Systems Security Certified Practitioner SSCP (SSCP) — Questions 226300

504 questions total · 7pages · All types, answers revealed

Page 3

Page 4 of 7

Page 5
226
Multi-Selecthard

Which THREE of the following are common techniques for identifying risks?

Select 3 answers
A.Stakeholder interviews
B.Penetration testing
C.SWOT analysis
D.Quantitative risk analysis
E.Brainstorming sessions
AnswersA, C, E

Interviews with knowledgeable individuals are a key identification technique.

Why this answer

Stakeholder interviews are a common technique for identifying risks because they leverage the knowledge and experience of individuals who have a direct interest in or are affected by the project or system. By engaging stakeholders, you can uncover risks that may not be apparent from documentation or technical analysis, as they provide insights into operational, regulatory, and business-specific threats. This aligns with the risk identification process in the SSCP domain, which emphasizes gathering input from diverse sources to build a comprehensive risk profile.

Exam trap

ISC2 often tests the distinction between risk identification techniques and risk analysis or validation techniques, so the trap here is confusing a method like penetration testing (which validates controls) or quantitative analysis (which evaluates risk) with the initial discovery process of risk identification.

227
MCQhard

A Linux server administrator configures SSH key-based authentication for user 'admin'. The authentication fails with the error 'Authentication refused: bad permissions' in the logs. What is the most likely cause?

A.The SSH service is not running
B.The private key file has permissions set to 644 (world-readable)
C.The public key is not in the ~/.ssh/authorized_keys file
D.The passphrase on the private key is incorrect
AnswerB

SSH daemon checks private key permissions; if too permissive, it refuses authentication for security.

Why this answer

Option B is correct because SSH key-based authentication requires the private key file to have restrictive permissions (typically 600 or 640) to prevent unauthorized access. When the private key is world-readable (e.g., 644), the SSH daemon refuses to use it for security reasons, logging 'Authentication refused: bad permissions'. This is a direct check performed by OpenSSH to protect against key disclosure.

Exam trap

ISC2 often tests the distinction between file permission errors and other authentication failures, trapping candidates who confuse 'bad permissions' with missing keys or incorrect passphrases.

How to eliminate wrong answers

Option A is wrong because if the SSH service were not running, the error would be a connection timeout or 'Connection refused', not an authentication-specific permission error. Option C is wrong because a missing public key in authorized_keys would result in 'Permission denied (publickey)' or 'No supported authentication methods available', not a 'bad permissions' error. Option D is wrong because an incorrect passphrase would prompt for the passphrase again or fail with 'Permission denied', but the error 'bad permissions' specifically refers to file permission checks, not passphrase validation.

228
Multi-Selecthard

Which THREE of the following are key elements of a security incident response plan?

Select 3 answers
A.Vendor management process
B.Preparation and training
C.Restoring all systems from backup
D.Containment, eradication, and recovery
E.Detection and analysis
AnswersB, D, E

Preparation is the first phase of the incident response process.

Why this answer

Preparation and training (Option B) is a key element because an incident response plan must include establishing and rehearsing procedures, roles, and tools before an incident occurs. Without trained personnel and tested playbooks, the response will be chaotic and ineffective, regardless of other plan components.

Exam trap

ISC2 often tests the misconception that 'restoring all systems from backup' is a standalone key element, when in fact it is a sub-step of the recovery phase and must be preceded by containment and eradication to avoid reinfection.

229
MCQeasy

Which of the following is a primary function of a firewall?

A.Filter traffic based on rules
B.Assign IP addresses
C.Encrypt network traffic
D.Detect malware on endpoints
AnswerA

Firewalls enforce security policies by filtering packets.

Why this answer

A firewall's primary function is to filter network traffic based on a defined set of security rules, such as source/destination IP addresses, ports, and protocols. It operates at the network layer (or higher) to permit or deny packets, acting as a barrier between trusted and untrusted networks. This rule-based filtering is the core mechanism that enforces access control policies.

Exam trap

The trap here is that candidates often confuse a firewall's primary function with ancillary features like VPN termination or intrusion detection, but the SSCP exam emphasizes that filtering traffic based on rules is the fundamental and defining role of a firewall.

How to eliminate wrong answers

Option B is wrong because assigning IP addresses is the function of a DHCP server, not a firewall; firewalls may integrate DHCP services but that is not their primary role. Option C is wrong because encrypting network traffic is performed by VPN gateways, IPsec, or TLS, not by a standard firewall; firewalls can inspect encrypted traffic but do not perform the encryption themselves. Option D is wrong because detecting malware on endpoints is the function of endpoint protection platforms (EPP) or antivirus software; firewalls may include intrusion prevention systems (IPS) to detect network-based threats, but endpoint malware detection is outside their scope.

230
MCQeasy

A small financial services company has deployed a SIEM solution collecting logs from their firewall, web server, and domain controller. They also have an IDS monitoring the network perimeter. The security analyst receives an alert from the IDS indicating a potential exploit attempt against the web server from an external IP. The analyst checks the SIEM and sees that the firewall log shows the connection was allowed, but the web server log does not show any corresponding request. The domain controller logs show no abnormal activity. The company has a policy to immediately contain any confirmed threats. What should the analyst do first based on this information?

A.Reboot the web server to clear any potential memory-resident malware
B.Block the external IP at the firewall
C.Verify the web server's integrity by checking for filesystem changes or anomalous processes
D.Escalate the alert to the incident response team
AnswerC

The missing log entry could be an anomaly; checking the server ensures no compromise occurred.

Why this answer

The IDS alert indicates a possible exploit, but the missing web server log suggests the request may have been blocked or the IDS generated a false positive. However, the firewall allowed the connection, so it is possible the traffic reached the web server but the log entry is missing or delayed. The safest first step is to verify the web server's integrity by checking for signs of compromise (Option B).

Immediately blocking the external IP (Option A) might disrupt legitimate traffic if the alert is false. Rebooting (C) could destroy forensic evidence. Escalating (D) without verification wastes time.

231
MCQeasy

Which backup strategy is MOST suitable for a server with an RTO of 4 hours and an RPO of 15 minutes?

A.Full backup daily, transaction log backup every 15 minutes
B.Full backup daily
C.Full backup monthly, incremental daily
D.Full backup weekly, differential daily
AnswerA

Transaction log backups every 15 minutes meet RPO; full daily allows recovery within RTO.

Why this answer

A full backup daily combined with transaction log backups every 15 minutes meets the RPO of 15 minutes by allowing point-in-time recovery to within that window, and the full backup ensures the RTO of 4 hours is achievable because restoring the full backup plus the transaction logs is a well-understood process that can complete within the time limit. Transaction log backups capture every committed change, enabling granular recovery without requiring a full backup more frequently.

Exam trap

ISC2 often tests the distinction between RPO and RTO by making candidates think that more frequent full backups are needed for a low RPO, when in fact transaction log or differential backups can achieve the same with less overhead, and the trap here is assuming that incremental or differential backups alone can meet a 15-minute RPO without log backups.

How to eliminate wrong answers

Option B is wrong because a daily full backup alone cannot achieve an RPO of 15 minutes; any data loss would be up to 24 hours. Option C is wrong because monthly full backups with incremental daily backups would require restoring the full backup plus all incrementals, which is slow and cannot guarantee an RTO of 4 hours, and the RPO would be up to 24 hours (not 15 minutes). Option D is wrong because a weekly full backup with differential daily backups still results in an RPO of up to 24 hours (since differentials do not provide point-in-time recovery within 15 minutes), and restoring a full backup plus a differential can be time-consuming, risking the 4-hour RTO.

232
MCQhard

During a security incident, the IR team collects memory dumps from an infected workstation. The analysis reveals a process injecting code into 'svchost.exe'. Which technique is most likely being used?

A.Process hollowing
B.Reflective DLL injection
C.Token stealing
D.DLL injection
AnswerD

DLL injection loads a malicious DLL into a target process.

Why this answer

DLL injection is the most likely technique because it involves a process loading a malicious DLL into the address space of a legitimate process like svchost.exe. This is typically achieved using Windows API calls such as CreateRemoteThread and LoadLibrary, allowing the attacker to execute code within the trusted svchost.exe context, evading detection by blending in with legitimate system processes.

Exam trap

The trap here is that candidates often confuse DLL injection with process hollowing, but process hollowing replaces the process's code entirely, whereas the question describes injecting code into an already running svchost.exe, which aligns with DLL injection.

How to eliminate wrong answers

Option A is wrong because process hollowing replaces the legitimate code of a process (e.g., svchost.exe) with malicious code in its own memory space, but the question specifies code injection into an existing svchost.exe, not replacement of its code. Option B is wrong because reflective DLL injection loads a DLL from memory without using the standard Windows loader (LoadLibrary), but the question does not indicate a need to avoid the loader or bypass detection mechanisms like API monitoring; standard DLL injection is more common for this scenario. Option C is wrong because token stealing is a privilege escalation technique that involves duplicating or impersonating a security token (e.g., using DuplicateTokenEx) to gain higher privileges, not a method for injecting code into a process.

233
Multi-Selectmedium

Which TWO of the following are effective measures to prevent cross-site scripting (XSS) vulnerabilities in a web application?

Select 2 answers
A.Implement a Content Security Policy (CSP).
B.Use a web application firewall (WAF) to block known XSS payloads.
C.Replace GET requests with POST for all form submissions.
D.Encode all user input before displaying it in HTTP responses.
E.Use HTTPS for all communications.
AnswersA, D

CSP restricts sources of executable scripts, mitigating XSS even if injection occurs.

Why this answer

Options B and C are correct because output encoding prevents XSS by neutralizing script payloads, and Content Security Policy (CSP) provides a browser-level defense that restricts script execution. Option A is incorrect because HTTPS only encrypts data in transit, not preventing XSS. Option D is incorrect because WAFs can block some XSS attempts but are not a prevention measure at the application level.

Option E is incorrect because HTTP method does not affect XSS.

234
Multi-Selecthard

Which THREE of the following are common indicators of a cross-site scripting (XSS) attack? (Choose three.)

Select 3 answers
A.Unusual cookie values or multiple cookies
B.JavaScript execution in the browser's developer console that was not initiated by the user
C.Presence of script tags in the page source that are not part of the original application
D.Unexpected pop-up windows in the browser
E.Unusual network traffic to external IP addresses
AnswersB, C, D

XSS payloads often execute script automatically.

Why this answer

Option B is correct because XSS attacks often inject malicious JavaScript that executes in the victim's browser without user initiation. Observing unexpected script execution in the developer console indicates that an attacker's payload has run, which is a direct sign of a successful XSS exploit.

Exam trap

ISC2 often tests the distinction between direct indicators of an attack (like unexpected script execution or script tags) and secondary consequences (like unusual network traffic or cookie anomalies), causing candidates to select options that are results of an attack rather than the attack itself.

235
MCQeasy

Refer to the exhibit. What does this event indicate?

A.A successful logon for the Administrator account.
B.An interactive logon failure for the Administrator account.
C.The Administrator account is locked out.
D.A failed logon attempt for the Administrator account from the network.
AnswerD

The event shows a failed logon for Administrator via network (logon type 3).

