between collision resistance and second pre-image resistance. Strictly, an attacker who has to match the digest of a fixed legitimate file is attacking second pre-image resistance; collision resistance is the stronger property (a collision-resistant function is also second pre-image resistant) and is the one exam answer keys cite, because it also covers the case where the attacker can influence the file before the publisher hashes it, which is how practical MD5 and SHA-1 collision attacks have been used against signed files.

How to eliminate wrong answers

Option A is wrong because the avalanche effect describes how a small change in input drastically changes the output hash; it is a design property that contributes to the others but is not itself the guarantee an integrity check relies on. Option C is the closest distractor: second pre-image resistance (given a message and its hash, no different message with the same hash can be found) is exactly what a substitution attack on a fixed file must defeat, but it is implied by collision resistance, which the answer key treats as the property relied upon because it also protects against an attacker who can influence the original file. Option D is wrong because pre-image resistance ensures that given a hash, an attacker cannot recover an input that produces it; this is irrelevant here, as the analyst already has the file and is checking its hash against the published one.
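Added example (not part of the question bank, and also the check behind question 176's backup integrity and question 184's evidence hashing): chunked SHA-256 of a file, a constant-time comparison against the publisher's value, and a demonstration that a one-byte change in a copy fails the check. The file contents and the "published" digest are constructed in a temporary directory.

```python
"""Verify a downloaded file against a publisher's SHA-256 and show a tampered
copy failing. Added example, not from the question bank; the file contents
and the 'published' hash are constructed in a temporary directory.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large downloads fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str) -> bool:
    """True only if the file's digest equals the published one.

    hmac.compare_digest avoids a timing side channel in the comparison, and the
    published value is normalised so a copy-pasted uppercase hash still works.
    A digest of the wrong length simply compares unequal.
    """
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def demo() -> dict:
    """Build a 'download', publish its hash, then tamper with a copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "tool-1.0.tar.gz")
        with open(good, "wb") as f:
            f.write(b"\x1f\x8b" + b"A" * 4096)          # constructed file body
        published = sha256_file(good)                  # what the publisher posts
        bad = os.path.join(tmp, "tool-1.0-tampered.tar.gz")
        with open(bad, "wb") as f:
            f.write(b"\x1f\x8b" + b"A" * 4095 + b"B")   # one byte changed
        return {
            "good": verify_download(good, published),
            "tampered": verify_download(bad, published),
            "truncated_hash": verify_download(good, published[:-1]),
        }


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the channel the digest arrived on: a hash fetched from the same mirror as the file proves nothing against a compromised mirror, so take it from the publisher's HTTPS page or, better, verify a detached signature (GPG or a Sigstore bundle) over the file. The same routine records the acquisition hash of a forensic image or a backup so a later re-hash can prove it unchanged.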

184
MCQhard

During an incident response, a forensic analyst captures a memory dump from a compromised server. Which of the following is the MOST important step to ensure the integrity of the evidence?

A.Create a cryptographic hash of the memory dump before analysis
B.Use a write blocker when capturing the memory dump
C.Store the memory dump on the same server for easy access
D.Run antivirus on the memory dump file
AnswerA

Hashing preserves integrity by allowing verification that the evidence has not been modified.

Why this answer

Option A is correct because hashing the dump (e.g., SHA-256) immediately after capture and recording the value in the chain-of-custody record gives a fingerprint that proves the evidence has not been altered since acquisition; every later copy can be re-hashed and compared. Option B is wrong because a write blocker protects a storage device during disk imaging; volatile memory is captured with a memory-acquisition tool and there is no device to block. Option C is wrong because storing the dump on the compromised server exposes it to the attacker and overwrites disk evidence. Option D is wrong because running antivirus on the dump is not an integrity step and, if the scanner quarantines or cleans the file, it alters the evidence.

185
MCQhard

An organization is implementing an access control system where access decisions are based on the sensitivity of the resource and the clearance of the user. Which model is being used?

A.Discretionary Access Control (DAC)
B.Attribute-Based Access Control (ABAC)
C.Role-Based Access Control (RBAC)
D.Mandatory Access Control (MAC)
AnswerD

MAC uses security labels to enforce access based on classification and clearance.

Why this answer

Mandatory Access Control (MAC) enforces access decisions based on comparing the sensitivity label (e.g., classification level) of the resource with the clearance level of the user. This model is non-discretionary, meaning users cannot override or delegate permissions; the system centrally controls all access according to a security policy, such as Bell-LaPadula or Biba.

Exam trap

The trap here is that candidates often confuse MAC with RBAC because both involve centralized control, but MAC uniquely relies on mandatory sensitivity labels and user clearances, not roles or user-defined permissions.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, not based on fixed sensitivity labels and user clearances. Option B is wrong because Attribute-Based Access Control (ABAC) evaluates policies using multiple attributes (user, resource, environment) but does not inherently require hierarchical sensitivity labels and clearances as the primary decision factor. Option C is wrong because Role-Based Access Control (RBAC) grants access based on job roles, not on the sensitivity of the resource or the clearance of the user.

186
MCQeasy

A system administrator needs to grant a temporary contractor access to a specific shared folder for two weeks. Which access control approach is most appropriate?

A.Create a new role with access to the folder and assign the contractor to that role
B.Create a temporary user account with an expiration date and grant NTFS permissions
C.Use mandatory access control (MAC) to enforce a security label for the contractor
D.Configure the folder with discretionary access control (DAC) and let the contractor request access
AnswerB

This provides time-limited access with minimal overhead.

Why this answer

Option B is correct because creating a temporary user account with an expiration date directly addresses the need for time-limited access. Granting NTFS permissions on the specific shared folder provides granular, least-privilege access control. This approach ensures the account is automatically disabled after two weeks, reducing administrative overhead and security risk.

Exam trap

The trap here is that candidates often choose role-based access control (RBAC) as a best practice, but fail to recognize that creating a new role for a single temporary user is an anti-pattern that violates role-based design principles and does not inherently enforce time limits.

How to eliminate wrong answers

Option A is wrong because creating a new role for a single temporary contractor violates the principle of role engineering—roles should be based on job functions, not individuals, and this approach adds unnecessary complexity without addressing the time limit. Option C is wrong because mandatory access control (MAC) uses system-wide security labels enforced by the operating system, which is overly rigid for a simple temporary access need and requires significant configuration overhead. Option D is wrong because discretionary access control (DAC) allows the resource owner to grant permissions, but relying on the contractor to request access introduces delays and lacks automatic expiration, leaving the folder exposed after the two-week period.

187
MCQhard

A company uses a cloud storage service that encrypts files with a key derived from the user's password (e.g., using PBKDF2). The security team recommends migrating to a separate key management service (KMS) that generates and manages encryption keys independently of user passwords. What is the most critical security advantage of using a KMS in this scenario?

A.Password-derived keys are inherently weaker than KMS-generated keys.
B.Changing the user password does not require re-encrypting all files.
C.A KMS is faster at encrypting and decrypting large files.
D.A KMS provides better audit logging of key usage.
AnswerB

When keys are separate from passwords, password changes can be handled without re-encrypting data.

Why this answer

Option B is correct because when files are encrypted directly under a key derived from the user's password (e.g., via PBKDF2), changing the password changes the derived key, so every file encrypted under the old key must be decrypted and re-encrypted with the new one (the same is true if the password is forgotten, in which case the data is simply lost). A separate KMS decouples key management from user credentials, allowing password changes without touching the underlying data keys and avoiding costly, error-prone bulk re-encryption. Note that a well-designed password-based scheme avoids the bulk re-encryption by using the derived key only to wrap a randomly generated data key; the question describes the naive design.

Exam trap

ISC2 often tests the misconception that KMS-generated keys are always cryptographically stronger than password-derived keys, when the real advantage is operational separation of key lifecycle from user credentials.

How to eliminate wrong answers

Option A is wrong because password-derived keys are not inherently weaker than KMS-generated keys; PBKDF2 with sufficient iterations and salt can produce strong keys, and the weakness often lies in poor password entropy rather than the derivation algorithm itself. Option C is wrong because KMS encryption/decryption speed is typically slower than local operations due to network latency and API overhead, especially for large files where envelope encryption is used. Option D is wrong because while KMS can provide audit logging, this is not the most critical advantage in this scenario; the primary security benefit is the separation of key management from user passwords, which directly addresses the re-encryption problem.

188
MCQhard

Refer to the exhibit. The security group is attached to a database server. Which hosts can connect to the database?

A.No hosts can connect to the database
B.Both internet hosts and internal hosts
C.Any host on the internet
D.Only hosts in the 10.0.0.0/8 range
AnswerD

The security group allows port 3306 traffic only from the 10.0.0.0/8 CIDR.

Why this answer

The security group rule allows inbound traffic on the database port from the 10.0.0.0/8 range. Since the database server is in a private subnet with no public IP, only hosts within that RFC 1918 address space can reach it. Option D is correct because the rule explicitly permits only 10.0.0.0/8, which includes internal hosts in that range.

Exam trap

ISC2 often tests the misconception that allowing a private range like 10.0.0.0/8 somehow includes internet hosts. A packet arriving from the internet with a 10.x source address is spoofed and is dropped at the edge, and a remote user only obtains a 10.x source address once admitted to the internal network (for example over a VPN), at which point they are an internal host subject to the same rule.

How to eliminate wrong answers

Option A is wrong because the security group rule permits traffic from 10.0.0.0/8, so some hosts can connect. Option B is wrong because internet hosts are not in the 10.0.0.0/8 range and cannot connect unless a public IP or NAT is involved, which is not indicated. Option C is wrong because the rule does not allow any host on the internet; it restricts source to a private IP range.

189
Multi-Selecteasy

Which TWO of the following are examples of administrative controls in a security program? (Choose two.)

Select 2 answers
A.Security policies
B.Firewall rules
C.Locks on server room doors
D.Employee background checks
E.Intrusion detection software
AnswersA, D

Policies are administrative directives.

Why this answer

Security policies (A) are administrative controls because they define the rules, responsibilities, and expected behaviors for users and administrators, forming the foundation of a security program. Employee background checks (D) are also administrative controls, as they are personnel vetting procedures that reduce insider risk and enforce trust before granting access. Both are non-technical, process-based measures that guide human actions rather than directly blocking or detecting threats.

Exam trap

ISC2 often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse firewall rules or intrusion detection software (both technical controls) with administrative controls because they are part of a security program, but they are not process-based or policy-driven.

190
MCQhard

A network has multiple VLANs with an IDS deployed on the core switch using SPAN ports. The IDS is missing some packets during high traffic periods. What is the best course of action to improve packet capture reliability?

A.Deploy the IDS inline
B.Implement NetFlow for monitoring
C.Use multiple SPAN sessions
D.Increase the SPAN port buffer
AnswerA

Placed inline, the sensor sits in the forwarding path and sees every packet, so nothing is lost to SPAN oversubscription.

Why this answer

Deploying the IDS inline ensures that all traffic destined for the monitored segment must pass through the device, eliminating packet loss caused by oversubscription of SPAN ports during high traffic periods. SPAN ports rely on the switch replicating frames to the monitor port, which drops packets when the aggregate mirrored traffic exceeds that port's bandwidth or the switch's internal buffer capacity, and SPAN traffic is typically the first thing a busy switch sheds. Inline deployment places the sensor directly in the data path, so every packet is inspected without relying on replication. The trade-off a practitioner must plan for is that an inline sensor (in effect an IPS) becomes a single point of failure and a source of latency, so it needs a fail-open bypass and enough throughput for peak load; a network TAP is the other standard answer to SPAN drops, but it is not among the options.

Exam trap

ISC2 often tests the misconception that increasing buffers or adding more SPAN sessions can solve packet loss, when the real issue is that SPAN replication is unreliable under high load; among the options given, only inline deployment removes the replication step.

How to eliminate wrong answers

Option B is wrong because NetFlow is a flow-based monitoring technology that provides statistical summaries and metadata, not full packet capture, so it cannot improve packet capture reliability. Option C is wrong because using multiple SPAN sessions does not address the root cause of packet loss; it only replicates the same oversubscribed traffic to additional ports, potentially worsening congestion. Option D is wrong because increasing the SPAN port buffer may temporarily reduce drops but does not solve the fundamental issue of the SPAN port being unable to handle peak traffic rates, as buffers can still overflow under sustained high load.

191
MCQhard

Refer to the exhibit. What security issue is present in this firewall policy?

A.Web traffic is allowed from any source
B.The default deny rule is missing
C.The firewall is allowing all traffic on port 443
D.The destination network is too broad
E.SSH is blocked for a specific subnet
AnswerB

Without an explicit deny all, unmatched traffic is handled by the platform's default, which may be to allow it.

Why this answer

The exhibit shows a firewall policy with explicit permit rules but no explicit deny all rule at the bottom. Without a default deny rule, any traffic not matching an explicit permit may be implicitly allowed or handled unpredictably depending on the firewall platform, violating the security principle of least privilege. A proper firewall policy must end with an explicit deny all to block all unauthorized traffic.

Exam trap

ISC2 often tests the concept that a firewall policy without an explicit deny all rule at the bottom is inherently insecure, even if all other rules appear correct, because candidates may focus on specific rule content rather than the overall policy structure.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show any rule allowing web traffic from any source; the policy may permit web traffic only from specific sources or to specific destinations. Option C is wrong because the exhibit does not indicate that all traffic on port 443 is allowed; port 443 traffic may be restricted by source or destination. Option D is wrong because the destination network being broad is not the primary security issue; while overly broad destinations can weaken security, the fundamental flaw is the missing default deny rule.

Option E is wrong because SSH being blocked for a specific subnet is a legitimate security control, not an issue; the problem is the absence of a catch-all deny rule.
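Added example (not part of the question bank) serving both question 188 and question 191: a first-match rule evaluator over constructed rule sets. For the security group it shows that only 10.0.0.0/8 sources reach port 3306, and that another private range (192.168.0.0/16) or an internet address is refused; for the firewall policy it shows what happens to unmatched traffic with and without a final deny-all, given each platform's default. The exhibits are not reproduced on this page, so the rules are built from what the explanations state; the addresses and ports are assumptions.

```python
"""First-match rule evaluation for the security group in question 188 and the
firewall policy in question 191. Added example, not from the question bank;
the rule sets are constructed from what the explanations state, since the
exhibits are not reproduced here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port, None = any

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.port in (None, port)
        )


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int,
             default: str) -> str:
    """Return the action of the first matching rule, else the platform default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return default


# Question 188: a security group with one inbound rule. A security group is
# attached to the instance, so there is no destination field; 0.0.0.0/0 stands
# in for "this instance". Cloud security groups are deny-by-default.
DB_SECURITY_GROUP = [Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 3306)]

# Question 191: a policy made only of specific permits and one specific deny,
# with no final deny-all (constructed to match the explanation).
PERMIT_ONLY_POLICY = [
    Rule("allow", "10.0.0.0/8", "10.1.0.0/16", "tcp", 443),
    Rule("allow", "10.0.0.0/8", "10.1.0.0/16", "tcp", 80),
    Rule("deny", "10.2.0.0/16", "10.1.0.0/16", "tcp", 22),
]
DENY_ALL = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None)


def db_reachable_from(src_ip: str) -> bool:
    """Can src_ip open tcp/3306 to the database instance (assumed 10.1.2.3)?"""
    return evaluate(DB_SECURITY_GROUP, src_ip, "10.1.2.3", "tcp", 3306, "deny") == "allow"


def unmatched_traffic_outcome(policy: List[Rule], platform_default: str) -> str:
    """Outcome for traffic no rule addresses: internet -> 10.1.0.5 tcp/3389."""
    return evaluate(policy, "203.0.113.9", "10.1.0.5", "tcp", 3389, platform_default)


if __name__ == "__main__":
    for ip in ("10.20.30.40", "192.168.1.5", "203.0.113.5"):
        print(f"db from {ip}: {db_reachable_from(ip)}")
    print("permit-only, default allow:", unmatched_traffic_outcome(PERMIT_ONLY_POLICY, "allow"))
    print("permit-only, default deny: ", unmatched_traffic_outcome(PERMIT_ONLY_POLICY, "deny"))
    print("with deny-all appended:    ",
          unmatched_traffic_outcome(PERMIT_ONLY_POLICY + [DENY_ALL], "allow"))
```

The last three lines are the point of question 191: the permit-only policy's behaviour for RDP from the internet depends entirely on the platform default, whereas appending the explicit deny-all makes the outcome "deny" regardless of platform, which is why the rule belongs at the bottom of every policy. The 192.168.1.5 case for question 188 is the detail to watch in a real audit: "private" and "10.0.0.0/8" are not the same thing.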

192
Multi-Selectmedium

Which TWO of the following are valid reasons for implementing a separation of duties policy? (Choose two.)

Select 2 answers
A.To reduce the workload on individual employees.
B.To detect errors through independent verification.
C.To simplify training requirements.
D.To comply with regulatory requirements.
E.To prevent fraud by requiring collusion.
AnswersB, E

Having different people perform related tasks allows for error detection.

Why this answer

Separation of duties (SoD) is a security control that divides critical tasks among multiple individuals to prevent any single person from having excessive control. Option B is correct because independent verification is a core benefit: when one person performs a task and another reviews it, errors are more likely to be caught before they cause damage. This is especially important in financial transactions or system configuration changes where a single mistake could have significant consequences.

Exam trap

ISC2 often tests the distinction between compliance as a requirement versus a fundamental security reason; candidates mistakenly choose 'compliance' as a core reason when the question asks for the underlying security benefit.

193
MCQmedium

A company deploys a web application that handles sensitive financial transactions. To protect data in transit, which protocol should be used?

A.SSH (Secure Shell)
B.SSL 3.0
C.IPsec in transport mode
D.TLS 1.2
AnswerD

TLS 1.2 is secure and appropriate for web applications.

Why this answer

TLS 1.2 is the correct choice because it is the industry-standard protocol for securing HTTP traffic, providing encryption, integrity, and authentication for data in transit. It is universally supported and, when configured with modern cipher suites (AEAD ciphers such as AES-GCM with forward-secret ECDHE key exchange, and RC4, CBC suites and compression disabled), has no known practical vulnerabilities, unlike SSL 3.0. TLS 1.3 is the preferred version where clients support it, but it is not among the options, and TLS 1.2 remains acceptable for protecting sensitive financial transactions.

Exam trap

The trap here is that candidates often confuse SSH with a general-purpose encryption protocol or think SSL 3.0 is still acceptable because it was historically used, but the exam tests awareness of deprecated protocols and the correct protocol for web-specific security.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) is a protocol for secure remote administration and file transfer (e.g., SFTP), not for securing web application traffic; it operates on a different application layer and does not integrate with HTTP. Option B is wrong because SSL 3.0 is deprecated due to critical vulnerabilities such as the POODLE attack (CVE-2014-3566), which allows plaintext recovery, and it is no longer considered secure for protecting sensitive data. Option C is wrong because IPsec in transport mode secures IP packets between two hosts (e.g., for VPNs or host-to-host communication), but it is not designed to protect application-layer web traffic like HTTP; it requires complex configuration and does not natively integrate with web browsers or servers.

194
Multi-Selectmedium

An organization is implementing a new remote access VPN for employees using IPsec. Which TWO of the following are best practices for securing the IPsec VPN?

Select 2 answers
A.Use AES encryption with a minimum key size of 128 bits
B.Use pre-shared keys for authentication
C.Disable anti-replay protection to improve performance
D.Enable Perfect Forward Secrecy (PFS)
E.Allow all IP protocols through the VPN tunnel
AnswersA, D

AES-128 is a strong, recommended encryption algorithm for IPsec.

Why this answer

AES encryption with a minimum key size of 128 bits is a best practice for IPsec VPNs because it provides strong, symmetric encryption that is resistant to known cryptographic attacks. AES-128 is approved by NIST and widely considered secure for protecting sensitive data over untrusted networks like the internet.

Exam trap

The trap here is that candidates often assume pre-shared keys are a secure authentication method for IPsec, but the SSCP exam emphasizes that PSKs are weak compared to digital certificates or EAP methods, especially in enterprise environments.

195
MCQmedium

A security analyst notices that a user’s account has been used to access sensitive files at 3:00 AM from an IP address outside the company’s country. The analyst suspects a compromised account. Which action should be taken FIRST?

A.Block the external IP address in the firewall
B.Disable the user account immediately
C.Reset the user’s password and force a logout
D.Contact the user to verify if they were working late
AnswerB

Disabling the account stops all access from any source.

Why this answer

The first step in incident response is to isolate the threat. Disabling the account prevents further unauthorized access while the investigation proceeds.

196
MCQmedium

During a vulnerability scan, a critical vulnerability is found on a publicly accessible web server. The server hosts a legacy application that cannot be patched immediately. What should the risk manager do first?

A.Implement compensating controls.
B.Remove the server from the network.
C.Notify the application owner.
D.Accept the risk.
AnswerA

Compensating controls mitigate the vulnerability without patching, buying time for a permanent fix.

Why this answer

Option A is correct because when a critical vulnerability cannot be patched immediately, implementing compensating controls is the appropriate first step to reduce risk while maintaining business operations. Compensating controls, such as a web application firewall (WAF) with custom rules to block exploit attempts or network segmentation with strict access control lists (ACLs), provide a temporary mitigation layer. This aligns with the risk management principle of reducing risk to an acceptable level without disrupting critical services.

Exam trap

ISC2 often tests the misconception that immediate removal from the network is always the correct first step, but the SSCP exam emphasizes balancing security with business continuity, making compensating controls the preferred initial action.

How to eliminate wrong answers

Option B is wrong because removing the server from the network would cause immediate denial of service for the legacy application, which may be critical to business operations, and is an extreme measure that should only be taken if the vulnerability is actively exploited and no other controls exist. Option C is wrong because notifying the application owner is a procedural step that should occur after or in parallel with implementing compensating controls; it does not directly address the immediate risk reduction required. Option D is wrong because accepting the risk without first attempting to mitigate it through compensating controls is premature and violates the risk management hierarchy, which prioritizes mitigation over acceptance when feasible.

197
MCQmedium

Refer to the exhibit. An administrator applies this ACL to the external interface. What specific traffic is blocked?

A.Both ping requests and replies
B.Only ping replies
C.All ICMP traffic
D.All ping requests
AnswerD

The deny statement blocks all ICMP echo-request messages, i.e., ping requests.

Why this answer

The ACL is applied to the external interface and denies ICMP echo-request (type 8) packets while permitting ICMP echo-reply (type 0) packets. This blocks only ping requests (echo-requests) from entering the network, but allows ping replies (echo-replies) to return for outbound-initiated traffic. Therefore, option D is correct because the ACL specifically targets and blocks all ping requests.

Exam trap

The trap here is that candidates often assume 'ping' is a single protocol or that blocking ping requests also blocks replies, but Cisco tests the distinction between ICMP echo-request (type 8) and echo-reply (type 0) in ACLs.

How to eliminate wrong answers

Option A is wrong because the ACL only denies ICMP type 8 (echo-request) and permits ICMP type 0 (echo-reply), so ping replies are not blocked. Option B is wrong because the ACL explicitly permits ICMP echo-reply, so only ping requests are blocked, not replies. Option C is wrong because the ACL does not block all ICMP traffic; it only denies ICMP type 8 while permitting other ICMP types, such as echo-reply and potentially others depending on the implicit permit or explicit rules.

198
MCQmedium

A security analyst detects unusual outbound traffic from a server to a known malicious IP. The server is running a critical business application. What should the analyst do FIRST?

A.Block all traffic from that server
B.Run antivirus on the server
C.Disconnect the server from the network
D.Alert the system administrator
AnswerC

Disconnecting provides quick containment to prevent further data exfiltration.

Why this answer

Option C is correct because immediate containment by disconnecting the server stops potential data exfiltration. Option A is too broad and may affect operations. Option B delays containment.

Option D is not a containment action.

199
MCQmedium

An organization is redesigning its DMZ to host a public web server and an internal file server. Which architecture provides the strongest security?

A.Place both servers in the DMZ with no firewall between them.
B.Place the web server on the internal network and the file server in the DMZ with a VPN.
C.Place both servers on the internal network with a stateful firewall inspecting traffic.
D.Place the web server in the DMZ and the file server on the internal network; allow only HTTP/HTTPS from web server to file server.
AnswerD

This isolates the file server and limits exposure.

Why this answer

Option D is correct because it follows the principle of least privilege and defense in depth by placing the public-facing web server in the DMZ, where it can be accessed from the internet, while the internal file server remains on the internal network, isolated from direct external access. Only HTTP/HTTPS traffic is allowed from the web server to the file server, typically enforced by a stateful firewall or an application-layer gateway, which minimizes the attack surface and prevents lateral movement if the web server is compromised.

Exam trap

The trap here is that candidates often assume placing both servers in the DMZ (Option A) is simpler and sufficient, but they overlook that the DMZ is a semi-trusted zone and internal servers should never be directly exposed to the internet or to compromised DMZ hosts without strict access controls.

How to eliminate wrong answers

Option A is wrong because placing both servers in the DMZ with no firewall between them exposes the internal file server directly to the internet, allowing any attacker who compromises the web server to access the file server without additional barriers, violating the segmentation principle. Option B is wrong because placing the file server in the DMZ with a VPN still exposes it to the internet (VPN termination is in the DMZ), and the web server on the internal network would require inbound internet traffic to traverse the internal network, increasing risk; VPNs do not replace the need for proper DMZ segmentation. Option C is wrong because placing both servers on the internal network with a stateful firewall inspecting traffic still exposes the internal network to direct internet traffic destined for the web server, bypassing the DMZ's isolation and increasing the risk of internal network compromise.

200
Drag & Dropmedium

Drag and drop the steps for establishing a VPN using IPsec in tunnel mode into the correct order.

Why this order

IPsec tunnel setup: IKE phase 1 (management SA), IKE phase 2 (IPsec SA), then apply to traffic.

201
MCQhard

After a ransomware attack, the recovery team restored systems from backups. However, some files remain encrypted. What is the most probable cause?

A.Backups were also encrypted
B.The backup software was compromised
C.The ransomware had a delayed encryption mechanism
D.Restoration process skipped some file types
AnswerA

If the ransomware encrypted files on the backup repository before restoration, restored files would remain encrypted.

Why this answer

If backups were also encrypted, the recovery team would restore encrypted copies of the files, leaving them in an encrypted state after restoration. This occurs when the ransomware has sufficient privileges to encrypt the backup repository or when backups are stored on a mounted volume that the ransomware can access. The most probable cause is that the backup data itself was compromised, not that the restoration process failed.

Exam trap

ISC2 often tests the misconception that restoration process errors (like skipping file types) are the primary cause, when in reality the integrity of the backup source is the critical factor in ransomware recovery scenarios.

How to eliminate wrong answers

Option B is wrong because a compromised backup software would typically prevent restoration entirely or introduce new malware, not leave specific files encrypted after a successful restore. Option C is wrong because a delayed encryption mechanism would encrypt files after restoration, not leave them encrypted from the backup source. Option D is wrong because skipping file types during restoration would result in missing files, not files that are present but still encrypted.

202
MCQhard

A system administrator notices that a server's certificate was issued by a CA that is not in the trusted root store of client machines. What is the most likely impact on clients connecting via TLS?

A.Clients will receive a certificate warning or be unable to connect.
B.The server will automatically obtain a new certificate.
C.Clients will connect but with reduced cipher strength.
D.Clients will be able to connect without any warning.
AnswerA

Untrusted CA causes a trust error, resulting in a warning or failure.

Why this answer

When a server presents a certificate issued by a Certificate Authority (CA) that is not in the client's trusted root store, the TLS handshake fails the trust chain validation. The client's TLS library (e.g., OpenSSL, Schannel) will either display a certificate warning to the user or terminate the connection with an error such as 'SEC_ERROR_UNKNOWN_ISSUER' in Firefox or 'ERR_CERT_AUTHORITY_INVALID' in Chrome, depending on the client's security policy.

Exam trap

The trap here is that candidates assume TLS connections will proceed with reduced security or a warning, but in strict implementations (e.g., many browsers and modern applications), the connection is completely blocked rather than just warned.

How to eliminate wrong answers

Option B is wrong because the server cannot automatically obtain a new certificate; certificate renewal or replacement requires manual intervention or an automated protocol like ACME, but the client's lack of trust does not trigger any automatic action on the server. Option C is wrong because TLS cipher strength is negotiated independently of certificate trust; a client will not downgrade ciphers due to an untrusted CA — the handshake will fail before cipher negotiation completes. Option D is wrong because clients enforce trust validation by default; they will not connect without a warning unless the user has explicitly disabled certificate validation (e.g., by adding an exception or using an insecure configuration like `CURLOPT_SSL_VERIFYPEER` set to false).

203
Multi-Selecthard

A security auditor is reviewing the cryptographic algorithms used in an organization. Which THREE of the following are considered insecure or deprecated and should be avoided? (Select THREE.)

Select 3 answers
A.RSA-2048
B.DES
C.3DES
D.AES-256
E.MD5
AnswersB, C, E

DES uses a 56-bit key, making it vulnerable to brute-force attacks.

Why this answer

DES (Data Encryption Standard) uses a 56-bit key, which is too short to withstand modern brute-force attacks; it was officially withdrawn as a standard by NIST in 2005. 3DES, while an improvement, is now deprecated due to its relatively slow performance and susceptibility to meet-in-the-middle attacks, with NIST disallowing it for new applications after 2023. MD5 is a broken hash algorithm; collision attacks (e.g., using a chosen-prefix collision) can be performed in seconds on commodity hardware, making it unsuitable for any security-sensitive use.

Exam trap

ISC2 often tests the misconception that 3DES is still acceptable because it is 'triple' strength, but the trap is that both DES and 3DES are deprecated due to small block sizes and key lengths, while MD5 is often mistakenly considered safe for checksums despite its proven collision vulnerabilities.

204
MCQeasy

A company wants to secure wireless communication for guests. Which protocol provides the strongest encryption for a wireless network?

A.WEP with 128-bit key
B.WPA2-PSK with TKIP
C.WPA2-PSK with AES
D.WPA3-SAE
AnswerD

WPA3-SAE offers the strongest encryption and authentication.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) provides the strongest encryption for wireless networks, using 128-bit AES in CCMP mode for encryption and replacing the Pre-Shared Key (PSK) exchange with a more secure handshake that resists offline dictionary attacks. This makes it the most secure option among the choices, especially for guest networks where authentication security is critical.

Exam trap

The trap here is that candidates often assume WPA2-PSK with AES is the strongest because it uses AES encryption, but they overlook the vulnerability of the PSK authentication method to offline dictionary attacks, which WPA3-SAE specifically addresses with SAE.

How to eliminate wrong answers

Option A is wrong because WEP with a 128-bit key still uses the flawed RC4 stream cipher and a weak integrity check (CRC-32), making it vulnerable to key recovery attacks within minutes regardless of key length. Option B is wrong because WPA2-PSK with TKIP (Temporal Key Integrity Protocol) is a deprecated protocol that still uses RC4 and is susceptible to attacks like Beck-Tews and Michael MIC exhaustion, offering weaker encryption than AES. Option C is wrong because while WPA2-PSK with AES provides strong encryption via AES-CCMP, it relies on the 4-way handshake with a pre-shared key that is vulnerable to offline dictionary attacks if the passphrase is weak, making it less secure than WPA3-SAE.

205
Multi-Selecteasy

Which TWO of the following are examples of administrative controls? (Choose two.)

Select 2 answers
A.Firewall rules
B.Access control policies
C.Security awareness training
D.Security guards
E.Encryption of data at rest
AnswersB, C

Policies are administrative controls.

Why this answer

Access control policies (B) are administrative controls because they define the rules, procedures, and responsibilities for managing access to resources, forming the governance framework that guides technical and physical implementations. Security awareness training (C) is also an administrative control as it educates users on security policies and procedures, reducing human error and reinforcing organizational security culture.

Exam trap

The trap here is that candidates often confuse administrative controls with technical or physical controls, mistakenly selecting firewall rules or encryption because they are common security measures, but the SSCP exam specifically tests the distinction between administrative (policy/training), technical (software/hardware), and physical (guards/locks) control categories.

206
Multi-Selecthard

Which THREE of the following are common use cases for public key infrastructure (PKI)? (Select exactly three.)

Select 3 answers
A.Password hashing
B.Symmetric key exchange
C.Digital signatures
D.Email encryption (S/MIME)
E.SSL/TLS certificate authentication
AnswersC, D, E

PKI enables digital signatures using certificates.

Why this answer

Digital signatures are a core use case for PKI because they rely on asymmetric cryptography where a private key signs data and the corresponding public key, bound to an identity via a digital certificate issued by a Certificate Authority (CA), verifies the signature. This ensures authenticity, integrity, and non-repudiation of the signed message or document.

Exam trap

The trap here is that candidates may confuse the mechanism (e.g., using PKI to exchange a symmetric key) with a direct use case of PKI, or mistakenly think password hashing involves certificates, when PKI is specifically about public key certificates, not symmetric key exchange or hashing algorithms.

207
Multi-Selectmedium

Which TWO of the following are required properties of a cryptographically secure hash function? (Select exactly 2.)

Select 2 answers
A.Deterministic output
B.Collision resistance
C.High speed for large inputs
D.Low output entropy
E.Preimage resistance
AnswersB, E

It should be infeasible to find two different inputs with the same hash.

Why this answer

Collision resistance (B) is a required property because it ensures that it is computationally infeasible to find two distinct inputs that produce the same hash output. Without this property, an attacker could substitute a legitimate message with a fraudulent one that yields an identical hash, breaking the integrity guarantees of the hash function. This is a fundamental requirement for digital signatures and message authentication codes (MACs) in cryptographic protocols.

Exam trap

ISC2 often tests the distinction between general hash function properties (like deterministic output) and the specific security properties required for cryptographic use, leading candidates to mistakenly select deterministic output as a required property when it is merely a basic characteristic of any hash function.

208
MCQeasy

Refer to the exhibit. What is the effect of this access control list on traffic entering the interface?

A.Permits only TCP traffic to 10.0.0.1 on port 22
B.Allows SSH to 10.0.0.1 and blocks all other traffic with logging
C.Blocks all traffic except SSH and logs the denied packets
D.Allows all TCP traffic to any host on port 22
E.Allows all traffic to 10.0.0.1
AnswerB

The permit allows SSH, the deny blocks all else with log.

Why this answer

Option B is correct because the ACL shown (likely an extended IP access list with a permit statement for TCP port 22 to host 10.0.0.1 followed by a deny ip any any log statement) permits SSH traffic to 10.0.0.1 and explicitly denies all other traffic while logging the denied packets. The implicit deny at the end of every ACL would block unmatched traffic, but the explicit deny with the 'log' keyword ensures that denied packets are logged, which matches the description in B.

Exam trap

ISC2 often tests the distinction between the implicit deny (which does not log) and an explicit deny with the 'log' keyword, leading candidates to mistakenly think that all denied traffic is automatically logged.

How to eliminate wrong answers

Option A is wrong because the ACL permits only TCP traffic to 10.0.0.1 on port 22, but it does not block all other traffic with logging—the explicit deny with log is required for that behavior, and the question states the ACL includes such a deny. Option C is wrong because it says 'blocks all traffic except SSH and logs the denied packets,' which is essentially the same as B, but B is more precise in stating 'Allows SSH to 10.0.0.1 and blocks all other traffic with logging'—the key difference is that C incorrectly implies the ACL logs all denied packets without specifying that the deny is explicit, while B correctly captures the explicit deny with log. Option D is wrong because the ACL is specific to host 10.0.0.1, not 'any host,' and it only permits port 22, not all TCP traffic.

Option E is wrong because the ACL does not allow all traffic to 10.0.0.1; it only permits TCP port 22 and denies everything else.

209
MCQeasy

A company is migrating its on-premises applications to a public cloud. Which security control is MOST important to implement to protect data in transit?

A.Enable server-side encryption for cloud storage.
B.Implement data classification labels.
C.Use IPsec VPNs for all cloud connections.
D.Ensure all data transmissions use TLS 1.2 or higher.
AnswerD

TLS encrypts data in transit and is widely supported.

Why this answer

TLS 1.2 or higher is the standard protocol for encrypting data in transit over public networks, ensuring confidentiality and integrity between client and server. It is the most critical control because it directly protects data as it moves across the internet to the cloud, which is the primary risk in a migration scenario.

Exam trap

The trap here is that candidates often confuse IPsec VPNs (which protect network-layer traffic) with the application-layer encryption provided by TLS, assuming VPNs are always superior for cloud connections, but TLS is the standard and most practical control for protecting data in transit to public cloud services.

How to eliminate wrong answers

Option A is wrong because server-side encryption protects data at rest in cloud storage, not data in transit. Option B is wrong because data classification labels help manage access and handling policies but do not encrypt or protect data during transmission. Option C is wrong because IPsec VPNs secure site-to-site connections but are not the most important for all cloud connections; many cloud services use HTTPS/TLS natively, and forcing all traffic through a VPN can introduce latency and complexity without providing better protection than TLS for application-layer data.

210
MCQeasy

A company wants to ensure that employees use strong passwords. Which policy is most effective?

A.Prohibit password reuse for the last 10 passwords.
B.Require password changes every 30 days.
C.Require a minimum password length of 12 characters.
D.Require a mix of uppercase, lowercase, numbers, and symbols.
AnswerC

Length is the most important factor for password strength.

Why this answer

Option C is correct because password length is the single most important factor in resistance to brute-force and rainbow table attacks. NIST SP 800-63B and industry best practices now recommend a minimum of 12–16 characters, as each additional character exponentially increases the keyspace. While complexity adds some entropy, a long passphrase is far more effective against modern GPU-based cracking than a short, complex password.

Exam trap

The trap here is that many candidates overvalue complexity (uppercase, numbers, symbols) because of legacy policies, but Cisco tests the modern NIST guidance that password length trumps complexity and periodic changes.

How to eliminate wrong answers

Option A is wrong because prohibiting reuse of the last 10 passwords does not prevent weak passwords from being chosen; it only prevents immediate repetition, and attackers can still crack a weak password if it is not in the history. Option B is wrong because forcing changes every 30 days often leads users to create predictable patterns (e.g., Password1!, Password2!) or write passwords down, reducing overall security; NIST now advises against arbitrary periodic expiration. Option D is wrong because requiring a mix of character types without a sufficient length is ineffective—a 6-character password with all four types has only ~2^36 possibilities, which can be brute-forced in minutes, whereas a 12-character lowercase-only password has ~2^56 possibilities, making length far more impactful than complexity alone.

211
MCQhard

During a security audit, it is discovered that a system administrator shared their personal credentials with a colleague to troubleshoot an issue after hours. This violates the company's policy regarding password sharing. Which control would BEST prevent this type of incident in the future?

A.Implement a two-person rule for administrative actions.
B.Enforce a stricter password complexity policy.
C.Require multifactor authentication for all systems.
D.Deploy a privileged access management (PAM) solution.
AnswerD

PAM allows temporary access without sharing credentials.

Why this answer

Option D is correct because a Privileged Access Management (PAM) solution provides temporary, audited access without sharing permanent credentials. Option A is wrong because a two-person rule is for dual control, not sharing prevention. Option C is wrong because, while MFA adds a layer, it does not prevent sharing of the first factor.

Option B is wrong because password complexity does not deter sharing. Option E is wrong because training is important but less effective than a technical control.

212
MCQmedium

Based on the exhibit, which conclusion is most likely?

A.Two hosts are consistently downloading malware.
B.The downloads are false positives.
C.The threat has been contained.
D.The proxy is blocking the downloads.
AnswerA

The logs show repeated successful GET requests for an executable from a known malware domain by two IPs.

Why this answer

Option A is correct because two internal hosts (192.168.1.10 and .20) repeatedly download an executable from a known malware domain. The HTTP status 200 indicates successful downloads. Option B is incorrect because 'TCP_MISS' and 'DIRECT' show the proxy allowed the request.

Option C is unlikely given the repeated connections to a malware domain. Option D is incorrect because the activity is ongoing.

213
MCQeasy

In the context of risk assessment, which of the following best describes a vulnerability?

A.A potential event that can cause harm
B.The likelihood of a threat exploiting a weakness
C.An actual occurrence of a harmful event
D.A weakness in a system that can be exploited
AnswerD

Correct definition.

Why this answer

In risk assessment, a vulnerability is specifically a weakness in a system, application, or process that can be exploited by a threat. Option D correctly defines this as a weakness that can be exploited, which aligns with the NIST SP 800-30 definition of vulnerability as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Exam trap

The trap here is that candidates confuse 'vulnerability' with 'threat' (Option A) or 'risk' (Option B), because risk assessment terminology is often used interchangeably in casual conversation, but the SSCP exam strictly defines vulnerability as a weakness, not the event or likelihood.

How to eliminate wrong answers

Option A is wrong because it describes a threat (a potential event that can cause harm), not a vulnerability. Option B is wrong because it describes risk (the likelihood of a threat exploiting a weakness), which combines threat, vulnerability, and impact. Option C is wrong because it describes an incident or actual occurrence of a harmful event, which is the realization of a threat exploiting a vulnerability, not the vulnerability itself.

214
Matchingmedium

Match each network security device to its function.

Filters traffic based on rules

Monitors and alerts on suspicious activity

Blocks malicious traffic in real-time

Manages encrypted tunnels

Why these pairings

These devices are commonly used in network security.

215
MCQhard

A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?

A.Technical vulnerability indicator
B.User behavior risk indicator
C.Error log indicator
D.Configuration drift indicator
AnswerB

The unusual access pattern is a behavioral indicator of potential insider threat or compromise.

Why this answer

The activity describes a user downloading a large volume of sensitive data at an anomalous time (3:00 AM) without authorization, which directly maps to a User Behavior Risk Indicator (UBRI). UBRI focuses on deviations from established baselines of user actions, such as unusual access times, data volumes, or locations, to detect potential insider threats or compromised accounts. This is not a technical vulnerability, error log, or configuration issue, but a behavioral anomaly that requires investigation.

Exam trap

ISC2 often tests the distinction between technical indicators (like vulnerabilities or errors) and behavioral indicators, trapping candidates who confuse a user's anomalous action with a system-level flaw or log entry.

How to eliminate wrong answers

Option A is wrong because a technical vulnerability indicator refers to a flaw in software, hardware, or network design (e.g., an unpatched CVE in the database server) that could be exploited, not an anomalous user action. Option C is wrong because an error log indicator is derived from system or application error messages (e.g., failed login attempts, disk I/O errors), not from successful but suspicious user behavior. Option D is wrong because configuration drift indicator tracks changes to system settings or policies over time (e.g., a firewall rule being altered or a registry key modified), not a user's data access pattern.

216
Matchingmedium

Match each security policy type to its purpose.

Defines proper use of resources

Requirements for password strength

Categorizes data sensitivity

Procedures for handling breaches

Why these pairings

These policies are foundational in information security.

217
MCQmedium

Refer to the exhibit. A security analyst observes this event on a workstation. What is the MOST likely explanation?

A.Microsoft Office is performing an automatic update.
B.A scheduled task triggered the command.
C.A user ran a legitimate command from the Start menu.
D.A malicious macro in a Word document executed the command.
AnswerD

Macros can execute shell commands; this is a common attack vector.

Why this answer

The event shows a command prompt launching with a base64-encoded PowerShell command, which is a common technique used by malicious macros to download and execute payloads. Microsoft Office macros can invoke cmd.exe or PowerShell to bypass security controls, and the encoded command suggests obfuscation typical of malware, not legitimate software updates or user actions.

Exam trap

ISC2 often tests the distinction between legitimate system processes and obfuscated command execution, where candidates mistake encoded PowerShell commands for normal update or task operations instead of recognizing them as indicators of macro-based malware.

How to eliminate wrong answers

Option A is wrong because Microsoft Office automatic updates are managed by the Office Click-to-Run service or Windows Update, not by launching a base64-encoded PowerShell command from cmd.exe. Option B is wrong because scheduled tasks typically run with a clear task name and path in the command line, not with obfuscated PowerShell commands that hide the actual execution. Option C is wrong because a user running a legitimate command from the Start menu would not involve a base64-encoded PowerShell command; such encoding is used to conceal malicious intent, not for normal user operations.

218
MCQhard

A security analyst reviews the syslog message from a router. What does this log entry indicate?

A.The router's ACL is misconfigured and is blocking all traffic.
B.An external host attempted to access an internal web server and was blocked.
C.An internal host attempted to access an external web server and was blocked.
D.An internal host successfully accessed an external web server.
AnswerC

The ACL denied the TCP connection to port 80.

Why this answer

The log entry shows a packet from source IP 10.0.0.2 (internal) to destination IP 203.0.113.5 (external) on port 80 (HTTP) being denied by the router's access control list (ACL). The 'DENY' action indicates the traffic was blocked, not allowed. Since the source is internal and the destination is external, this matches an outbound connection attempt being blocked.

Exam trap

ISC2 often tests the ability to distinguish source vs. destination IPs in ACL logs, and the trap here is that candidates may misidentify the internal IP (10.0.0.2) as external due to not recognizing RFC 1918 private addresses, leading them to choose option B.

How to eliminate wrong answers

Option A is wrong because the log shows only specific traffic being denied (source 10.0.0.2 to 203.0.113.5:80), not all traffic; a misconfigured ACL blocking all traffic would show multiple denials for various protocols and ports. Option B is wrong because the source IP (10.0.0.2) is internal (RFC 1918 private address), not external; an external host would have a public IP. Option D is wrong because the log explicitly states 'DENY', meaning the packet was blocked, not successfully accessed.
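
The source/destination reasoning above can be automated. The following is an added example (not part of the question bank) that parses a constructed Cisco-style ACL syslog line, classifies the flow as inbound or outbound using the RFC 1918 ranges, and reports whether it was blocked; the log line, router name and ACL number are constructed sample values.

```python
import ipaddress
import re

# Constructed sample line in IOS "%SEC-6-IPACCESSLOGP" style; not the page's exhibit.
SAMPLE_LOG = ("Jan 12 10:15:32 edge-router 105: %SEC-6-IPACCESSLOGP: "
              "list 101 denied tcp 10.0.0.2(51234) -> 203.0.113.5(80), 1 packet")

ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Only the three RFC 1918 blocks count as "internal" here. Note that Python's
# ip_address(...).is_private also covers 203.0.113.0/24 (TEST-NET-3), so it is
# deliberately not used for this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICES = {80: "http", 443: "https", 22: "ssh"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_acl_event(line: str) -> dict:
    """Parse an ACL log line and label its direction and verdict."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("not an ACL log line")
    src, dst = m["src"], m["dst"]
    if is_internal(src) and not is_internal(dst):
        direction = "outbound"
    elif not is_internal(src) and is_internal(dst):
        direction = "inbound"
    elif is_internal(src) and is_internal(dst):
        direction = "internal"
    else:
        direction = "transit"  # neither side is a private address
    dport = int(m["dport"])
    return {"acl": m["acl"], "blocked": m["action"] == "denied",
            "direction": direction, "src": src, "dst": dst,
            "dport": dport, "service": SERVICES.get(dport, "other")}


def summarize(line: str) -> str:
    e = classify_acl_event(line)
    verdict = "blocked" if e["blocked"] else "allowed"
    return (f"{e['direction']} {e['service']} from {e['src']} to "
            f"{e['dst']}:{e['dport']} {verdict} by ACL {e['acl']}")


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```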

219
MCQeasy

A security administrator is configuring a firewall to allow HTTPS traffic from the internet to a web server. Which default port must be permitted?

A.8443
B.8080
C.443
D.80
AnswerC

HTTPS utilizes port 443 as its default port for secure communications.

Why this answer

HTTPS uses port 443 by default. Port 80 is HTTP, 8080 is a common HTTP alternative, and 8443 is a common HTTPS alternative but not the default.

220
MCQmedium

A network administrator needs to ensure that internal users can access only approved external websites. Which technology should be implemented?

A.Web Proxy with content filtering
B.Intrusion Prevention System (IPS)
C.Virtual Private Network (VPN)
D.Network Address Translation (NAT)
AnswerA

A proxy can enforce URL whitelists/blacklists.

Why this answer

A web proxy with content filtering intercepts HTTP/HTTPS requests from internal users and applies policy rules (e.g., URL whitelists, category blocking) to allow only approved external websites. This technology operates at the application layer, inspecting the full URL and content, making it the correct choice for granular access control.

Exam trap

ISC2 often tests the misconception that an IPS or firewall can perform URL filtering, but these devices typically filter based on IP/port/application signatures, not full URL paths or content categories, which is the specific function of a web proxy with content filtering.

How to eliminate wrong answers

Option B (Intrusion Prevention System) is wrong because an IPS monitors network traffic for malicious activity and blocks attacks, not for enforcing website access policies based on URL or content categories. Option C (Virtual Private Network) is wrong because a VPN creates an encrypted tunnel for secure remote access but does not filter or restrict which external websites users can visit. Option D (Network Address Translation) is wrong because NAT translates private IP addresses to a public IP for internet connectivity and has no capability to filter or approve specific websites.

221
Drag & Dropmedium

Drag and drop the steps for implementing a patch management process into the correct order.

Why this order

Patch management: inventory, assess, test, deploy, verify.

222
MCQeasy

A help desk technician receives multiple reports that users cannot access a critical web application. The application's error log shows repeated '403 Forbidden' errors. Which of the following is the most likely cause?

A.The web application firewall is blocking legitimate traffic.
B.The SSL certificate has expired.
C.The application's database connection pool is exhausted.
D.The web server's IP address has changed.
AnswerA

WAFs often return 403 Forbidden when security rules trigger on legitimate traffic.

Why this answer

Option A is correct because a 403 Forbidden error typically indicates that the web application firewall (WAF) is blocking requests, often due to false positives. Option D is incorrect because an IP change would result in connection errors, not HTTP 403. Option C is incorrect because database connection pool exhaustion would cause 500-type errors. Option B is incorrect because an expired SSL certificate would cause SSL handshake errors, not 403.

223
Multi-Selectmedium

Which two components are integral to a Kerberos authentication system? (Select TWO)

Select 2 answers
A.Authentication Server (AS)
B.Key Distribution Center (KDC)
C.Ticket Granting Ticket (TGT)
D.Certificate Authority (CA)
E.Security Assertion Markup Language (SAML)
AnswersB, C

The KDC is the central component that authenticates users and issues tickets.

Why this answer

The Key Distribution Center (KDC) is the core component of a Kerberos authentication system, responsible for issuing tickets and managing session keys. The Ticket Granting Ticket (TGT) is a temporary credential obtained from the Authentication Server (AS) within the KDC, used to request service tickets without re-entering credentials. Both are integral to the Kerberos protocol (RFC 4120) for secure, ticket-based authentication.

Exam trap

The trap here is that candidates often select 'Authentication Server (AS)' as a separate component, not realizing it is a subcomponent of the KDC, and thus fail to recognize that the KDC and TGT are the two integral components tested.

224
MCQhard

An organization implements an attribute-based access control (ABAC) system with the following policy: if user.role == 'doctor' and resource.type == 'patient_record' and environment.time between 08:00-18:00 then permit. A doctor tries to access a patient record at 20:00. What is the result?

A.Permit
B.Indeterminate
C.Not applicable
D.Deny
AnswerD

Since the time condition is not satisfied, the policy does not grant access, and the default deny rule applies.

Why this answer

The ABAC policy requires the environment.time to be between 08:00 and 18:00 for access to be permitted. Since the doctor attempts access at 20:00, which falls outside this time window, the condition is not met, and the policy evaluates to 'deny' by default in a closed-system ABAC model. The correct result is Deny (option D).

Exam trap

ISC2 often tests the default deny principle in ABAC, where candidates mistakenly assume a missing explicit 'deny' rule means 'permit' or 'not applicable', but the absence of a matching permit condition results in an implicit deny.

How to eliminate wrong answers

Option A is wrong because 'permit' would only occur if all conditions in the policy are satisfied, but the time condition (08:00-18:00) is false at 20:00. Option B is wrong because 'indeterminate' typically arises from missing attributes or policy evaluation errors, not from a clear false condition; here, all attributes are present and the time is explicitly outside the allowed range. Option C is wrong because 'not applicable' would mean the policy does not match the request at all, but the user role and resource type do match; the policy applies, but the time condition fails, leading to a deny.
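
The four outcomes distinguished above (Permit, Deny, Not applicable, Indeterminate) can be made concrete with a small policy decision point. The following is an added example, not part of the question bank: it evaluates the page's doctor/patient_record/08:00-18:00 policy under the closed-system (default-deny) model the explanation describes, with attribute names and the request dictionaries constructed for illustration.

```python
from datetime import time

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Policy from the question: role == doctor AND type == patient_record AND 08:00-18:00 -> permit.
WORK_HOURS = (time(8, 0), time(18, 0))


def target_matches(request: dict) -> bool:
    """Target: does this policy talk about the subject and resource at all?"""
    return (request.get("user.role") == "doctor"
            and request.get("resource.type") == "patient_record")


def evaluate_policy(request: dict) -> str:
    """Closed-system evaluation as the explanation describes it:
    - target does not match            -> NotApplicable
    - attribute missing / wrong type   -> Indeterminate
    - target matches, condition true   -> Permit
    - target matches, condition false  -> Deny (implicit deny)
    """
    if not target_matches(request):
        return NOT_APPLICABLE
    try:
        t = request["environment.time"]          # KeyError if the attribute is absent
        if not isinstance(t, time):
            raise TypeError("environment.time must be a datetime.time")
    except (KeyError, TypeError):
        return INDETERMINATE                     # evaluation error, not a policy verdict
    return PERMIT if WORK_HOURS[0] <= t <= WORK_HOURS[1] else DENY


def access_granted(request: dict) -> bool:
    """PEP view: only an explicit Permit opens the door; everything else is refused."""
    return evaluate_policy(request) == PERMIT


# Constructed requests (not from the page): the doctor at 20:00 and variants.
DOCTOR_AT_20 = {"user.role": "doctor", "resource.type": "patient_record",
                "environment.time": time(20, 0)}
DOCTOR_AT_10 = {**DOCTOR_AT_20, "environment.time": time(10, 0)}
NURSE_AT_10 = {**DOCTOR_AT_10, "user.role": "nurse"}
DOCTOR_NO_TIME = {"user.role": "doctor", "resource.type": "patient_record"}

if __name__ == "__main__":
    for name, req in [("doctor@20:00", DOCTOR_AT_20), ("doctor@10:00", DOCTOR_AT_10),
                      ("nurse@10:00", NURSE_AT_10), ("doctor, no time", DOCTOR_NO_TIME)]:
        print(f"{name:16} -> {evaluate_policy(req)} (granted={access_granted(req)})")
```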

225
MCQhard

What is the analyst's BEST next step?

A.Isolate the system
B.Block PowerShell execution
C.Decode the command to analyze
D.Run a full antivirus scan
AnswerC

Decoding allows the analyst to determine if the command is malicious.

Why this answer

Option C is correct because decoding the encoded PowerShell command will reveal the payload. Option A is premature without understanding the threat. Option B is less helpful. Option D may break legitimate functionality.
