Systems Security Certified Practitioner SSCP (SSCP) — Questions 301375

504 questions total · 7pages · All types, answers revealed

Page 4

Page 5 of 7

Page 6
301
MCQeasy

Refer to the exhibit. Which component of the cipher suite provides perfect forward secrecy?

A.ECDHE
B.TLS 1.2
C.AES256-GCM
D.SHA384
AnswerA

ECDHE uses ephemeral keys, ensuring forward secrecy.

Why this answer

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) provides perfect forward secrecy (PFS) because it generates a unique, ephemeral session key for each TLS session. If the long-term private key is compromised, past session keys cannot be derived, as the ephemeral keys are discarded after use. This is defined in RFC 4492 and is a core property of ephemeral Diffie-Hellman key exchange.

Exam trap

ISC2 often tests the distinction between the protocol version (TLS 1.2) and the cipher suite components that actually implement PFS, leading candidates to incorrectly select TLS 1.2 because they associate it with modern security features.

How to eliminate wrong answers

Option B (TLS 1.2) is wrong because TLS 1.2 is a protocol version, not a component that provides PFS; it can support PFS if ECDHE or DHE cipher suites are negotiated, but the protocol itself does not guarantee PFS. Option C (AES256-GCM) is wrong because AES256-GCM is a symmetric encryption and authenticated encryption algorithm (AEAD) that protects data confidentiality and integrity, but it does not influence key exchange or provide PFS. Option D (SHA384) is wrong because SHA384 is a hash function used for message authentication in HMAC or for integrity checks in TLS, and it has no role in establishing ephemeral keys or PFS.

302
MCQeasy

A system administrator needs to assign permissions to a new employee who will be performing database backups. The employee should only be able to execute the backup command but not read or modify the data. Which access control principle should be applied?

A.Need to know
B.Least privilege
C.Separation of duties
D.Defense in depth
AnswerB

Least privilege grants only the permissions required to perform the job.

Why this answer

The least privilege principle dictates that a user should be granted only the minimum permissions necessary to perform their job function. In this scenario, the employee needs only the ability to execute the backup command (e.g., using a tool like `pg_dump` or `mysqldump` with a read-only snapshot), not read or modify the underlying data files. Applying least privilege ensures the backup process can run without granting broader SELECT or FILE privileges that would allow data access or alteration.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need to know' because both limit access, but least privilege focuses on the minimum permissions to perform an action (execute a command), while need to know focuses on whether the user requires access to specific data content.

How to eliminate wrong answers

Option A is wrong because 'need to know' is a confidentiality principle that restricts access to information based on whether the user requires that specific data to perform their duties, not the minimum permissions to execute a command; it does not address the granularity of execute-only versus read/modify. Option C is wrong because separation of duties divides critical tasks among multiple people to prevent fraud (e.g., the backup operator cannot also restore), but the question is about limiting the backup operator's own permissions, not splitting tasks. Option D is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS, encryption), not a principle for assigning a single user's permissions to a specific command.

303
MCQmedium

A database administrator notices unusual queries that seem to be trying to extract data via SQL injection. The application uses parameterized queries for most queries, but some dynamic queries are built using string concatenation. What is the BEST remediation?

A.Restrict database user permissions to only necessary tables
B.Implement strict input validation for all user inputs
C.Deploy a web application firewall (WAF) in front of the application
D.Rewrite all dynamic queries to use parameterized queries
AnswerD

Parameterized queries prevent interpretation of user input as SQL code.

Why this answer

Option A is correct because converting all dynamic queries to use parameterized queries eliminates the possibility of SQL injection. Option B is wrong because input validation alone is insufficient if concatenation is used. Option C is wrong because WAF is a detection/blocking control but not a code-level fix.

Option D is wrong because least privilege reduces impact but does not prevent injection.

304
MCQmedium

A security team uses a risk matrix with likelihood (Low, Medium, High) and impact (Low, Medium, High). A vulnerability scan finds a buffer overflow in a customer-facing web application. The application is not critical but has high availability requirements. The likelihood of exploitation is considered Medium due to internal network segmentation. What is the risk level?

A.Medium
B.Extreme
C.High
D.Low
AnswerC

Standard 3x3 risk matrix: Medium likelihood + High impact = High risk.

Why this answer

The risk level is High because the likelihood is Medium (due to internal network segmentation reducing but not eliminating the chance of exploitation) and the impact is High (the application has high availability requirements, so a buffer overflow could cause a denial of service or code execution, severely affecting availability). In a standard 3x3 risk matrix, Medium likelihood combined with High impact yields a High risk rating.

Exam trap

ISC2 often tests the misconception that internal network segmentation automatically lowers the risk to Medium or Low, but the high availability requirement elevates the impact, resulting in a High risk level despite the reduced likelihood.

How to eliminate wrong answers

Option A is wrong because Medium risk would require either Low likelihood with High impact, or Medium likelihood with Medium impact, but here the impact is High due to the application's high availability requirements. Option B is wrong because Extreme risk typically requires both High likelihood and High impact, or a combination like High likelihood with Medium impact in some matrices, but the likelihood is only Medium. Option D is wrong because Low risk would require Low likelihood and Low impact, or Low likelihood with Medium impact, but the impact is High and the likelihood is Medium.

305
MCQeasy

A small business wants to implement an access control system where employees can access files based on their department (e.g., HR, Finance). They want simplicity and ease of administration. Which access control model is BEST suited?

A.Mandatory Access Control (MAC)
B.Attribute-Based Access Control (ABAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerD

RBAC assigns permissions to roles, and users are assigned roles based on their department, providing a straightforward and manageable solution.