Why this answer

The event shows a logon failure with a status code indicating the account is disabled or locked, but the exhibit specifically references a network logon (logon type 3) for the Administrator account. Option D is correct because the failure is from the network, not interactive or locked out, and the event ID 4625 with logon type 3 indicates a failed network logon attempt.

Exam trap

The trap here is that candidates confuse a failed logon with an account lockout, or misinterpret logon type 3 as interactive, because they focus on the 'Administrator' account name rather than the logon type and status code details.

How to eliminate wrong answers

Option A is wrong because the event is a failure (event ID 4625), not a success (event ID 4624). Option B is wrong because logon type 3 indicates a network logon, not an interactive logon (logon type 2 or 10). Option C is wrong because a locked-out account would show a specific status code like 0xC0000234, not the generic failure code in the exhibit; the event does not indicate lockout.

236
MCQhard

An organization wants to implement a centralized authentication system that supports single sign-on and uses tickets. Which technology should they choose?

A.LDAP
B.Kerberos
C.SAML
D.RADIUS
AnswerB

Kerberos uses a ticket-granting system for SSO.

Why this answer

Kerberos is the correct choice because it is a ticket-based authentication protocol that provides single sign-on (SSO) capabilities. It uses a trusted third-party Key Distribution Center (KDC) to issue time-limited tickets, allowing users to authenticate once and access multiple services without re-entering credentials.

Exam trap

The trap here is that candidates often confuse LDAP (a directory protocol) with authentication, or assume SAML's SSO capability uses tickets, when in fact Kerberos is the only option that explicitly uses tickets as its core mechanism.

How to eliminate wrong answers

Option A (LDAP) is wrong because LDAP is a directory access protocol used for querying and modifying directory services, not a ticket-based authentication system; it does not inherently support SSO via tickets. Option C (SAML) is wrong because SAML is an XML-based federated identity standard that uses assertions (not tickets) for SSO across domains, but it relies on browser redirects and does not use a ticket-granting ticket model like Kerberos. Option D (RADIUS) is wrong because RADIUS is a network access protocol for AAA (Authentication, Authorization, Accounting) typically used for dial-up or VPN connections, and it does not provide ticket-based SSO; it uses shared secrets and is not designed for centralized ticket management.

237
MCQhard

A security analyst is reviewing logs and sees an alert for a known malware signature on an endpoint. Upon investigation, the file is identified as a false positive. What should the analyst do next?

A.Create an exception in the detection rule.
B.Quarantine the endpoint anyway.
C.Escalate to management.
D.Delete the alert from the SIEM.
AnswerA

An exception reduces noise and improves detection fidelity for actual threats.

Why this answer

Creating an exception in the detection rule is the correct next step because the file has been confirmed as a false positive. This action prevents the security tool from generating future alerts for the same benign file, reducing noise and allowing the analyst to focus on genuine threats. It is a standard whitelisting practice in endpoint detection and response (EDR) or antivirus systems to maintain operational efficiency without compromising security.

Exam trap

The trap here is that candidates may confuse 'false positive' with 'true positive' and choose to quarantine or escalate, failing to recognize that the correct response is to tune the detection rule to eliminate noise.

How to eliminate wrong answers

Option B is wrong because quarantining a known false positive would disrupt legitimate operations and waste resources, as the file is not malicious. Option C is wrong because escalating a confirmed false positive to management is unnecessary and bypasses the analyst's responsibility to handle routine tuning of detection rules. Option D is wrong because deleting the alert from the SIEM removes forensic evidence and audit trails; instead, the alert should be closed with a reason or suppressed via an exception rule.

238
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address within a short time window. Which control should be implemented to automatically mitigate this behavior?

A.Set session timeout to 15 minutes
B.Implement account lockout policy
C.Enforce complex password policy
D.Require multi-factor authentication
AnswerB

Account lockout disables the account after a set number of failed attempts.

Why this answer

An account lockout policy automatically disables an account after a specified number of failed login attempts within a defined time window, directly mitigating brute-force attacks from a single IP. This control is specifically designed to prevent repeated authentication failures by temporarily or permanently locking the account, stopping further attempts without manual intervention.

Exam trap

ISC2 often tests the distinction between preventive controls (like complex passwords or MFA) and corrective/detective controls (like account lockout), leading candidates to choose MFA because it seems stronger, but the question specifically asks for automatic mitigation of repeated failed attempts, which only lockout directly addresses.

How to eliminate wrong answers

Option A is wrong because setting a session timeout to 15 minutes controls idle session duration, not failed login attempts; it does not prevent repeated authentication failures from a single IP. Option C is wrong because enforcing a complex password policy makes passwords harder to guess but does not automatically stop repeated failed login attempts; it is a preventive control, not a detective or corrective one. Option D is wrong because requiring multi-factor authentication (MFA) adds an additional layer of security but does not automatically mitigate repeated failed login attempts; MFA can still be bypassed if the first factor is guessed, and it does not lock out the account after failures.

239
MCQhard

To determine how malware initially infected a workstation, which artifact would be MOST useful?

A.Windows Event Log showing process creation
B.Prefetch files
C.Windows registry autorun keys
D.Web browser history
AnswerA

Process creation events can reveal the initial executable that ran.

Why this answer

The Windows Event Log showing process creation (Event ID 4688) provides a chronological record of every executable that ran on the system, including the parent process and command-line arguments. This allows an investigator to trace the initial execution of the malware binary, identifying the exact moment and mechanism (e.g., a dropped file, a script launch, or a scheduled task) that triggered the infection. Other artifacts may indicate persistence or lateral movement, but only process creation logs directly capture the first execution event.

Exam trap

The trap here is that candidates often choose web browser history (Option D) because they assume malware always arrives via the internet, but SSCP tests the understanding that process creation logs are the definitive source for identifying the first execution of any binary, regardless of delivery method.

How to eliminate wrong answers

Option B is wrong because Prefetch files (.pf) record application startup times and load patterns to speed up subsequent launches, but they do not capture the initial infection vector (e.g., how the malware was introduced via email, drive-by download, or removable media). Option C is wrong because Windows registry autorun keys (e.g., Run, RunOnce, RunServices) show persistence mechanisms that execute malware after reboot, not the initial infection event that first introduced the malware to the workstation. Option D is wrong because web browser history only shows URLs visited, not the execution of a downloaded file or the triggering of a malicious script; malware can be delivered without any browser interaction (e.g., via network share or USB).

240
MCQmedium

A security analyst needs to ensure that a legacy application running on an unsupported operating system remains secure until it can be replaced. Which strategy provides the most effective risk reduction?

A.Move the application to a sandboxed virtual machine and isolate it from the network.
B.Apply all available security patches from third-party sources.
C.Upgrade the application to the latest version with vendor support.
D.Implement application whitelisting to allow only approved executables.
AnswerA

Sandboxing and network isolation contain the application and reduce exposure.

Why this answer

Option D is correct because isolating the application in a sandboxed virtual machine with network restrictions minimizes the attack surface. Option A is incorrect because application whitelisting does not protect against OS-level vulnerabilities. Option B is incorrect because upgrading the application is not feasible if it runs on an unsupported OS.

Option C is incorrect because third-party patches may introduce instability or conflicts.

241
Drag & Dropmedium

Drag and drop the steps for performing a risk assessment according to NIST SP 800-30 into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Risk assessment steps: characterize system, identify threats, identify vulnerabilities, determine risk, then mitigate.

242
Multi-Selecthard

A network security team is implementing a defense-in-depth strategy. Which three layers should be included? (Choose three.)

Select 3 answers
A.Intrusion Detection System (IDS)
B.Firewall
C.Single sign-on (SSO)
D.Physical security controls
E.Anti-malware at endpoints
AnswersA, B, E

An IDS monitors network traffic for malicious activity, providing a detection layer.

Why this answer

An Intrusion Detection System (IDS) is a key layer in defense-in-depth because it monitors network traffic for suspicious activity and known attack signatures, providing visibility and alerting when perimeter defenses like firewalls are bypassed. It operates by analyzing packets against a rule set (e.g., Snort rules) and generating alerts, enabling a response before damage escalates. This adds a detection layer that complements preventive controls, ensuring that even if an attacker penetrates the outer defenses, the breach is identified.

Exam trap

The trap here is that candidates often mistake Single Sign-On (SSO) for a security layer because it involves authentication, but it is an access management convenience tool, not a defensive control that protects against network or endpoint threats.

243
MCQhard

Refer to the exhibit. A network engineer is configuring a site-to-site VPN. The remote peer is using AES-256 encryption and SHA-1 for integrity. Which configuration parameter is likely misconfigured?

A.Transform-set
B.Pre-shared key
C.Group 5
D.IKE lifetime
AnswerC

Group 5 (DH5) is deprecated; the peer may require a stronger DH group.

Why this answer

The remote peer is using AES-256 encryption and SHA-1 for integrity, which are both supported in an IPsec transform-set. However, the exhibit shows that the local peer is configured with Group 5 (Diffie-Hellman 1536-bit), while the remote peer likely expects a different DH group (e.g., Group 2 or Group 14). DH group mismatch during Phase 1 (IKE) negotiation causes the VPN tunnel to fail, even if encryption and integrity algorithms match.

Exam trap

ISC2 often tests the misconception that transform-set mismatches are the only cause of VPN failures, but the trap here is that DH group mismatch in IKE Phase 1 is a separate, easily overlooked parameter that prevents tunnel establishment even when encryption and integrity algorithms match.

How to eliminate wrong answers

Option A is wrong because the transform-set defines encryption (AES-256) and integrity (SHA-1) algorithms for Phase 2, and both are compatible with the remote peer's settings. Option B is wrong because the pre-shared key is used for authentication in Phase 1; a mismatch would cause authentication failure, not a DH group negotiation error. Option D is wrong because the IKE lifetime (e.g., 86400 seconds) is a timer for rekeying; while mismatched lifetimes can cause rekey issues, they do not prevent initial tunnel establishment as DH group mismatch does.

244
MCQhard

An organization uses attribute-based access control (ABAC) for its cloud storage. The policy states that a user can read a document only if the user’s department attribute matches the document’s department attribute AND the current time is within business hours (9AM-5PM). A user from Engineering tries to read a document classified for Engineering at 8:55 AM. What is the expected result?

A.Access granted because the department matches
B.Access denied because the department does not match
C.Access granted because the user is in Engineering
D.Access denied because the time is outside business hours
AnswerD

8:55 AM is before 9 AM, so the time condition fails.

Why this answer

The ABAC policy requires both conditions to be true: department match AND time within business hours (9AM-5PM). At 8:55 AM, the time condition is false, so access is denied regardless of the department match. This is a classic example of a conjunctive (AND) policy in ABAC where all attributes must satisfy the rules.

Exam trap

The trap here is that candidates focus on the department match and overlook the conjunctive AND logic, assuming a single matching attribute is sufficient for access.

How to eliminate wrong answers

Option A is wrong because it ignores the time condition; ABAC policies with AND require all attributes to match, not just one. Option B is wrong because the department does match (both Engineering), but the denial is due to time, not department mismatch. Option C is wrong because being in Engineering alone does not satisfy the policy; the time attribute must also be within business hours.

245
MCQeasy

A company wants to prevent unauthorized applications from running on employee workstations. Which of the following is the most effective control?

A.User training
B.Regular antivirus updates
C.Host-based intrusion detection system
D.Application whitelisting
AnswerD

Whitelisting blocks unapproved applications from running.