Why this answer

Role-Based Access Control (RBAC) is best suited because it maps access permissions directly to job functions (roles) such as HR or Finance, rather than to individual users. This simplifies administration: when an employee changes departments, the administrator simply updates their role assignment, and all associated permissions are automatically applied or revoked. RBAC is designed for environments where access decisions are based on organizational roles, providing a balance of security and ease of management.

Exam trap

The trap here is that candidates often confuse RBAC with DAC because both involve user-based permissions, but RBAC centralizes control through roles while DAC delegates control to individual resource owners, making RBAC the correct choice for department-based access.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) uses system-enforced labels (e.g., security classifications like Top Secret) and is typically used in military or high-security environments, not for simple department-based access in a small business. Option B is wrong because Attribute-Based Access Control (ABAC) evaluates multiple attributes (e.g., time, location, resource type) using policy rules, which adds complexity and administrative overhead beyond what is needed for straightforward department-based access. Option C is wrong because Discretionary Access Control (DAC) allows individual users to control access to their own files (e.g., via file permissions), which does not scale well for department-wide access and can lead to inconsistent enforcement.

306
MCQhard

A financial services organization deploys a new web application that allows customers to check account balances and transfer funds. The application uses a RESTful API with JSON payloads. Shortly after deployment, the security team notices unusual traffic patterns: many requests contain excessively long JSON strings in the 'amount' field, and some of these requests return 500 Internal Server Errors. The application logs show that these requests cause high CPU usage on the application server. The developers confirm that the input validation only checks for negative numbers and characters. Which type of attack is most likely occurring, and what is the best immediate mitigation?

A.The attack is a brute-force attempt on the amount field; implement rate limiting.
B.The attack is cross-site scripting; sanitize output.
C.The attack is a Denial of Service using large payloads; implement input size limits and validation.
D.The attack is SQL injection; use parameterized queries.
AnswerC

Large JSON payloads can exhaust server resources; validation should restrict field sizes.

Why this answer

Option B is correct because the symptoms indicate a Denial of Service attack via large payloads that consume server resources. Input validation should reject oversized inputs. Option A is incorrect because brute force would not cause high CPU from large payloads.

Option C is incorrect because SQL injection would likely return specific error messages rather than 500s from CPU exhaustion. Option D is incorrect because XSS targets browser execution, not server CPU.

307
Multi-Selecthard

Which TWO protocols are used to secure email communication at the message level?

Select 2 answers
A.IPsec
B.PGP
C.S/MIME
D.SSL/TLS
E.SSH
AnswersB, C

Provides encryption and signing for email.

Why this answer

PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are the two primary protocols that secure email at the message level. They encrypt the entire email body and attachments, ensuring end-to-end confidentiality and integrity regardless of the transport path. PGP uses a web of trust model, while S/MIME relies on a hierarchical public key infrastructure (PKI) with X.509 certificates.

Exam trap

ISC2 often tests the distinction between transport-layer security (SSL/TLS) and message-level security (PGP/SMIME), so candidates mistakenly choose SSL/TLS because they associate it with email security (e.g., SMTPS), but it does not provide end-to-end message encryption.

308
MCQmedium

Which of the following encryption protocols should be used to secure wireless traffic in an enterprise environment?

A.WPA3-Enterprise
B.WEP
C.WPA3-PSK
D.WPA2-PSK
E.WPA2-Enterprise
AnswerA

Provides the strongest security with 802.1X authentication and GCMP-256 encryption.

Why this answer

WPA3-Enterprise is the correct choice because it provides the highest level of security for enterprise wireless networks, incorporating mandatory 192-bit Suite B cryptographic suites (AES-256 in GCM mode, HMAC-SHA384, and ECDHE key exchange) to protect against offline dictionary attacks, forward secrecy, and brute-force attempts. It also uses Simultaneous Authentication of Equals (SAE) for the handshake, replacing the vulnerable 4-way handshake of WPA2, and supports 802.1X/EAP authentication with RADIUS for centralized user management.

Exam trap

ISC2 often tests the distinction between 'PSK' and 'Enterprise' modes, trapping candidates who see 'WPA3' and assume it is always best, but the question's 'enterprise environment' requirement specifically demands the Enterprise mode (with 802.1X/RADIUS), not the PSK variant, even though both use SAE.

How to eliminate wrong answers

Option B (WEP) is wrong because it uses the insecure RC4 stream cipher with a static 40- or 104-bit key, making it trivially crackable with tools like aircrack-ng in minutes. Option C (WPA3-PSK) is wrong because it uses a pre-shared key (PSK) mode, which lacks the per-user authentication and centralized management required in an enterprise environment, and is more suited for small office/home office (SOHO) deployments. Option D (WPA2-PSK) is wrong because it relies on the vulnerable 4-way handshake with a pre-shared key, making it susceptible to offline dictionary attacks (e.g., using hashcat) and KRACK attacks, and it lacks enterprise-grade user authentication.

Option E (WPA2-Enterprise) is wrong because while it supports 802.1X/EAP, it uses the older 4-way handshake which is vulnerable to KRACK (CVE-2017-13077) and lacks forward secrecy and the stronger cryptographic suites mandated in WPA3-Enterprise.

309
MCQmedium

A security administrator needs to ensure that only authorized personnel can reset user passwords in Active Directory. Which of the following is the BEST method to delegate this responsibility without granting unnecessary privileges?