Why this answer

Application whitelisting allows only approved executables to run, effectively preventing unauthorized applications. Host-based intrusion detection can detect but not prevent. Antivirus relies on signatures and may miss unknown malware.

User training is important but not a technical control.

246
Multi-Selecteasy

Which THREE of the following are common methods for identifying risks? (Select three.)

Select 3 answers
A.SWOT analysis
B.Threat modeling
C.Brainstorming sessions
D.Penetration testing
E.Vulnerability scanning
AnswersB, C, E

Systematic approach to identify threats and vulnerabilities.

Why this answer

Threat modeling is a structured approach for identifying risks by analyzing potential threats, vulnerabilities, and attack vectors in a system. It involves creating diagrams, identifying assets, and applying frameworks like STRIDE or PASTA to systematically uncover risks before they are exploited. This makes it a core risk identification method in the SSCP domain.

Exam trap

The trap here is that candidates confuse risk identification methods (like threat modeling and brainstorming) with risk validation or assessment techniques (like penetration testing and vulnerability scanning), leading them to select options D or A instead of the correct set.

247
MCQmedium

A company's disaster recovery plan includes offsite tape backups. During a test, it is discovered that the tapes are stored at a location that shares the same power grid as the primary site. Which risk does this pose?

A.The tapes may degrade over time
B.The tapes may be inaccessible during a power outage
C.The tapes are not encrypted
D.The recovery time may exceed the RTO
AnswerB

If both sites lose power, the tapes cannot be retrieved for recovery.

Why this answer

Option A is correct because a regional power outage could affect both sites, making the tapes inaccessible. Option B is not specific to this risk. Option C is about media degradation, not power.

Option D is about encryption, unrelated.

248
MCQhard

During a security audit, an analyst finds that a server's audit log shows repeated failed login attempts from a single IP, followed by a successful login from the same IP five minutes later. What is the most likely type of attack that occurred?

A.Dictionary attack
B.Man-in-the-middle attack
C.Brute-force attack
D.Replay attack
E.Password spraying attack
AnswerC

Brute-force tries all possible combinations until success, matching the log pattern.

Why this answer

Option D is correct because a brute-force attack involves repeated attempts until success. Option A (replay) requires capturing and reusing credentials; B (man-in-the-middle) intercepts traffic; C (dictionary) uses a list of likely passwords, but the description matches brute-force due to time; E (spray) targets multiple accounts with few passwords.

249
MCQmedium

An administrator reports that a TLS handshake fails between a web server and client. The server supports TLS 1.2 with ciphers ECDHE-RSA-AES128-GCM-SHA256 and RSA-AES256-CBC-SHA256. The client supports only TLS 1.0 with ciphers RSA-RC4-SHA and RSA-AES128-SHA. What is the most likely cause?

A.Cipher suite order misconfiguration
B.Certificate validation failure
C.No common TLS version
D.No common cipher suite
AnswerC

The server supports TLS 1.2 only; client only TLS 1.0.

Why this answer

The TLS handshake fails because the server supports only TLS 1.2, while the client supports only TLS 1.0. During the handshake, the client sends a ClientHello with its highest supported version (1.0), and the server responds with a ServerHello indicating its highest supported version (1.2). Since neither side can downgrade to a mutually supported version, the handshake aborts.

This is a version negotiation failure, not a cipher mismatch.

Exam trap

The trap here is that candidates see different cipher suites and assume a cipher mismatch (Option D), but the real issue is that the TLS versions are incompatible, which is checked before cipher negotiation.

How to eliminate wrong answers

Option A is wrong because cipher suite order misconfiguration would only matter if both sides shared a common TLS version; here, the version mismatch prevents any cipher negotiation from occurring. Option B is wrong because certificate validation failure occurs after the handshake establishes a secure channel, typically during the CertificateVerify or Finished messages, but the handshake fails before that point due to version incompatibility. Option D is wrong because even if the client and server had no common cipher suites, the handshake would still proceed to the ServerHello stage and fail at cipher negotiation, but here the failure is earlier at version negotiation; the client's TLS 1.0 ciphers are irrelevant when the server only offers TLS 1.2.

250
MCQmedium

A company's internal network uses a /24 subnet and has a single firewall connecting to the internet. Employees report that they cannot access an external web server at 203.0.113.50. The firewall has a rule that allows outbound HTTP. What is the most likely cause?

A.The default gateway on the internal hosts is incorrect.
B.NAT is not configured for outbound traffic.
C.DNS resolution is failing for the server name.
D.An ACL is blocking the destination IP.
AnswerB

Internal private IPs must be translated to a public IP for internet access.

Why this answer

The firewall rule allows outbound HTTP, but without NAT configured, the internal hosts' private IP addresses (e.g., 192.168.1.x) are used as source addresses in packets sent to the external web server. The web server at 203.0.113.50 will see these private addresses as the source and attempt to reply to them, but private addresses are not routable on the public internet, so the return traffic never reaches the internal hosts. NAT (specifically source NAT or PAT) translates the private source IP to the firewall's public IP, enabling two-way communication.

Exam trap

The trap here is that candidates often assume a firewall rule allowing outbound HTTP is sufficient, forgetting that NAT is required to translate private source addresses to a routable public IP for return traffic to succeed.

How to eliminate wrong answers

Option A is wrong because an incorrect default gateway would prevent internal hosts from reaching any external destination, not just a specific web server, and the symptom is isolated to one external server. Option C is wrong because DNS resolution failure would manifest as a 'server not found' error when using a hostname, but the question states the external web server is accessed by IP address (203.0.113.50), so DNS is not involved. Option D is wrong because an ACL blocking the destination IP would be configured on the firewall, but the firewall already has a rule allowing outbound HTTP; if an ACL were blocking 203.0.113.50, it would contradict the existing permit rule or be a separate deny rule, but the most common and likely cause in a scenario with a single firewall and no mention of ACLs is the lack of NAT.

251
MCQeasy

Which of the following is the primary purpose of a security awareness program?

A.To teach employees about security best practices and reduce human error.
B.To evaluate the effectiveness of security technologies.
C.To enforce security policies through penalties.
D.To train employees on advanced technical security skills.
AnswerA

This is the core purpose of awareness programs.

Why this answer

The primary purpose of a security awareness program is to educate employees on security best practices and reduce human error, which is the leading cause of security incidents. Unlike technical controls, awareness programs target the human element by teaching users to recognize phishing attempts, handle sensitive data properly, and follow secure behaviors. This aligns with the NIST SP 800-50 framework, which defines awareness as a foundational component of an organizational security posture.

Exam trap

ISC2 often tests the distinction between 'awareness' (general, non-technical education for all users) and 'training' (in-depth, role-specific technical instruction), so candidates mistakenly choose D when they confuse the scope of awareness programs with advanced technical training.

How to eliminate wrong answers

Option B is wrong because evaluating the effectiveness of security technologies is the purpose of security testing and assessment (e.g., vulnerability scanning, penetration testing), not a security awareness program. Option C is wrong because enforcing security policies through penalties is a function of policy enforcement and disciplinary procedures, not the primary goal of awareness, which is education and behavior change. Option D is wrong because training employees on advanced technical security skills is the domain of specialized technical training (e.g., for IT staff), whereas awareness programs target all employees with general, non-technical knowledge.

252
Multi-Selecthard

Which THREE are security implications of using deprecated cryptographic protocols such as SSL 3.0 and TLS 1.0?

Select 3 answers
A.Susceptibility to downgrade attacks
B.Increased computational overhead
C.Compliance with regulations
D.Weak key exchange
E.Interoperability issues with modern systems
AnswersA, D, E

Attackers can force the use of weaker protocols.

Why this answer

Option A is correct because deprecated protocols like SSL 3.0 and TLS 1.0 are vulnerable to downgrade attacks, such as the POODLE attack (CVE-2014-3566). In a downgrade attack, an active man-in-the-middle forces the client and server to negotiate a weaker, deprecated protocol version, bypassing stronger security. This allows the attacker to exploit known weaknesses in the older protocol, such as padding oracle vulnerabilities in SSL 3.0.

Exam trap

ISC2 often tests the misconception that deprecated protocols are 'still secure enough' or that their only downside is performance overhead, but the real trap is that candidates confuse 'interoperability issues' (which are a practical concern) with 'security implications' (which are the core focus of the question).

253
MCQeasy

A company uses digital signatures to ensure the integrity and non-repudiation of internal contracts. The private key used for signing is stored in a hardware security module (HSM). A junior administrator asks why the HSM is necessary. What is the primary reason?

A.It reduces network latency during signing.
B.It enables symmetric key exchange for large files.
C.It allows the signing process to be faster.
D.It provides non-repudiation by protecting the private key.
AnswerD

Protecting the private key in a tamper-resistant device ensures that only the authorized user can sign, providing non-repudiation.

Why this answer

The primary reason for using an HSM is to protect the private key from unauthorized access or extraction. Non-repudiation relies on the assurance that only the legitimate signer could have used the private key; if the key is compromised, that assurance is lost. The HSM provides a tamper-resistant environment that performs signing operations internally, ensuring the private key never leaves the secure hardware.

Exam trap

The trap here is that candidates may think an HSM is used for performance or key exchange, but the SSCP exam emphasizes that its core purpose is to safeguard the private key to maintain non-repudiation and integrity.

How to eliminate wrong answers

Option A is wrong because an HSM does not reduce network latency; in fact, it may add slight latency due to hardware communication overhead. Option B is wrong because HSMs are used for asymmetric key operations (signing/encryption), not symmetric key exchange; symmetric keys are typically exchanged using asymmetric methods like Diffie-Hellman or RSA. Option C is wrong because HSMs are not primarily designed for speed; software-based signing can be faster, but HSMs prioritize security over raw performance.

254
MCQmedium

After a security incident, the CSIRT is conducting lessons learned. Which output is most directly used to update the risk management process?

A.Updated incident response plan.
B.Risk register updates.
C.Corrective actions.
D.Forensic report.
AnswerB

New threats or control failures from the incident should be documented in the risk register to inform future risk assessments.

Why this answer

The risk management process is directly updated by incorporating new risk information derived from incident analysis. Risk register updates (option B) capture newly identified risks, changes in risk likelihood or impact, and the effectiveness of existing controls, which are the primary outputs that feed back into risk treatment decisions.

Exam trap

The trap here is that candidates confuse operational outputs (corrective actions, updated IR plans) with the formal risk management artifact (risk register) that directly influences risk acceptance, mitigation, or transfer decisions.

How to eliminate wrong answers

Option A is wrong because updating the incident response plan is a corrective action to improve future response, not a direct input to the risk management process; the plan itself does not modify risk registers or risk assessments. Option C is wrong because corrective actions address specific incident root causes and may reduce risk, but they are operational fixes, not the formal risk documentation updates that directly feed the risk management process. Option D is wrong because a forensic report documents evidence and findings for legal or investigative purposes, but it does not directly update risk registers or risk treatment plans unless its findings are abstracted into risk entries.

255
MCQmedium

Based on the exhibit, which security threat is likely being attempted?

A.DNS poisoning
B.Man-in-the-middle attack
C.Brute-force attack
D.SQL injection
AnswerC

Multiple failed password attempts from a single source in a short time frame is characteristic of a brute-force attack.