A.Place the personnel in the Account Operators group.
B.Add the personnel to the Domain Admins group.
C.Use Delegation of Control wizard to assign the 'Reset user passwords and force password change at next logon' permission.
D.Give the personnel physical access to the domain controller.
AnswerC

This provides exactly the needed permission without extra rights.

Why this answer

The Delegation of Control wizard allows granular assignment of specific Active Directory permissions, such as 'Reset user passwords and force password change at next logon', without granting broader administrative rights. This follows the principle of least privilege by limiting the delegated personnel to only the necessary task. Option C is correct because it directly addresses the requirement with a built-in, secure delegation mechanism.

Exam trap

The trap here is that candidates often assume built-in groups like Account Operators are the simplest delegation method, overlooking that they grant far more permissions than the specific task requires, which is a common violation of the principle of least privilege tested on the SSCP.

How to eliminate wrong answers

Option A is wrong because the Account Operators group can create, delete, and modify most user accounts and groups, which includes the ability to reset passwords but also grants excessive privileges beyond the required task. Option B is wrong because Domain Admins have full administrative control over the entire domain, including all user and computer objects, which is far more privilege than needed and violates least privilege. Option D is wrong because physical access to a domain controller does not inherently grant the ability to reset passwords; it could allow unauthorized actions but is not a controlled delegation method and introduces significant security risks.

310
MCQmedium

A software developer wants to ensure the authenticity and integrity of an API request but does not require non-repudiation. Which cryptographic method should be used?

A.Digital signature using RSA
B.Symmetric encryption with CBC mode
C.Hash-based message authentication code (HMAC)
D.Elliptic curve Diffie-Hellman (ECDH)
AnswerC

HMAC verifies authenticity and integrity without non-repudiation.

Why this answer

HMAC uses a shared secret key combined with a cryptographic hash function to produce a fixed-size authentication tag. This ensures both authenticity (the request came from a party knowing the key) and integrity (the data has not been altered) without providing non-repudiation, because the same key is shared between sender and receiver, so the receiver could also have generated the tag.

Exam trap

ISC2 often tests the distinction between authentication/integrity (HMAC) and non-repudiation (digital signatures), leading candidates to incorrectly choose digital signatures when non-repudiation is explicitly not required.

How to eliminate wrong answers

Option A is wrong because a digital signature using RSA provides non-repudiation (the sender cannot deny signing) and is computationally heavier than necessary when non-repudiation is not required. Option B is wrong because symmetric encryption with CBC mode provides confidentiality, not authenticity or integrity; CBC mode alone does not prevent an attacker from modifying ciphertext blocks. Option D is wrong because Elliptic Curve Diffie-Hllman (ECDH) is a key exchange protocol used to establish a shared secret over an insecure channel, not a method for authenticating or verifying the integrity of an API request.

311
MCQhard

A network engineer configures a VLAN hopping attack prevention by setting all unused switch ports to an unused VLAN and disabling trunking. What vulnerability is being mitigated?

A.STP manipulation
B.ARP spoofing
C.MAC flooding
D.DTP spoofing
E.DHCP starvation
AnswerD

DTP spoofing can turn an access port into a trunk, enabling VLAN hopping.

Why this answer

DTP spoofing is the correct answer because VLAN hopping attacks often exploit Dynamic Trunking Protocol (DTP) to negotiate a trunk link between a switch and an attacker's device, allowing the attacker to send and receive traffic on multiple VLANs. By disabling trunking on all unused ports and assigning them to an unused VLAN, the switch will not respond to DTP negotiation requests, preventing unauthorized trunk establishment.

Exam trap

ISC2 often tests the distinction between DTP spoofing (VLAN hopping via trunk negotiation) and double-tagging attacks (another VLAN hopping method), so candidates may confuse the two or incorrectly associate VLAN hopping with MAC flooding or ARP spoofing.

How to eliminate wrong answers

Option A is wrong because STP manipulation attacks target Spanning Tree Protocol to cause network loops or traffic redirection, not VLAN hopping. Option B is wrong because ARP spoofing involves sending forged ARP replies to associate an attacker's MAC with a legitimate IP address, which is a man-in-the-middle technique unrelated to trunk negotiation. Option C is wrong because MAC flooding overwhelms a switch's CAM table to force it into fail-open mode, causing frames to flood out all ports, but it does not involve trunking or VLAN tagging.

Option E is wrong because DHCP starvation exhausts the DHCP server's address pool by sending many fake DHCP requests, preventing legitimate clients from obtaining IP addresses, and has no connection to DTP or VLAN hopping.

312
MCQhard

During a penetration test, the tester captures traffic on a switch port that is part of a VLAN other than the native VLAN. The tester is able to receive traffic destined for the management VLAN. What configuration flaw is exploited?

A.Spanning tree protocol is enabled
B.Trunk port misconfiguration with native VLAN mismatch
C.Port security is not enabled
D.DHCP snooping is disabled
E.VLAN trunking protocol (VTP) is set to transparent mode
AnswerB

If the native VLAN on trunk matches management VLAN, frames can be double-tagged to hop VLANs.

Why this answer

The correct answer is B because the scenario describes a native VLAN mismatch on a trunk port. When two switches have different native VLANs configured on a trunk, they will not tag frames for their respective native VLANs. This allows an attacker on a non-native VLAN to receive traffic destined for the management VLAN (typically VLAN 1) by sending frames with no 802.1Q tag, which the receiving switch treats as belonging to its own native VLAN, effectively bypassing VLAN segmentation.

Exam trap

ISC2 often tests the native VLAN mismatch concept by describing a scenario where an attacker on a non-native VLAN receives management traffic, and candidates mistakenly choose options like 'VTP transparent mode' or 'STP enabled' because they confuse protocol behavior with security flaws.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) prevents loops, not VLAN hopping or traffic leakage; enabling STP does not cause or mitigate native VLAN mismatches. Option C is wrong because port security limits MAC addresses on an access port, but it does not prevent VLAN hopping attacks exploiting trunk misconfigurations. Option D is wrong because DHCP snooping filters untrusted DHCP messages and prevents rogue DHCP servers, but it does not address native VLAN mismatches or VLAN hopping.

Option E is wrong because VTP transparent mode simply forwards VTP advertisements without processing them; it does not cause or prevent the native VLAN mismatch vulnerability.

313
Multi-Selectmedium

Which TWO of the following are key components of an incident response plan (IRP) according to NIST SP 800-61?

Select 2 answers
A.Acquisition of forensic tools
B.Hardware inventory
C.Communication plan
D.Testing the plan
E.Annual budget
AnswersC, D

A communication plan is a required component of an IRP.

Why this answer

NIST SP 800-61 (Computer Security Incident Handling Guide) explicitly identifies the communication plan and testing the plan as key components of an incident response plan. The communication plan ensures all stakeholders (internal teams, legal, PR, external partners) are notified and coordinated during an incident, while testing validates the plan's effectiveness through exercises like tabletop or functional drills.

Exam trap

ISC2 often tests the distinction between components of the plan itself (like communication and testing) versus operational activities or supporting resources (like forensic tools or budgets), leading candidates to select items that are part of incident response but not key components of the plan.

314
Matchingmedium

Match each authentication factor to its category.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Something you know

Something you have

Something you are

Something you do

Why these pairings

These are the four main authentication factor categories.

315
MCQhard

An organization experiences malware that injects code into legitimate processes. Which security feature should be enabled to prevent code execution in memory pages?

A.Encrypted File System (EFS)
B.Address Space Layout Randomization (ASLR)
C.Mandatory Access Control (MAC)
D.Data Execution Prevention (DEP)
AnswerD

DEP prevents execution from non-executable memory regions.

Why this answer

Data Execution Prevention (DEP) is a hardware and software security feature that marks memory pages as non-executable unless they explicitly contain executable code. By preventing code execution in data-only memory regions (such as the heap and stack), DEP stops malware that attempts to inject and run shellcode within legitimate processes, even if the process is compromised.

Exam trap

The trap here is that candidates often confuse ASLR with DEP, thinking randomization alone prevents code execution, but ASLR only makes addresses unpredictable while DEP actively blocks execution from non-executable pages.

How to eliminate wrong answers

Option A is wrong because Encrypted File System (EFS) protects data at rest by encrypting files on NTFS volumes, but it does not control memory execution permissions or prevent code injection into running processes. Option B is wrong because Address Space Layout Randomization (ASLR) randomizes the memory addresses of process components to make exploitation harder, but it does not enforce non-execution of memory pages; it works alongside DEP but is not a direct prevention mechanism against code execution in memory. Option C is wrong because Mandatory Access Control (MAC) enforces system-wide security policies based on labels and subjects, but it does not manage memory page execution permissions at the hardware or kernel level.

316
MCQeasy

An organization suspects a security incident. Which initial step should the incident response team take?

A.Contain the incident
B.Protect evidence
C.Identify the attacker
D.Notify law enforcement
AnswerB

Preserving volatile evidence is the first priority to support forensic analysis.

Why this answer

The initial step in incident response is to protect evidence (Option B) because preserving forensic data ensures the integrity of logs, memory dumps, and disk images for later analysis. According to NIST SP 800-61, the first priority after detection is to secure volatile data (e.g., RAM, network connections) before it is lost, which is critical for determining the scope and root cause of the incident.

Exam trap

The trap here is that candidates confuse the urgency of containment with the priority of evidence preservation, often selecting 'Contain the incident' because it seems immediately necessary, but the SSCP emphasizes that evidence must be secured first to support legal and forensic processes.

How to eliminate wrong answers

Option A is wrong because containment (e.g., isolating systems via VLAN segmentation or disabling network interfaces) should occur only after evidence has been preserved; premature containment can destroy volatile data like active network connections or running processes. Option C is wrong because identifying the attacker is a later analytical goal, not an initial step—focusing on attribution early can waste time and compromise evidence collection. Option D is wrong because notifying law enforcement is a strategic decision that typically occurs after the incident is confirmed and evidence is secured; premature notification may lead to legal complications or loss of control over the investigation.

317
MCQmedium

A healthcare organization uses an electronic health records (EHR) system that stores patient data in a relational database. The system is accessed by doctors and nurses via tablet devices on a wireless network. The security team has detected that some patient records were accessed outside of normal business hours from an IP address not belonging to the organization. The database logs show that the queries originated from the application server. The application logs indicate that the access was performed using a legitimate user account that had been disabled due to employee departure two weeks earlier. Which of the following is the most effective step to prevent recurrence?

A.Require multi-factor authentication for all remote access.
B.Enable audit logging on all database transactions.
C.Implement a process to disable user accounts within one hour of employee termination.
D.Segregate the wireless network from the internal network.
AnswerC

A timely account disable process prevents use of former employees' credentials.

Why this answer

Option A is correct because disabling the account should have been immediate upon employee departure; this is a failure of the account management process. Option B is incorrect while useful, does not address the root cause of the account still being active. Option C is incorrect because network segmentation would not prevent use of a valid account.

Option D is incorrect because MFA helps but if the account is still active, the attacker could have bypassed MFA if not enforced.