Why this answer

The exhibit shows a large number of failed login attempts (e.g., 'Login failed' or 'Authentication error') from a single source IP within a short time window, which is the classic signature of a brute-force attack. This attack systematically tries multiple username/password combinations to gain unauthorized access, and the repeated failure messages in the logs confirm the attempt.

Exam trap

ISC2 often tests the distinction between brute-force attacks and other threats by embedding subtle clues like 'multiple failed logins' in logs, which candidates may misinterpret as a man-in-the-middle attack due to the presence of authentication errors, but the key is the volume and repetition of failures.

How to eliminate wrong answers

Option A is wrong because DNS poisoning involves corrupting DNS resolver caches with false IP mappings, which would show DNS query anomalies or spoofed responses, not repeated login failures. Option B is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, typically indicated by ARP spoofing, SSL certificate mismatches, or unusual traffic patterns, not a flood of authentication failures. Option D is wrong because SQL injection exploits input validation flaws to execute arbitrary SQL commands, which would manifest as database error messages or unexpected query results, not repeated login attempts.

256
Multi-Selectmedium

Which TWO of the following are symmetric encryption algorithms? (Select exactly two.)

Select 2 answers
A.DES
B.AES
C.RSA
D.ECC
E.SHA-256
AnswersA, B

DES is a symmetric cipher.

Why this answer

DES (Data Encryption Standard) is a symmetric encryption algorithm that uses a single key for both encryption and decryption. It operates on 64-bit blocks with a 56-bit key, and while now considered insecure due to its small key size, it remains a foundational symmetric cipher. AES (Advanced Encryption Standard) is also symmetric, using block sizes of 128 bits and key sizes of 128, 192, or 256 bits, and is the current standard for symmetric encryption.

Exam trap

ISC2 often tests the distinction between symmetric and asymmetric algorithms, and the trap here is that candidates may confuse RSA or ECC (both asymmetric) with symmetric ciphers, or mistakenly think SHA-256 is an encryption algorithm because it is used in security contexts.

257
MCQeasy

A small business wants to identify vulnerabilities in its network. Which type of scan should they perform first to get an overview?

A.Vulnerability scan.
B.Stealth scan.
C.Full port scan.
D.Ping sweep.
AnswerD

A ping sweep quickly identifies which IP addresses are active, providing a starting point.

Why this answer

A ping sweep (ICMP Echo Request) is the correct first step because it quickly identifies which hosts are alive on the network, providing a baseline of active IP addresses. This overview allows the business to scope the subsequent vulnerability scan to only live targets, reducing noise and scan time. Without a ping sweep, a full port or vulnerability scan would waste resources scanning dead or unresponsive hosts.

Exam trap

The trap here is that candidates often confuse 'vulnerability scan' (a deep assessment of known weaknesses) with 'host discovery' (a lightweight enumeration of live systems), leading them to select Option A as the first step instead of the correct ping sweep.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan is a deeper, more resource-intensive assessment that should be performed after identifying live hosts; starting with it would waste time and bandwidth scanning non-responsive IPs. Option B is wrong because a stealth scan (e.g., SYN scan) is a port scanning technique that attempts to evade detection, not a host-discovery method; it is inappropriate for an initial overview and may trigger IDS/IPS alerts unnecessarily. Option C is wrong because a full port scan (e.g., scanning all 65,535 TCP ports) is exhaustive and time-consuming, and should only be run against known live hosts to avoid excessive network traffic and false positives from dead targets.

258
MCQmedium

A security team discovers that a legacy system uses ECB mode to encrypt credit card numbers. What is the primary security concern with this mode?

A.Identical plaintext blocks produce identical ciphertext, revealing patterns
B.It is slow compared to other modes
C.It is vulnerable to padding oracle attacks
D.It does not provide integrity
AnswerA

This is the classic weakness of ECB.

Why this answer

ECB (Electronic Codebook) mode encrypts each plaintext block independently using the same key. This means identical plaintext blocks produce identical ciphertext blocks, which allows an attacker to detect patterns, data boundaries, and repetitions in the encrypted data. For credit card numbers, which often have predictable formats (e.g., BIN ranges, fixed lengths), this pattern leakage can reveal sensitive information without breaking the encryption key.

Exam trap

The trap here is that candidates often confuse ECB's lack of diffusion with performance issues or integrity flaws, but Cisco specifically tests whether you recognize that ECB's deterministic block mapping is its fundamental weakness, not speed or padding vulnerabilities.

How to eliminate wrong answers

Option B is wrong because ECB is actually one of the fastest modes—it processes blocks in parallel with no chaining overhead, so slowness is not a valid concern. Option C is wrong because padding oracle attacks exploit CBC mode (or other modes using PKCS#7 padding), not ECB; ECB does not use an initialization vector or chaining, so padding oracle attacks are not applicable. Option D is wrong because ECB does not inherently provide integrity, but that is not its primary security concern—the core issue is pattern leakage from deterministic encryption; integrity is a separate property typically addressed by MACs or authenticated encryption modes like GCM.

259
MCQhard

A company uses a federated identity system where partner employees access internal applications via SAML assertions. Recently, a partner employee who should have been terminated was still able to log in. Which missing control is the most likely root cause?

A.Just-in-time provisioning
B.Identity proofing
C.Session timeout
D.Single sign-on logout
AnswerA

JIT provisioning ensures accounts are created only when needed and removed when no longer necessary; missing this control leads to orphaned accounts.

Why this answer

Just-in-time (JIT) provisioning is the missing control because it ensures that user accounts are created and, more critically, disabled or removed in real-time based on the identity provider's (IdP) authoritative directory. Without JIT provisioning, the partner employee's account in the service provider (SP) remains active even after termination in the IdP, allowing continued access via valid SAML assertions. JIT provisioning would synchronize the account lifecycle by checking the IdP's user status at each authentication attempt and disabling the local account when the user is deactivated.

Exam trap

The trap here is that candidates confuse session management (session timeout or SSO logout) with account lifecycle management, assuming that ending a session or requiring re-authentication would prevent a terminated user from logging in again, when in fact the underlying account remains active in the SP.

How to eliminate wrong answers

Option B is wrong because identity proofing is the process of verifying a user's claimed identity during initial registration, which is unrelated to the ongoing lifecycle management of an existing user who should have been terminated. Option C is wrong because session timeout controls the duration of an active session after login, but it does not prevent a terminated user from initiating a new login session with a valid SAML assertion. Option D is wrong because single sign-on logout only terminates the current session across federated applications; it does not prevent a terminated user from authenticating again with a new SAML assertion if their account is still active in the SP.

260
MCQhard

During an audit, it is discovered that a contractor’s account has read access to a financial database even though the contractor’s project ended six months ago. Which type of access control failure is this?

A.Inadequate authorization
B.Insufficient authentication
C.Weak password policy
D.Poor account management
AnswerD

Accounts must be disabled when no longer needed.

Why this answer

The correct answer is D because the contractor's account retained access privileges after the project ended, which is a failure of the account lifecycle management process. Proper account management requires disabling or removing accounts when a user's role or affiliation changes, such as when a contract terminates. This is not an authorization or authentication issue, as the access was originally granted correctly but was not revoked in a timely manner.

Exam trap

The trap here is that candidates confuse 'inadequate authorization' (which is about granting excessive permissions) with 'poor account management' (which is about failing to revoke access when it is no longer needed), even though the original authorization was correct.

How to eliminate wrong answers

Option A is wrong because inadequate authorization refers to granting permissions that are too broad or inappropriate for a role, whereas here the access was appropriate during the project but not revoked afterward. Option B is wrong because insufficient authentication deals with verifying identity (e.g., weak MFA or passwordless login), not with the ongoing validity of an account after its purpose ends. Option C is wrong because a weak password policy concerns password complexity, length, or rotation rules, not the failure to deprovision an account after a project concludes.

261
MCQeasy

A company needs to encrypt large volumes of data at rest on a file server. Which type of cryptography is most appropriate for this task?

A.Asymmetric encryption
B.Public Key Infrastructure (PKI)
C.Symmetric encryption
D.Hash function
AnswerC

Symmetric encryption is fast and suitable for bulk data.

Why this answer

Symmetric encryption uses a single shared key for both encryption and decryption, making it significantly faster and more efficient than asymmetric encryption for bulk data encryption. For large volumes of data at rest on a file server, symmetric algorithms like AES-256 provide the necessary performance and security, as they are designed to handle high-throughput encryption with minimal computational overhead.

Exam trap

The trap here is that candidates confuse the role of asymmetric encryption (used for key exchange or small data) with bulk encryption, or mistakenly think PKI is an encryption method rather than a management framework, leading them to choose options that are technically valid in other contexts but inappropriate for large-scale data-at-rest encryption.

How to eliminate wrong answers

Option A is wrong because asymmetric encryption (e.g., RSA, ECC) is computationally intensive and orders of magnitude slower than symmetric encryption, making it impractical for encrypting large volumes of data at rest; it is typically used for key exchange or digital signatures. Option B is wrong because Public Key Infrastructure (PKI) is a framework for managing digital certificates and public keys, not an encryption algorithm itself; it supports asymmetric operations but does not directly encrypt bulk data. Option D is wrong because a hash function (e.g., SHA-256) is a one-way function that produces a fixed-size digest and is not reversible, so it cannot be used for encryption or decryption of data at rest.

262
MCQeasy

Which access control model is best suited for a military environment where data classification (Unclassified, Confidential, Secret, Top Secret) and subject clearance levels are the primary factors for access decisions?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerB

MAC uses labels and clearance levels to enforce access, making it ideal for military and classified environments.

Why this answer

Mandatory Access Control (MAC) enforces access based on labels (classification and clearance) and is used in military and government settings. Option B is correct. Option A (DAC) allows owners to set permissions, which is unsuitable for classified environments.

Option C (RBAC) uses roles, not classification levels. Option D (ABAC) is flexible but not the traditional model for military-grade security.

263
MCQeasy

A help desk technician needs to reset a user's password but should not be able to modify other user attributes. Which access control principle should be applied to enforce this restriction?

A.Need-to-know
B.Least privilege
C.Separation of duties
D.Mandatory access control
AnswerB

Least privilege grants only the minimal permissions required to perform a job, which directly applies to restricting the technician to password reset only.

Why this answer

Least privilege ensures that a user or process is granted only the minimum permissions necessary to perform their job function. In this scenario, the help desk technician needs the ability to reset passwords but must be restricted from modifying other user attributes, such as group membership or account expiration. By applying least privilege, the technician's account is assigned a role or permission set that specifically allows password reset operations (e.g., via Active Directory delegated permissions or a custom RBAC role) while explicitly denying write access to other user object properties.

Exam trap

ISC2 often tests least privilege by presenting a scenario where a user needs a specific action (like password reset) and candidates confuse it with separation of duties, which focuses on splitting tasks across multiple people rather than limiting the scope of a single user's permissions.

How to eliminate wrong answers

Option A is wrong because need-to-know is a confidentiality principle that restricts access to data based on the user's requirement to know that information to perform their duties, not a mechanism for limiting modification permissions on specific attributes. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error (e.g., one person requests a password reset and another approves it), but it does not directly limit the scope of permissions for a single technician. Option D is wrong because mandatory access control (MAC) enforces system-wide policies based on labels and clearances (e.g., Bell-LaPadula model), which is too rigid and not designed for granular attribute-level restrictions within a single user object.