318
Multi-Selecthard

Which TWO of the following are effective measures to prevent buffer overflow attacks in software development?

Select 2 answers
A.Validate all input to ensure it meets length constraints
B.Implement stack canaries
C.Obfuscate the code to make exploitation harder
D.Enable Address Space Layout Randomization (ASLR)
E.Use functions that perform bounds checking (e.g., strncpy instead of strcpy)
AnswersB, E

Stack canaries detect if a buffer overflow has occurred by checking a known value.

Why this answer

Options B and D are correct. Option B (using bounds-checking functions) like strncpy instead of strcpy prevents overflows. Option D (stack canaries) detect buffer overflows before they overwrite return addresses.

Option A (ASLR) randomizes memory addresses but does not prevent overflow; it makes exploitation harder. Option C (input validation) helps but is not specific to buffer overflow; E (code obfuscation) does not prevent the vulnerability.

319
MCQhard

A security administrator is configuring a wireless network for a branch office. The office has legacy devices that only support WPA2-PSK. The administrator wants to provide the highest level of security while maintaining compatibility. Which configuration should be used?

A.WPA2-Enterprise with RADIUS
B.WPA2-PSK with AES (CCMP)
C.WPA3-SAE only
D.WPA2-PSK with TKIP
AnswerB

AES is the strongest encryption available for WPA2 and is supported by most devices.

Why this answer

WPA2-PSK with AES (CCMP) is correct because it provides the highest security level compatible with legacy devices that only support WPA2-PSK. AES-CCMP is the mandatory encryption protocol for WPA2, offering strong data confidentiality and integrity, whereas TKIP is deprecated due to known vulnerabilities. This configuration avoids the need for a RADIUS server (required by WPA2-Enterprise) and does not force an upgrade to WPA3, which legacy devices cannot support.

Exam trap

The trap here is that candidates often assume WPA2-Enterprise is always more secure than WPA2-PSK, but the question explicitly requires compatibility with legacy devices that only support WPA2-PSK, making WPA2-Enterprise an invalid choice despite its stronger authentication model.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise with RADIUS requires an authentication server and is not supported by legacy devices that only support WPA2-PSK; it would break compatibility. Option C is wrong because WPA3-SAE is not supported by legacy WPA2-only devices, so it would render the network inaccessible to them. Option D is wrong because WPA2-PSK with TKIP uses the deprecated TKIP cipher, which is vulnerable to attacks like Michael and Beck-Tews, and provides weaker security than AES-CCMP.

320
MCQhard

Refer to the exhibit. What is the most likely cause of this error?

A.The root CA is not trusted
B.The certificate has been revoked
C.The certificate is expired
D.The certificate uses weak encryption
AnswerA

A self-signed certificate in the chain means the CA is not in the trust store.

Why this answer

The error 'The root CA is not trusted' occurs because the client device does not have the root CA certificate installed in its trusted root store. When a server presents a certificate chain, the client must be able to validate the chain up to a trusted root CA; if the root CA is missing or not trusted, the certificate chain is considered invalid, and the connection is rejected.

Exam trap

ISC2 often tests the distinction between certificate chain validation failures (root CA not trusted) versus other certificate errors (expired, revoked, weak key), and the trap here is that candidates confuse a missing root CA with a revoked or expired certificate, which produce different error messages.

How to eliminate wrong answers

Option B is wrong because a revoked certificate would produce a different error, such as 'certificate revoked' or a CRL/OCSP failure message, not a trust-related error. Option C is wrong because an expired certificate would generate a specific 'certificate expired' error, not a root CA trust issue. Option D is wrong because weak encryption (e.g., RSA 512-bit) would cause a security policy violation or cipher mismatch error, not a root CA trust failure.

321
MCQmedium

A security team is investigating a potential data exfiltration incident. They notice that a large amount of data was transferred to an external IP address during off-hours. What should be the first step?

A.Notify senior management of the incident.
B.Block the external IP address at the firewall.
C.Analyze the data transfer logs to determine the scope.
D.Isolate the affected system from the network.
AnswerD

Isolation stops the exfiltration immediately.

Why this answer

Option D is correct because the immediate priority in a suspected data exfiltration incident is to contain the threat and prevent further data loss. Isolating the affected system from the network stops ongoing communication with the external IP address, preserving the system state for forensic analysis. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often choose to block the external IP (Option B) thinking it stops the attack, but Cisco tests the principle that containment must be at the host level to prevent the attacker from pivoting or using alternate C2 channels.

How to eliminate wrong answers

Option A is wrong because notifying senior management is a later step in the incident response process; the first action must be technical containment to stop the exfiltration. Option B is wrong because blocking the external IP address at the firewall does not stop the compromised system from using other IPs or protocols, and it may alert the attacker, destroying forensic evidence. Option C is wrong because analyzing data transfer logs to determine scope is part of the investigation phase, which should occur after containment to avoid further data loss while logs are being reviewed.

322
MCQmedium

A network administrator is unable to ping the server at 10.2.2.100 from a host on the 192.168.1.0/24 network. Based on the exhibit, what is the most likely cause?

A.The static route to 10.3.3.0 is misconfigured.
B.The gateway of last resort is missing.
C.The OSPF route for 10.2.2.0 is not in the routing table.
D.The OSPF neighbor relationship may be unstable, causing intermittent route flapping.
AnswerD

The route is learned but the age (00:05:12) may indicate recent instability.

Why this answer

The exhibit shows that the host on 192.168.1.0/24 cannot reach 10.2.2.100, but the routing table includes both a static route to 10.3.3.0 and an OSPF route to 10.2.2.0. Option D is correct because the symptom of intermittent reachability (sometimes ping works, sometimes not) combined with a known OSPF neighbor relationship points to route flapping, where the OSPF route for 10.2.2.0 is repeatedly added and removed due to an unstable neighbor adjacency, causing the ping to fail when the route is absent.

Exam trap

ISC2 often tests the distinction between a missing route (which would cause a complete failure) and an unstable route (which causes intermittent failure), tricking candidates into choosing a static answer like 'missing route' when the symptom of intermittent connectivity points to route flapping.

How to eliminate wrong answers

Option A is wrong because the static route to 10.3.3.0 is irrelevant to reaching 10.2.2.100; the destination is 10.2.2.0/24, not 10.3.3.0/24, so a misconfigured static route to a different subnet does not affect this connectivity. Option B is wrong because a missing gateway of last resort (default route) would only affect traffic to networks not explicitly in the routing table; here, the routing table already contains an OSPF route for 10.2.2.0/24, so a default route is unnecessary for this specific destination. Option C is wrong because the OSPF route for 10.2.2.0 is present in the routing table (as shown in the exhibit), so the issue is not that the route is missing entirely, but rather that it may be flapping due to an unstable OSPF neighbor relationship.

323
Multi-Selectmedium

Which TWO of the following are types of intrusion detection systems (IDS) based on the detection method?

Select 2 answers
A.Anomaly-based IDS
B.Host-based IDS
C.Rule-based IDS
D.Signature-based IDS
E.Network-based IDS
AnswersA, D

Detects deviations from baseline behavior.

Why this answer

Options B and D are correct. Signature-based detection matches known patterns, and anomaly-based detection identifies deviations from normal behavior. Option A is wrong because network-based refers to placement, not detection method.

Option C is wrong because host-based is also placement. Option E is wrong because rule-based is a subset of signature-based.

324
MCQmedium

A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?

A.Risk mitigation by blocking the IP address
B.Risk remediation by changing all user passwords
C.Risk transfer
D.Risk acceptance
AnswerA

Blocking the source IP mitigates the ongoing brute-force attempt.

Why this answer

Option C is correct because blocking the IP address reduces the immediate risk of further unauthorized access. Option A is wrong because accepting risk is not appropriate when an active threat is present. Option B is wrong because transferring risk (e.g., cyber insurance) does not stop the ongoing attack.

Option D is wrong because remediation might involve patching or changing passwords, but this is not the immediate action; blocking is faster.

325
MCQmedium

A security administrator is reviewing backup procedures for a database server. The current backup policy mandates a full backup every Sunday and differential backups Tuesday through Friday. On Wednesday, a failure occurs, and the database is lost. The last successful full backup was completed on Sunday, and the last differential backup was completed on Tuesday. How many backup sets are needed to restore the database to its state as of Tuesday?

A.4
B.3
C.2
D.1
AnswerC

Full backup plus the latest differential backup.

Why this answer

To restore the database to its state as of Tuesday, you need the last full backup (Sunday) and the last differential backup (Tuesday). A differential backup contains all changes since the last full backup, so applying the Tuesday differential to the Sunday full backup recovers all data up to Tuesday. The Wednesday failure does not affect the Tuesday state, and no other backups are required.

Exam trap

The trap here is confusing differential backups with incremental backups, leading candidates to think they need all backups from Sunday through Tuesday (3 or 4 sets), when differential backups only require the last full and the most recent differential.

How to eliminate wrong answers

Option A is wrong because 4 backup sets would be needed only if you were using incremental backups (which require all backups since the last full), but the policy uses differential backups. Option B is wrong because 3 backup sets would be needed if you had to restore from Sunday full, Tuesday differential, and Wednesday differential (if it existed), but the Wednesday backup was never completed. Option D is wrong because 1 backup set (only the full backup) would restore the database to Sunday's state, not Tuesday's state, missing the changes captured in the Tuesday differential.

326
Multi-Selecthard

Which THREE of the following are considered cryptographic best practices for key management? (Select exactly 3.)

Select 3 answers
A.Separate keys used for encryption and digital signatures
B.Rotate keys periodically
C.Use hardware security modules (HSMs) for key storage
D.Publish symmetric keys on the company website for transparency
E.Store keys with the encrypted data for convenience
AnswersA, B, C

Using the same key for both purposes weakens security.

Why this answer

Option A is correct because using separate keys for encryption and digital signatures ensures that compromising one key does not affect the other. This separation aligns with the principle of key usage restrictions, as defined in NIST SP 800-57, which mandates distinct keys for different cryptographic operations to prevent misuse and maintain non-repudiation.

Exam trap

ISC2 often tests the misconception that convenience (like storing keys with data) is acceptable, when in fact it violates the core security principle of key separation and confidentiality.

327
Multi-Selecteasy

Which TWO of the following are examples of key risk indicators (KRIs)?

Select 2 answers
A.Number of unpatched critical vulnerabilities
B.Total number of employees
C.Percentage of systems with antivirus disabled
D.Average user satisfaction score
E.Number of security incidents this quarter
AnswersA, C

A high number indicates higher risk of exploitation.

Why this answer

Option A is correct because the number of unpatched critical vulnerabilities directly measures the organization's exposure to known exploits. A KRI must be quantifiable and predictive of risk; unpatched vulnerabilities are a leading indicator of potential breaches, as attackers actively scan for and exploit such weaknesses. This metric is commonly tracked in vulnerability management programs to prioritize remediation efforts.