264
MCQmedium

A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?

A.RSA
B.Diffie-Hellman
C.AES
D.SHA-256
AnswerC

AES is symmetric, fast, and suitable for link-layer encryption.

Why this answer

AES (Advanced Encryption Standard) is the most appropriate choice for link-layer encryption in high-speed networks because it is a symmetric block cipher designed for efficient hardware and software implementation, offering high throughput with low latency. Unlike asymmetric algorithms, AES operates with a single shared key, making it ideal for encrypting bulk data at the data link layer where speed and minimal overhead are critical.

Exam trap

The trap here is that candidates confuse encryption algorithms with key exchange or hashing functions, mistakenly choosing RSA or Diffie-Hellman for bulk encryption, or SHA-256 for confidentiality, when symmetric ciphers like AES are the correct choice for high-speed link-layer encryption.

How to eliminate wrong answers

Option A is wrong because RSA is an asymmetric encryption algorithm used primarily for key exchange and digital signatures, not for bulk data encryption; its computational overhead makes it unsuitable for high-speed link-layer encryption. Option B is wrong because Diffie-Hellman is a key exchange protocol, not an encryption algorithm; it establishes a shared secret but does not encrypt data itself. Option D is wrong because SHA-256 is a cryptographic hash function, not an encryption algorithm; it provides integrity and authentication but cannot encrypt or decrypt data.

265
MCQhard

During a security incident, the IR team discovers that an attacker used a valid user account to access sensitive data. The account had multifactor authentication (MFA) enabled. Which attack technique most likely bypassed the MFA?

A.Session hijacking
B.MFA fatigue attack
C.Man-in-the-middle (MITM) attack
D.Token theft from the endpoint
AnswerB

The attacker spams MFA requests until the user approves.

Why this answer

MFA fatigue attacks exploit user behavior by bombarding the victim with repeated push notifications until they inadvertently approve an authentication request. Since the attacker already has the valid credentials, they trigger the MFA prompt repeatedly, and the user eventually accepts, granting the attacker access without needing to compromise the MFA mechanism itself.

Exam trap

ISC2 often tests the distinction between technical bypasses (e.g., token theft, MITM) and social/behavioral bypasses (e.g., MFA fatigue), leading candidates to overcomplicate the attack when the simplest explanation—user error under pressure—is correct.

How to eliminate wrong answers

Option A is wrong because session hijacking steals an already-authenticated session token (e.g., via XSS or packet sniffing) and does not involve bypassing MFA at the authentication step; the MFA was already satisfied when the session was created. Option C is wrong because a man-in-the-middle attack intercepts credentials or tokens in transit (e.g., using a rogue access point or SSL stripping) but does not directly cause the user to approve an MFA prompt; it typically targets the authentication handshake, not the user's approval behavior. Option D is wrong because token theft from the endpoint requires physical or remote access to steal a stored OATH token or session cookie, which bypasses MFA by stealing the post-authentication artifact, not by tricking the user into approving a live MFA request.

266
MCQmedium

Refer to the exhibit. A security analyst reviews this AWS IAM policy and notices that delete operations on objects in the corporate-bucket are being denied unexpectedly. What is the most likely issue?

A.The Deny statement requires objects to be encrypted with AES256 for delete operations
B.The Allow statement is being overridden by the Deny, but the cause is the encryption requirement
C.The condition on the Deny statement is not matching any objects
D.The policy has a syntax error in the Condition element
AnswerA

The Deny uses a condition that denies delete if the object is NOT encrypted with AES256, effectively requiring encryption for deletion.

Why this answer

Option A is correct because the Deny statement includes a condition that requires objects to be encrypted with AES256 for all operations, including delete. Since the condition is not limited to specific actions, any delete request on an object that is not encrypted with AES256 will be denied, even if the Allow statement grants s3:DeleteObject permissions. This is a common misconfiguration where encryption requirements inadvertently block operations that do not involve encryption checks.

Exam trap

ISC2 often tests the nuance that a Deny statement with a condition can block operations that are not logically related to the condition (like delete being blocked by an encryption requirement), causing candidates to overlook that the condition applies to all actions in the Deny statement.

How to eliminate wrong answers

Option B is wrong because the Deny statement does not override the Allow statement due to encryption requirement; rather, the Deny explicitly denies all actions when the condition (encryption not AES256) is met, which is a valid policy evaluation. Option C is wrong because the condition on the Deny statement is matching objects that are not encrypted with AES256, which is the intended behavior; if it were not matching, the Deny would not apply and delete operations would succeed. Option D is wrong because the policy does not have a syntax error in the Condition element; the condition 'StringNotEquals' with 's3:x-amz-server-side-encryption' is syntactically correct and commonly used.

267
MCQmedium

A security administrator notices that a critical server's event log shows repeated failed login attempts from an internal IP address that normally does not generate any traffic. The administrator immediately blocks the IP at the firewall and resets the account password. However, the incident response team later determines that the attacker had already gained access to the server. What is the MOST likely reason the administrator's actions were insufficient?

A.The administrator did not preserve the log evidence for forensic analysis.
B.The administrator neglected to perform a full system scan for malware.
C.The administrator did not isolate the server from the network.
D.The administrator failed to notify the data owner about the incident.
AnswerC

Isolation prevents further access and contains the threat.

Why this answer

Option B is correct because isolating the server would have prevented further access by the attacker and preserved evidence. Option A is wrong because preserving logs is important but not the primary reason the actions were insufficient. Option C is wrong because a full system scan is a later step after containment.

Option D is wrong because notifying the data owner is an administrative step that does not directly address the security breach.

268
MCQmedium

Refer to the exhibit. What is the purpose of the 'group 14' parameter in the IKEv2 proposal?

A.Defines the integrity checking method
B.Specifies the encryption algorithm
C.Sets the Diffie-Hellman group for key exchange
D.Indicates the authentication method
AnswerC

Group 14 is a 2048-bit Diffie-Hellman group used for key exchange.

Why this answer

In IKEv2 proposals, the 'group 14' parameter specifies the Diffie-Hellman (DH) group used for the key exchange process. DH group 14 corresponds to a 2048-bit modular exponentiation group, which provides the cryptographic strength for establishing a shared secret over an insecure channel. This is distinct from encryption, integrity, or authentication parameters.

Exam trap

The trap here is that candidates often confuse 'group' with an integrity or encryption algorithm because Cisco IOS uses the 'group' keyword in other contexts (e.g., OSPF), but in IKE proposals it specifically refers to the Diffie-Hellman group for key exchange.

How to eliminate wrong answers

Option A is wrong because integrity checking methods in IKEv2 are defined by the integrity algorithm (e.g., HMAC-SHA256), not by the DH group parameter. Option B is wrong because the encryption algorithm (e.g., AES-256) is specified by a separate 'encr' parameter in the IKEv2 proposal, not by 'group 14'. Option D is wrong because authentication methods (e.g., pre-shared keys, certificates) are configured independently, often under an 'authentication' or 'auth' parameter, and are not related to DH group selection.

269
MCQeasy

A security analyst receives an alert indicating a large number of failed login attempts from a single IP. The analyst blocks the IP. What should be done next?

A.Report to management
B.Update the firewall rules
C.Conduct a thorough investigation
D.Monitor for recurrence
AnswerC

Investigation is critical to understand if the attack was successful and if other systems are affected.

Why this answer

Option C is correct because blocking an IP address is an immediate containment action, but it does not confirm the root cause or scope of the incident. A thorough investigation is required to determine whether the failed logins were part of a brute-force attack, credential stuffing, or a misconfigured service, and to check for indicators of compromise (IoCs) such as successful logins from the same IP or lateral movement. Without investigation, the analyst risks missing a broader breach or violating incident response procedures like those outlined in NIST SP 800-61.

Exam trap

The trap here is that candidates assume blocking the IP is the final step, confusing containment with resolution, and overlook the mandatory investigation phase required by incident response frameworks like NIST SP 800-61 or SANS PICERL.

How to eliminate wrong answers

Option A is wrong because reporting to management is a step that typically occurs after the incident is fully analyzed and documented, not immediately after a containment action; premature reporting can lead to incomplete or misleading information. Option B is wrong because updating firewall rules is redundant if the IP was already blocked (likely via a firewall or IPS rule), and the priority is to investigate the incident rather than modify rules without understanding the attack vector. Option D is wrong because monitoring for recurrence is a passive step that should follow investigation and remediation; without understanding the cause, monitoring alone cannot prevent the same attack from succeeding via a different IP or method.

270
Multi-Selecthard

Which THREE of the following are common types of network attacks?

Select 3 answers
A.ARP spoofing
B.SYN flood
C.Pharming
D.DNS poisoning
E.SQL injection
AnswersA, B, D

An attack on the local network to intercept traffic.

Why this answer

ARP spoofing is a network attack where an attacker sends falsified Address Resolution Protocol (ARP) messages onto a local area network. This links the attacker's MAC address with the IP address of a legitimate host, enabling interception, modification, or blocking of traffic intended for that host. It is a classic Layer 2 attack that exploits the lack of authentication in ARP.

Exam trap

ISC2 often tests the distinction between network-layer attacks (like ARP spoofing, SYN flood, DNS poisoning) and application-layer attacks (like SQL injection), causing candidates to mistakenly classify SQL injection as a network attack because it involves network traffic.

271
MCQmedium

Refer to the exhibit. A security analyst reviews a Windows Security event log entry showing multiple logon failures for user 'admin' from IP 10.0.0.100 within 5 minutes. What type of attack is most likely occurring?

A.Brute force attack
B.Kerberos ticket replay
C.Pass-the-hash attack
D.Privilege escalation
AnswerA

Repeated logon attempts suggest brute force.

Why this answer

Multiple logon failures from a single IP indicate a brute force attack. Pass-the-hash uses captured hashes, not repeated failures. Kerberos ticket replay is different.

Privilege escalation is not indicated.

272
MCQmedium

A network engineer is troubleshooting a site-to-site VPN that is failing to establish. The pre-shared key is correct and both sides use IKEv2. The VPN logs show 'no proposal chosen'. What is the most likely cause?

A.Firewall blocking UDP port 500
B.Incorrect peer IP address
C.Mismatched encryption algorithms
D.Expired certificates
AnswerC

IKE negotiations require matching proposals; a mismatch in encryption, integrity, or DH group causes 'no proposal chosen'.

Why this answer

The 'no proposal chosen' error in IKEv2 indicates that the two VPN peers cannot agree on a common set of security parameters during the IKE_SA_INIT exchange. Since the pre-shared key is correct and both sides use IKEv2, the most likely cause is a mismatch in the encryption algorithms (e.g., AES-256 vs. AES-128), hash algorithms (e.g., SHA-256 vs.

SHA-1), or Diffie-Hellman groups (e.g., group 14 vs. group 2). This prevents the IKE security association from being established.

Exam trap

ISC2 often tests the distinction between 'no proposal chosen' (which points to a cryptographic parameter mismatch) and 'no response' or 'timeout' (which points to connectivity or firewall issues), leading candidates to incorrectly select firewall blocking when the error message clearly indicates a proposal negotiation failure.

How to eliminate wrong answers

Option A is wrong because a firewall blocking UDP port 500 would typically result in a timeout or 'no response' error, not a specific 'no proposal chosen' message, as the packets would not reach the peer. Option B is wrong because an incorrect peer IP address would cause a connection timeout or 'no route to host' error, as the packets would be sent to the wrong destination, not a proposal mismatch. Option D is wrong because expired certificates are not relevant in a pre-shared key (PSK) authentication scenario with IKEv2; certificate issues would generate authentication failures, not proposal mismatches.

273
MCQeasy

A university's IT department manages a network used by students and faculty. The security team notices an unusual increase in outbound traffic from the student dormitory network during late hours. Upon investigation, they discover that several student laptops are infected with malware that is attempting to connect to external command-and-control (C2) servers. The team needs to contain the incident quickly while minimizing impact on legitimate users. Which of the following is the BEST immediate containment measure?

A.Shut down the entire dormitory network
B.Disconnect the infected laptops from the network and take them offline for remediation
C.Block all outbound traffic from the dormitory subnet
D.Update the antivirus definitions on the infected laptops
AnswerB

This isolates the threat specifically, preserving network functionality for others.

Why this answer

Isolating the infected devices from the network stops the C2 communication and prevents further spread, while allowing other users to continue working. Option A may block all students; C is disruptive to everyone; D does not stop communication.

274
Multi-Selectmedium

Which TWO of the following are effective methods for monitoring risk in real-time?

Select 2 answers
A.User access reviews
B.Security information and event management (SIEM) systems
C.Quarterly vulnerability scanning
D.Annual penetration testing
E.Intrusion detection systems (IDS)
AnswersB, E

SIEM collects and analyzes logs in real-time.

Why this answer

Security information and event management (SIEM) systems aggregate and correlate logs from multiple sources in real-time, enabling immediate detection and response to security incidents. They provide continuous monitoring and alerting, which is essential for real-time risk management.

Exam trap

The trap here is that candidates confuse periodic review activities (like access reviews or vulnerability scans) with real-time monitoring, failing to recognize that only SIEM and IDS provide continuous, automated analysis of live data.

275
MCQhard

A medium-sized e-commerce company uses a SIEM with correlation rules. During peak sales hours, the SIEM generates an alert: multiple failed login attempts from internal IP 172.16.10.50 followed by a successful login to a critical database server. The account used is 'dbadmin', which normally only authenticates from the IT department subnet. The user 'dbadmin' reports that they had to try several passwords because they forgot theirs earlier. The incident responder is under pressure to quickly restore normal operations. Which course of action should the responder take?

A.Block the user's account immediately to prevent any further access.
B.Reset the user's password and enable multi-factor authentication (MFA).
C.Dismiss the alert as a false positive since the user explained the failed attempts.
D.Investigate the user's recent activity, check for abnormal logins, and look for lateral movement from the source IP.
AnswerD

Thorough investigation is warranted given the anomalous source IP and the critical nature of the target.

Why this answer

Given the alert details and the user's explanation, the responder should investigate further for signs of lateral movement or compromise. Dismissing (A) ignores potential credential stuffing. Resetting password and enabling MFA (B) is good but may not detect ongoing malicious activity.

Blocking the account (D) could be too disruptive if it's a false positive. Investigating (C) allows confirmation and containment if needed.

276
MCQeasy

Based on the exhibit, what type of attack is most likely occurring?

A.Brute-force attack
B.Pass-the-hash attack
C.Dictionary attack
D.Password spraying attack
AnswerD

Password spraying attempts one or a few common passwords across many accounts, matching the pattern.

Why this answer

The exhibit shows a single username being targeted with multiple passwords from a list, which is characteristic of a dictionary attack. However, the correct answer is password spraying attack because the scenario likely involves trying a single common password against many usernames, not many passwords against one user. In password spraying, the attacker uses a small set of common passwords across many accounts to avoid account lockout thresholds, which matches the exhibit's pattern of low-and-slow attempts.

Exam trap

The trap here is confusing dictionary attacks (many passwords, one user) with password spraying (one password, many users), as both use a wordlist but differ in the attack vector and lockout avoidance strategy.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries all possible character combinations systematically, not a curated list of likely passwords, and would generate far more attempts than shown. Option B is wrong because a pass-the-hash attack uses captured NTLM or Kerberos hashes to authenticate without knowing the plaintext password, which is unrelated to trying passwords from a list. Option C is wrong because a dictionary attack focuses on many passwords against a single username, whereas the exhibit shows a single password attempt across multiple usernames, which is the hallmark of password spraying.

277
MCQhard

A security analyst reviews a firewall log showing an internal IP attempting outbound connections to multiple external IPs on port 443. The analyst suspects command and control. Which additional data source would be MOST useful for confirmation?

A.NetFlow data
B.System event logs
C.DNS logs
D.Antivirus logs
AnswerC

DNS logs can show domain resolutions, often used by C2 to obfuscate IPs.

Why this answer

DNS logs are the most useful additional data source because C2 traffic often uses domain generation algorithms (DGAs) or connects to known malicious domains. By correlating the outbound connections on port 443 with DNS queries, the analyst can identify suspicious domain lookups that precede the connections, revealing the C2 infrastructure. Unlike NetFlow or system logs, DNS logs directly show the domain names being resolved, which is a key indicator of C2 activity.

Exam trap

The trap here is that candidates often choose NetFlow data (Option A) because it shows traffic flows, but they overlook that DNS logs directly reveal the domain names being resolved, which is critical for identifying C2 domains that may not appear in NetFlow's IP-only view.

How to eliminate wrong answers

Option A is wrong because NetFlow data provides metadata about traffic flows (source/destination IPs, ports, and volume) but does not include the domain names or DNS queries, making it less effective for identifying C2 domains. Option B is wrong because system event logs record local OS events (e.g., process creation, logins) and do not directly capture network-level DNS queries or outbound connection destinations. Option D is wrong because antivirus logs focus on file-based malware detections and may miss network-only C2 activity, especially if the malware is fileless or uses encrypted channels.

278
MCQhard

You are the security administrator for a mid-sized financial services company. The company uses Active Directory (AD) for identity management and has implemented role-based access control (RBAC) for its core banking application. Recently, the company acquired a smaller firm and is integrating its employees into AD. During the integration, you notice that many of the new employees have been assigned multiple roles that grant them access to sensitive financial data, despite their job descriptions indicating they need only limited access. Additionally, some users who left the acquired company have not been disabled in AD. The company's security policy mandates the principle of least privilege and requires that access reviews be conducted quarterly, but no review has been performed in the past year. You have been tasked with remediating these issues. Which of the following approaches is the MOST effective initial step to address the immediate risk of excessive access?

A.Conduct a comprehensive access recertification review for all users in the acquired company.
B.Implement multifactor authentication (MFA) for all users in the acquired company.
C.Roll back all user permissions to the default role and then re-add each user based on their job function.
D.Immediately disable all user accounts from the acquired company that have not been logged in within the last 90 days.
AnswerD

This quickly removes dormant accounts that may have excessive privileges.

Why this answer

Option D is the most effective initial step because it immediately reduces the attack surface by disabling accounts that are likely orphaned (no login in 90 days), directly addressing the immediate risk of excessive access from former employees. This aligns with the principle of least privilege and is a quick, high-impact remediation that can be performed before a full access review or recertification.

Exam trap

The trap here is that candidates often choose a comprehensive review (Option A) as the 'best practice' without recognizing that immediate risk mitigation (disabling orphaned accounts) must precede a full recertification to prevent further exposure during the review process.

How to eliminate wrong answers

Option A is wrong because conducting a comprehensive access recertification review is a longer-term process that does not address the immediate risk of orphaned accounts or excessive permissions; it should follow initial containment. Option B is wrong because implementing MFA strengthens authentication but does not reduce excessive access or remove orphaned accounts; it addresses a different risk (unauthorized access via compromised credentials) rather than the immediate risk of already-assigned excessive permissions. Option C is wrong because rolling back all user permissions to a default role and re-adding them is disruptive, time-consuming, and may cause business interruption; it also assumes a clean baseline that may not exist and does not prioritize the highest-risk accounts (orphaned ones) first.

279
Multi-Selectmedium

Which TWO are valid reasons to revoke a user's access? (Choose two.)

Select 2 answers
A.User is terminated
B.User changes job roles
C.User password expires
D.User completes quarterly training
E.User updates personal information
AnswersA, B

Termination requires immediate revocation of all access.

Why this answer

Option A is correct because when a user is terminated, their access must be immediately revoked to prevent unauthorized access to systems and data. This is a fundamental principle of access control, ensuring that former employees cannot exploit their credentials. Revocation typically involves disabling the user account, removing group memberships, and invalidating any active sessions or tokens.

Exam trap

The trap here is that candidates confuse password expiration (a temporary lockout that can be resolved) with revocation (a permanent or indefinite removal of access rights), and they may think that completing training or updating personal info could justify revocation, but these are normal user lifecycle events that do not indicate a security risk.

280
Multi-Selecthard

Which three statements are true regarding mandatory access control (MAC) systems? (Select THREE)

Select 3 answers
A.Multilevel security is enforced
B.Subjects have clearance levels
C.Access decisions are based on security labels
D.The owner of an object can change its security label
E.Users can grant permissions to other users
AnswersA, B, C

MAC systems are designed to enforce multilevel security, allowing information at different classifications to be processed on the same system.

Why this answer

Mandatory Access Control (MAC) enforces system-wide policy based on security labels assigned to subjects and objects. Multilevel security (MLS) is a core MAC property where data at different classification levels (e.g., Secret, Top Secret) is isolated and access is governed by the system, not users. Subjects (users/processes) are assigned clearance levels, and objects have security labels; access decisions compare these labels using rules like the Bell-LaPadula model (no read up, no write down).

Exam trap

The trap here is that candidates confuse MAC with Discretionary Access Control (DAC), where owners can change permissions and grant access, leading them to incorrectly select options D or E as true for MAC.

281
MCQhard

A security analyst reviews firewall logs and sees multiple 'ACL drop' entries for a specific internal IP trying to connect to a database server on port 1433. The rule base has an explicit permit for this traffic. What is the most likely reason for the drops?

A.The firewall rule is disabled
B.The database server is down
C.An earlier deny rule matches the traffic before the permit rule
D.The internal IP is on a blacklist
AnswerC

Rule ordering is critical; a preceding deny rule that matches the same traffic will cause drops even if a later permit exists.

Why this answer

The most likely reason for the ACL drops despite an explicit permit rule is that an earlier deny rule in the firewall rule base matches the traffic before the permit rule. Firewalls process ACL rules sequentially from top to bottom; the first matching rule determines the action. If a deny rule appears before the permit rule and matches the source IP, destination port, or other criteria, the traffic is dropped before reaching the permit entry.

Exam trap

The trap here is that candidates assume an explicit permit rule guarantees traffic flow, but they forget that ACLs are processed top-down and an earlier deny rule can override a later permit rule.

How to eliminate wrong answers

Option A is wrong because if the firewall rule were disabled, the traffic would not match any rule and would be subject to the default implicit deny, but the logs specifically show 'ACL drop' entries, which indicate a rule explicitly denied the traffic. Option B is wrong because a down database server would cause connection timeouts or TCP RSTs, not ACL drops; ACL drops occur at the firewall layer before any server interaction. Option D is wrong because blacklists are typically implemented as separate threat intelligence feeds or dynamic block lists, not as standard ACL rules; if the IP were on a blacklist, it would still be matched by an earlier deny rule, not by a separate 'blacklist' mechanism in the ACL.