Exam trap

ISC2 often tests the distinction between leading indicators (KRIs) and lagging indicators (outcome metrics), so candidates mistakenly select 'Number of security incidents this quarter' because it seems risk-related, but it is a historical outcome, not a predictive risk indicator.

328
Multi-Selecthard

Which THREE are required components of a core role-based access control (RBAC) system according to NIST? (Choose three.)

Select 3 answers
A.Constraints
B.Users
C.Permissions
D.Sessions
E.Roles
AnswersB, C, E

Users are the subjects that are assigned to roles.

Why this answer

Option B (Users) is correct because in NIST's RBAC model (INCITS 359-2012), users are the human actors who are assigned to roles. The core components of RBAC are users, roles, and permissions; users are the subjects that ultimately receive permissions through their role membership. Without users, there is no entity to which roles and permissions can be assigned.

Exam trap

ISC2 often tests the distinction between core and advanced RBAC components, and the trap here is that candidates mistakenly include constraints or sessions as mandatory because they are commonly discussed in security policies, but NIST explicitly defines them as optional extensions to the core model.

329
MCQhard

Based on the exhibit, if the user attempts to upload (put) a file to the S3 bucket corporate-data, what is the result?

A.Allowed because the bucket policy likely allows public puts
B.Denied because the explicit deny overrides any allow
C.Denied because PutObject is not explicitly allowed
D.Allowed because the policy also allows GetObject
AnswerB

The explicit deny for PutObject overrides any potential allows, so the request is denied.

Why this answer

The correct answer is B because the bucket policy includes an explicit deny statement that denies s3:PutObject for the user's principal. In AWS IAM and resource-based policies, an explicit deny always overrides any allow, regardless of other permissions. Therefore, even if other statements allow PutObject, the explicit deny blocks the upload.

Exam trap

The trap here is that candidates often assume an explicit allow for PutObject would override a deny, but AWS's explicit deny always wins, making the presence of any deny statement the decisive factor.

How to eliminate wrong answers

Option A is wrong because the bucket policy does not allow public puts; it contains an explicit deny that overrides any potential allow. Option C is wrong because the issue is not the absence of an explicit allow but the presence of an explicit deny, which takes precedence. Option D is wrong because GetObject permission is irrelevant to PutObject; each action is evaluated independently, and the explicit deny for PutObject still applies.

330
MCQeasy

Refer to the exhibit. An analyst sees these logs and is concerned about a potential attack. What is the most likely scenario?

A.Denial of service (DoS)
B.SSH brute force
C.Successful RDP connection
D.Port scan
AnswerC

The full handshake and FIN indicate a normal RDP session to port 3389.

Why this answer

The log shows a successful RDP connection (source IP 10.0.0.5, destination port 3389, with 'Session established' or similar success indicator). RDP is a common target for lateral movement after initial compromise, and a single successful connection from an external IP to an internal host is a strong indicator of an attacker gaining remote access, not a brute force attempt (which would show multiple failures) or a scan (which would show many ports).

Exam trap

The trap here is that candidates see a single connection to a common service and assume it is a brute force or scan, but the key is the 'successful' indicator—brute force attacks show failures, and scans show multiple attempts, not a single established session.

How to eliminate wrong answers

Option A is wrong because a denial of service attack would show a flood of traffic, high packet rates, or resource exhaustion indicators, not a single successful session log. Option B is wrong because an SSH brute force would target port 22, not 3389, and would show numerous failed authentication attempts before any success, not a single established session. Option D is wrong because a port scan would show connection attempts to multiple ports (e.g., SYN packets to a range of ports) from the same source, not a single successful connection to one specific port.

331
MCQeasy

When implementing a digital signature, which key is used to create the signature?

A.Receiver's private key
B.Sender's private key
C.Sender's public key
D.Receiver's public key
AnswerB

The private key is used to sign documents.

Why this answer

In a digital signature scheme, the sender uses their own private key to create the signature. This ensures non-repudiation because only the sender possesses that private key, and the corresponding public key can verify the signature. The process involves encrypting a hash of the message with the sender's private key, as specified in standards like PKCS#1 and RFC 8017.

Exam trap

The trap here is that candidates often confuse the roles of keys in encryption versus signing, mistakenly thinking the receiver's private key or the sender's public key is used to create the signature because they associate 'private' with secrecy and 'public' with sharing, without understanding the specific asymmetric operations required for non-repudiation.

How to eliminate wrong answers

Option A is wrong because the receiver's private key is used for decryption in asymmetric encryption, not for creating a digital signature; using it would allow anyone with the receiver's public key to forge the signature. Option C is wrong because the sender's public key is used to verify the signature, not create it; using it to sign would allow anyone to create a valid signature since the public key is widely known. Option D is wrong because the receiver's public key is used for encrypting messages to the receiver, not for signing; it cannot provide non-repudiation as the sender does not possess the corresponding private key.

332
MCQeasy

After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

A.Lessons learned report
B.Incident response plan
C.Risk register
D.Business impact analysis (BIA)
AnswerA

A lessons learned report captures post-incident details and improvements.

Why this answer

A lessons learned report is a post-incident document that captures what happened during a security incident, including affected assets, the attack vector, and financial impact. It is used to improve future incident response processes and is distinct from operational plans or risk assessments.

Exam trap

ISC2 often tests the distinction between proactive planning documents (incident response plan, BIA) and reactive post-incident reports (lessons learned), leading candidates to confuse the BIA's financial impact analysis with the incident-specific financial impact in the lessons learned report.