282
Multi-Selecthard

Which THREE steps are essential during the identification phase of incident response?

Select 3 answers
A.Eradicate the threat
B.Notify stakeholders
C.Monitor logs and alerts
D.Determine scope of incident
E.Classify incident severity
AnswersC, D, E

Continuous monitoring is key to detecting anomalies.

Why this answer

Options A, B, and D are correct because identification involves monitoring logs and alerts (A), determining the scope and impact (B), and classifying the severity (D). Option C is part of eradication. Option E is part of communication, which may occur but is not essential to identification.

283
MCQeasy

Which wireless encryption protocol is currently considered the most secure for home use?

A.WPA2-Enterprise
B.WPA3-Personal
C.WEP (Wired Equivalent Privacy)
D.WPA2-PSK
AnswerB

WPA3-Personal is the latest standard with enhanced security.

Why this answer

WPA3-Personal is currently the most secure wireless encryption protocol for home use because it replaces the Pre-Shared Key (PSK) model with Simultaneous Authentication of Equals (SAE), which provides forward secrecy and protects against offline dictionary attacks. Unlike WPA2, WPA3 mandates the use of GCMP-256 encryption and disables legacy TKIP, ensuring robust confidentiality and integrity for home networks.

Exam trap

ISC2 often tests the misconception that WPA2-Enterprise is inherently more secure than WPA3-Personal for all environments, but the question specifically asks for home use, where WPA3-Personal's SAE and forward secrecy provide superior security without the complexity of a RADIUS server.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise is designed for corporate environments with a RADIUS server for 802.1X authentication, not for typical home use, and it does not offer the forward secrecy or SAE improvements of WPA3. Option C is wrong because WEP (Wired Equivalent Privacy) uses the RC4 stream cipher with a static key and is trivially broken in minutes using tools like aircrack-ng, making it completely insecure. Option D is wrong because WPA2-PSK relies on a pre-shared key and the 4-way handshake, which is vulnerable to offline dictionary attacks (e.g., using captured handshakes and tools like Hashcat), and it lacks the forward secrecy and SAE protection of WPA3.

284
MCQhard

A security analyst reviews log files and sees multiple failed SSH attempts from various IP addresses. The analyst implements a rate-limiting rule on the firewall to block IPs after 5 failed attempts in 10 minutes. This is an example of which type of security control?

A.Compensating
B.Preventive
C.Detective
D.Deterrent
E.Corrective
AnswerB

Rate-limiting blocks attacks before they succeed.

Why this answer

Rate-limiting SSH attempts by blocking IPs after 5 failed attempts in 10 minutes is a preventive control because it actively stops unauthorized access before it can occur. By enforcing a threshold on the firewall, the control reduces the attack surface against brute-force attacks, directly preventing further authentication attempts from suspicious sources.

Exam trap

The trap here is that candidates confuse 'preventive' with 'deterrent' because both aim to stop attacks, but preventive controls physically block the action (e.g., firewall rule) while deterrent controls only discourage it (e.g., warning banner).

How to eliminate wrong answers

Option A is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control cannot be implemented (e.g., using out-of-band authentication instead of a smart card), not a proactive block on SSH attempts. Option C is wrong because detective controls identify and log malicious activity after it happens (e.g., IDS alerts), whereas this firewall rule blocks attempts in real time. Option D is wrong because deterrent controls discourage attackers through fear of consequences (e.g., warning banners), but they do not physically or logically prevent the action.

Option E is wrong because corrective controls remediate damage after an incident (e.g., restoring from backup), not preemptively limiting failed logins.

285
MCQmedium

A financial services firm with 500 servers and 2000 workstations uses an internal public key infrastructure (PKI) for authentication and secure communication. The root CA certificate is self-signed and stored on an offline root CA server. Recently, the root CA server was physically stolen from a locked data center. Although the server was encrypted, forensic analysis confirms that the root CA private key was extracted. The security team must immediately revoke trust in the compromised root CA and issue new certificates to all devices. The environment includes Active Directory and Group Policy. Which approach best ensures all systems trust the new CA hierarchy and obtain valid certificates with minimal disruption?

A.Generate a new root CA, sign new subordinate CAs, distribute the new root via Group Policy, and re-issue all end-entity certificates.
B.Publish a certificate revocation list (CRL) and wait for existing certificates to expire.
C.Generate a new root CA certificate and key, then re-issue all subordinate CA certificates without re-issuing end-entity certificates.
D.Enable OCSP stapling on all web servers to check revocation status in real time.
AnswerA

This ensures all systems trust the new CA hierarchy and have valid certificates.

Why this answer

Option A is correct because the root CA private key has been compromised, requiring the entire PKI hierarchy to be rebuilt from scratch. A new self-signed root CA must be generated, new subordinate CAs signed under it, and all end-entity certificates re-issued to devices. Distributing the new root CA certificate via Active Directory Group Policy ensures that all domain-joined systems trust the new hierarchy automatically, minimizing manual intervention and disruption.

Exam trap

The trap here is that candidates may think re-issuing only subordinate CAs (Option C) is sufficient, overlooking that end-entity certificates signed by the compromised root remain untrusted and must also be replaced to restore a valid chain of trust.

How to eliminate wrong answers

Option B is wrong because publishing a CRL only revokes trust in the compromised root CA but does not establish a new trusted hierarchy; waiting for existing certificates to expire leaves systems vulnerable and without valid certificates for an extended period. Option C is wrong because re-issuing subordinate CA certificates without re-issuing end-entity certificates leaves all existing end-entity certificates signed by the compromised root CA still in use, which are untrusted and cannot be validated. Option D is wrong because OCSP stapling is a revocation checking mechanism, not a method to replace a compromised root CA or issue new certificates; it does not address the need to establish a new trust anchor.

286
MCQhard

You are the security administrator for a healthcare organization that uses a Windows Active Directory domain. The organization has recently implemented a new electronic health record (EHR) system that requires users to authenticate before accessing patient data. The EHR system uses Kerberos for authentication. Users report that they can access the EHR system from their office workstations, but when they attempt to access it remotely via VPN, they receive an 'Access Denied' error. The VPN uses RADIUS for authentication and assigns IP addresses from a separate subnet. The EHR server is in the same domain as the workstations. You verify that the users are able to connect to the VPN successfully and can access other internal resources. What is the most likely cause of the issue?

A.The EHR server is not joined to the domain.
B.The VPN does not forward Kerberos traffic to the domain controller.
C.The remote user's system clock is not synchronized with the domain controller.
D.The user's account is not in the EHR application's access group.
AnswerC

Kerberos requires time sync; VPN issues often corrupt time sync.

Why this answer

Kerberos authentication is highly sensitive to time skew; the default maximum tolerance is 5 minutes (RFC 4120). When users connect via VPN, their system clocks may drift from the domain controller's time, especially if they are not synchronized with the domain's time source. This time difference causes Kerberos to reject the ticket request, resulting in an 'Access Denied' error even though the VPN connection itself is successful.

Exam trap

The trap here is that candidates focus on network connectivity or VPN configuration (like port forwarding) rather than the time synchronization requirement of Kerberos, assuming that successful VPN connection implies all authentication protocols will work seamlessly.

How to eliminate wrong answers

Option A is wrong because the EHR server is explicitly stated to be in the same domain as the workstations, and users can access it from office workstations, confirming domain membership. Option B is wrong because the VPN successfully forwards other traffic (users can access other internal resources), and Kerberos traffic uses UDP/TCP port 88, which is typically allowed through VPN tunnels; the issue is not traffic forwarding but authentication failure. Option D is wrong because the error occurs during authentication, not authorization; if the user were not in the EHR application's access group, they would likely receive a different error (e.g., 'Access Denied' after successful authentication) or be prompted for credentials again, not fail at the Kerberos ticket-granting step.

287
MCQeasy

Based on the exhibit, which type of attack is most likely occurring?

A.Denial of service.
B.Brute force attack.
C.Dictionary attack.
D.Man-in-the-middle.
AnswerB

Multiple rapid failed attempts for the same user from one IP is characteristic of brute force.

Why this answer

The exhibit shows a high number of failed authentication attempts (e.g., 1000+ failures) from a single source IP within a short time window, targeting a specific user account. This pattern is characteristic of a brute force attack, where an attacker systematically tries many password combinations to gain unauthorized access. Unlike a dictionary attack, which uses a predefined list of likely passwords, a brute force attack exhaustively tests all possible combinations, as indicated by the sheer volume of attempts.

Exam trap

The trap here is that candidates may confuse a brute force attack with a dictionary attack, but the key differentiator is the exhaustive, non-selective nature of the attempts versus the use of a precompiled wordlist.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack aims to overwhelm system resources or disrupt service availability, not to repeatedly attempt authentication. Option C is wrong because a dictionary attack uses a curated list of common passwords or phrases, not the exhaustive, high-volume attempts shown in the exhibit. Option D is wrong because a man-in-the-middle (MITM) attack involves intercepting or altering communications between two parties, not directly targeting authentication endpoints with repeated login attempts.

288
MCQmedium

A system administrator notices that a user's account has been locked out multiple times within an hour. The admin reviews the logs and finds repeated failed login attempts from an unusual IP address. What is the BEST immediate action to mitigate further risk?

A.Disable the user account
B.Delete the failed login log entries
C.Implement a firewall rule to block the IP address
D.Reset the user's password
AnswerA

Disabling the account immediately stops further authentication attempts, preventing unauthorized access.

Why this answer

Disabling the account stops any further unauthorized access while the situation is investigated. Option A is a weak password after lockout; B removes logs needed for investigation; D misidentifies the issue as a DoS attack.

289
Multi-Selectmedium

Which TWO are benefits of network segmentation using VLANs? (Choose two.)

Select 2 answers
A.Increased available bandwidth
B.Improved security through traffic isolation
C.Reduced broadcast traffic
D.Elimination of routing requirements
E.Simplified IP address management
AnswersB, C

Traffic in one VLAN cannot directly reach another VLAN.

Why this answer

VLANs segment a network into separate broadcast domains at Layer 2. By isolating traffic between VLANs, they prevent unauthorized access and contain potential threats, which directly improves security. Additionally, because each VLAN is its own broadcast domain, broadcast frames are confined to that VLAN, reducing overall broadcast traffic on the network.

Exam trap

ISC2 often tests the misconception that VLANs increase bandwidth, when in fact they only reduce unnecessary traffic (like broadcasts) but do not add physical throughput.

290
MCQmedium

A hospital is implementing an access control system for its electronic health record (EHR) system. The system must comply with HIPAA regulations, which require that access to patient records is limited to personnel who need it to perform their job duties. The hospital has many roles: doctors, nurses, lab technicians, and administrative staff. Each role can access different types of records. The system currently uses a DAC model where each user sets permissions on their own files. However, a recent risk assessment identified that some nurses have been sharing their accounts with each other to access records outside their unit. The hospital wants to implement a more restrictive model that enforces access based on job roles and prevents sharing of accounts. Which access control model should the hospital adopt?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC) with clearance labels
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC) with mandatory account uniqueness
AnswerD

RBAC restricts access based on roles, and requiring unique accounts ensures no sharing; this combination directly addresses the problem.

Why this answer

Option D is correct because Role-Based Access Control (RBAC) enforces access permissions based on job roles, directly aligning with HIPAA's need-to-know principle. Mandatory account uniqueness prevents account sharing by requiring each user to have a unique identifier, eliminating the ability to share credentials. This combination provides a more restrictive, policy-driven model than DAC, which allowed users to set their own permissions and led to unauthorized access.

Exam trap

The trap here is that candidates may choose ABAC (Option A) because it seems more flexible and modern, but they overlook that RBAC with mandatory account uniqueness directly addresses the account-sharing issue and is the simplest, most compliant model for role-based healthcare access under HIPAA.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses attributes (e.g., time, location, patient relationship) to grant access, which is more granular than needed and does not inherently enforce mandatory account uniqueness to prevent sharing. Option B is wrong because Mandatory Access Control (MAC) with clearance labels is designed for classified environments (e.g., military) using security labels and clearances, not for healthcare roles; it would require labeling all patients and users, which is impractical and does not directly address account sharing. Option C is wrong because Discretionary Access Control (DAC) is the current model that allows users to set permissions on their own files, which led to the account-sharing problem; it is the opposite of the restrictive model needed.

291
MCQeasy

Which of the following is the primary purpose of network segmentation?

A.Increase bandwidth
B.Improve network performance
C.Simplify IP address management
D.Enhance security by isolating sensitive systems
E.Reduce hardware cost
AnswerD

Segmentation limits the scope of attacks and protects sensitive data.

Why this answer

Option B is correct because network segmentation enhances security by isolating sensitive systems and limiting lateral movement. Option A is incorrect because segmentation does not directly increase bandwidth. Option C is incorrect while performance may improve due to reduced broadcast domains, security is the primary goal.

Option D is incorrect because segmentation can complicate IP management. Option E is incorrect because segmentation often increases hardware cost.

292
Multi-Selectmedium

Which TWO of the following are effective controls to prevent buffer overflow attacks? (Choose two.)

Select 2 answers
A.Input validation to reject long inputs
B.Address Space Layout Randomization (ASLR)
C.Code obfuscation
D.Non-executable stack (NX bit)
E.Stack canaries
AnswersB, D

ASLR randomizes memory addresses, making it harder to predict target addresses.

Why this answer

Address Space Layout Randomization (ASLR) is a memory protection technique that randomizes the base addresses of executable modules, heap, and stack regions. This makes it significantly harder for an attacker to predict the memory addresses needed to inject and execute shellcode, thereby mitigating many buffer overflow exploits that rely on fixed address references.

Exam trap

ISC2 often tests the misconception that input validation alone is sufficient to prevent buffer overflows, or that stack canaries are a primary control rather than a detection mechanism, leading candidates to select them instead of the memory protection controls ASLR and NX bit.

293
MCQeasy

During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?

A.Threat
B.Risk
C.Exploit
D.Vulnerability
AnswerD

The missing backup is a weakness that could lead to data loss.

Why this answer

A vulnerability is a weakness in a system that can be exploited by a threat. The database server missing from the backup schedule represents a weakness in the organization's data protection and disaster recovery posture, making it susceptible to data loss. This absence of a control (backup) is a classic example of a vulnerability, not an active threat or an exploit.

Exam trap

ISC2 often tests the distinction between a vulnerability (a weakness) and a threat (a potential danger), tricking candidates into selecting 'Threat' because they associate the missing backup with a potential data loss event, rather than recognizing it as the underlying weakness.

How to eliminate wrong answers

Option A is wrong because a threat is a potential event or actor (like a ransomware attack or a natural disaster) that could cause harm, not the absence of a backup. Option B is wrong because risk is the potential for loss or damage when a threat exploits a vulnerability; the missing backup is the vulnerability itself, not the calculated risk. Option C is wrong because an exploit is a specific method or code used to take advantage of a vulnerability (e.g., a SQL injection payload), not the condition of being unbacked.

294
Multi-Selecthard

Which THREE of the following are key steps in performing a business impact analysis (BIA)?

Select 3 answers
A.Assigning likelihood ratings to threats
B.Selecting backup and recovery solutions
C.Assessing the financial and operational impact of disruptions
D.Identifying critical business processes
E.Determining maximum tolerable downtime (MTD)
AnswersC, D, E

Impact analysis is central to BIA.

Why this answer

Option C is correct because assessing the financial and operational impact of disruptions is a core step in a business impact analysis (BIA). The BIA focuses on quantifying the consequences of losing business functions, including revenue loss, regulatory fines, and reputational damage, rather than evaluating threat likelihood or selecting recovery solutions.

Exam trap

ISC2 often tests the distinction between BIA steps (impact-focused) and risk assessment steps (likelihood-focused), so candidates mistakenly include threat likelihood ratings as a BIA step.

295
Multi-Selecteasy

A security analyst notices unusual outbound traffic from a server. Which TWO actions should be taken immediately as part of the incident response process?

Select 2 answers
A.Conduct a full vulnerability scan on the system.
B.Isolate the affected system from the network.
C.Reimage the system to remove any malware.
D.Capture memory and network traffic for analysis.
E.Notify law enforcement authorities.
AnswersB, D

Isolation is a critical immediate step to contain the incident.

Why this answer

Isolating the affected system (A) prevents further damage or data exfiltration. Capturing memory and network traffic (D) preserves volatile evidence for analysis. Reimaging (B) is premature before investigation.

Notifying law enforcement (C) is not an immediate step. Vulnerability scanning (E) is part of post-incident analysis, not immediate.

296
MCQmedium

The security team discovers that a user in the finance department can read files in the human resources share. The share permissions on the HR folder are set to deny all except the HR group, and the user is not a member of HR. What is the most likely cause?

A.The user is logging on locally to the server where the files are stored
B.The user is an administrator on the file server
C.The user is using a different file server for HR files
D.The user's token includes a group that has been explicitly denied
AnswerA

Share permissions only apply to network access; local access is governed by NTFS permissions alone, which may allow the user.

Why this answer

When a user logs on locally to the file server, Windows evaluates NTFS permissions directly, bypassing share permissions entirely. Share permissions only apply to network access via SMB, so a local logon allows the user to read files if NTFS permissions grant access, even if share permissions deny all except the HR group.

Exam trap

ISC2 often tests the distinction between share permissions and NTFS permissions, specifically that share permissions only apply to network access, not local logons, leading candidates to overlook the local logon scenario.

How to eliminate wrong answers

Option B is wrong because being an administrator on the file server does not automatically grant read access to files if the NTFS permissions explicitly deny the user or their groups; administrators can take ownership or override permissions, but the most likely cause in this scenario is local logon, not administrative privilege. Option C is wrong because using a different file server would not grant access to files on the original HR share; the user would need appropriate permissions on that specific server. Option D is wrong because if the user's token included a group explicitly denied, that deny would block access, not allow it; the scenario describes the user being able to read files despite not being in the HR group.

297
MCQmedium

An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC)
C.Role-Based Access Control (RBAC)
D.Discretionary Access Control (DAC)
AnswerD

DAC allows data owners to grant access to others at their discretion.

Why this answer

Discretionary Access Control (DAC) is the correct model because it allows data owners (the users who create or own the resource) to decide who can access their resources. In DAC, the owner sets permissions (e.g., read, write, execute) on objects like files or directories, typically using Access Control Lists (ACLs). This directly matches the requirement where data owners control access decisions.

Exam trap

ISC2 often tests the misconception that 'data owners decide' implies a role-based or attribute-based model, but the key distinction is that DAC explicitly grants ownership-based control, while RBAC and ABAC centralize decisions with administrators or policies.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses policies based on attributes (e.g., user role, time, location) evaluated by a central policy engine, not by the data owner. Option B is wrong because Mandatory Access Control (MAC) enforces system-wide policies set by a central authority (e.g., security labels like Top Secret), and users (including data owners) cannot override these rules. Option C is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'Manager'), and access decisions are made by administrators, not by the data owner.

298
MCQhard

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?

A.Unauthorized deletion of objects
B.Lack of encryption at rest
C.Inability to audit access
D.Exposure of bucket contents to the public
AnswerD

The ListBucket action with Principal "*" allows anyone to enumerate objects.

Why this answer

The S3 bucket policy grants public access via a Principal of '*' and an Effect of 'Allow' for the 's3:GetObject' action, which means any unauthenticated user on the internet can read objects in the bucket. This directly exposes the bucket contents to the public, making option D correct.

Exam trap

ISC2 often tests the distinction between read access (GetObject) and write/delete access (PutObject, DeleteObject), so candidates may mistakenly think any public access implies deletion risk, but the policy explicitly only allows reading.

How to eliminate wrong answers

Option A is wrong because the policy only allows 's3:GetObject' (read) and does not include 's3:DeleteObject' or any write/delete actions, so unauthorized deletion is not introduced. Option B is wrong because the policy does not address encryption settings at all; encryption at rest is a separate configuration (e.g., SSE-S3, SSE-KMS) and is not impacted by this access control policy. Option C is wrong because the policy does not disable or affect CloudTrail or other audit logging; auditing remains possible regardless of this policy, though the policy itself does not enable or disable it.

299
MCQmedium

An alert shows a successful login from an unusual geographic location. Which of the following is the BEST initial response?

A.Disable the user account
B.Contact the user to verify the login
C.Block the source IP address
D.Reset the user's password
AnswerA

Immediate containment to stop ongoing unauthorized access.

Why this answer

Option A is correct because disabling the account immediately prevents further unauthorized access while the incident is investigated. Option B is premature without confirmation of compromise. Option C may be done after disabling.

Option D is too slow as the first step.

300
MCQeasy

An organization uses smart cards combined with a PIN to access secure facilities. This is an example of which type of authentication factor?

A.Token-based authentication
B.Single-factor authentication
C.Two-factor authentication
D.Biometric authentication
AnswerC

Combining something you have (smart card) with something you know (PIN) is a classic definition of two-factor authentication.

Why this answer

Smart cards are a possession factor (something you have), and the PIN is a knowledge factor (something you know). Combining both satisfies the requirement for two distinct authentication factors, making this a textbook example of two-factor authentication (2FA). This is not single-factor because two separate categories of credentials are used, and it is not biometric because no physical characteristic is measured.

Exam trap

The trap here is that candidates often confuse 'something you have' (possession factor) with 'something you know' (knowledge factor) and mistakenly classify the combination as single-factor because they think the smart card alone is the authentication, ignoring that the PIN adds a second distinct factor.

How to eliminate wrong answers

Option A is wrong because token-based authentication typically refers to a device that generates a one-time password (OTP) or cryptographic token, not a smart card with a PIN; while a smart card can be considered a token, the combination with a PIN specifically makes it two-factor, not merely token-based. Option B is wrong because single-factor authentication uses only one category of credential (e.g., just a password or just a smart card), but here both a smart card (possession) and a PIN (knowledge) are required, so it is multi-factor. Option D is wrong because biometric authentication relies on unique physical traits such as fingerprints, iris patterns, or voice recognition, not on a smart card and PIN combination.

Page 3

Page 4 of 7

Page 5

All pages