How to eliminate wrong answers

Option B is wrong because an incident response plan is a pre-defined set of procedures for detecting, responding to, and recovering from incidents, not a post-incident summary of specific impacts. Option C is wrong because a risk register is a living document that logs identified risks, their likelihood, and mitigation status, not a retrospective report on a single incident. Option D is wrong because a business impact analysis (BIA) identifies critical business functions and their recovery priorities, not the details of a specific security event.

333
MCQmedium

A company's security policy requires that employees must change their passwords every 60 days. However, help desk tickets show that many users are locked out after forgetting their new passwords. Which of the following would BEST balance security and usability?

A.Require users to use a password manager
B.Extend the password change interval to 90 days
C.Disable account lockout after failed attempts
D.Implement single sign-on (SSO) for all applications
AnswerD

SSO reduces password fatigue and thus forgotten passwords.

Why this answer

Single sign-on (SSO) reduces the number of passwords users must remember to one set of credentials, which decreases the likelihood of forgotten passwords and lockouts. By centralizing authentication, SSO allows the organization to enforce a strong password policy (e.g., 60-day rotation) while improving usability, as users only need to manage a single password. This balances security (centralized control, stronger authentication) with usability (fewer password resets).

Exam trap

The trap here is that candidates may choose to extend the password change interval (Option B) thinking it reduces user burden, but the SSCP exam emphasizes that usability improvements must not weaken security controls like password rotation frequency or account lockout policies.

How to eliminate wrong answers

Option A is wrong because requiring a password manager does not reduce the number of passwords users must remember or change; it only stores them, and users may still forget the master password or fail to update stored passwords, leading to continued lockouts. Option B is wrong because extending the password change interval to 90 days reduces security by increasing the window of exposure for compromised credentials, and it does not address the root cause of forgotten passwords (users still have multiple passwords to remember). Option C is wrong because disabling account lockout removes a critical security control that prevents brute-force attacks, violating security policy and increasing risk of unauthorized access.

334
MCQmedium

A security analyst notices unusual outbound traffic from a server in the DMZ to an external IP address on port 4444. The server runs a web application. Which action should the analyst take first?

A.Disconnect the server from the network.
B.Reboot the server to clear any malware.
C.Check the server's running processes and established connections.
D.Block the outbound traffic at the firewall.
AnswerC

This provides immediate visibility into potential compromise without destroying evidence.

Why this answer

Option C is correct because the first step in incident response is to gather forensic evidence and understand the scope of the compromise. Checking running processes and established connections allows the analyst to identify the malicious process, its parent, and the active command-and-control (C2) channel on port 4444, which is commonly associated with reverse shells or backdoor traffic. This data is volatile and must be captured before any disruptive action like disconnection or reboot, which would destroy evidence.

Exam trap

The trap here is that candidates often choose to immediately block or disconnect, confusing containment with the first step of incident response, which must always be evidence preservation and scoping.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network destroys volatile evidence (e.g., active network connections, memory-resident malware) and may alert the attacker, hindering forensic analysis. Option B is wrong because rebooting clears memory-resident malware and volatile forensic data, such as running processes and network connections, making root cause analysis impossible. Option D is wrong because blocking outbound traffic at the firewall without first investigating the source may disrupt the attacker's C2 channel, but it also prevents the analyst from observing the attacker's actions and collecting evidence; it should be done only after evidence is preserved.

335
MCQmedium

After an incident, the team identifies that the incident was caused by a missing security patch. Which of the following is the MOST effective way to prevent recurrence?

A.Conduct phishing simulations
B.Increase network monitoring
C.Implement a patch management policy
D.Update the incident response plan
AnswerC

A policy ensures patches are applied in a timely manner, preventing recurrence.

Why this answer

A missing security patch indicates a failure in the vulnerability management lifecycle. Implementing a patch management policy ensures that patches are systematically identified, tested, and deployed, directly addressing the root cause. This is the most effective preventive measure because it establishes a recurring process to close known vulnerabilities before they can be exploited.

Exam trap

The trap here is that candidates often confuse reactive measures (monitoring, response plans) with proactive prevention, or they mistakenly think user training (phishing simulations) addresses a technical configuration failure.

How to eliminate wrong answers

Option A is wrong because phishing simulations address social engineering attacks, not missing patches; they test user awareness, not system configuration. Option B is wrong because increasing network monitoring improves detection of ongoing attacks but does not prevent exploitation of unpatched vulnerabilities. Option D is wrong because updating the incident response plan improves future response efficiency but does not prevent the initial cause—the missing patch—from recurring.

336
Multi-Selecteasy

A network administrator is implementing segmentation to limit the spread of malware. Which two technologies can achieve network segmentation? (Choose two.)

Select 2 answers
A.Firewalls
B.VPN
C.NAT
D.Subnetting
E.VLANs
AnswersA, E

Firewalls can segment by controlling traffic between network zones.

Why this answer

Firewalls are correct because they can enforce network segmentation by controlling traffic between network segments based on security policies. By placing firewalls at segment boundaries, administrators can filter traffic using rules that inspect source/destination IP addresses, ports, and application-layer data, thereby limiting the lateral spread of malware.

Exam trap

The trap here is that candidates often confuse subnetting with segmentation, not realizing that subnetting alone provides no traffic filtering or isolation without a firewall or router ACL, and that VPNs are for secure tunneling, not internal network partitioning.

337
MCQeasy

A network administrator implements the firewall rules above. What is the effect of this rulebase?

A.HTTP and HTTPS traffic from all networks is blocked
B.HTTP and HTTPS traffic from the 10.0.0.0/8 network is allowed
C.All traffic from the 10.0.0.0/8 network is blocked
D.The deny rule is redundant because permit rules exist
AnswerB

The permit rules (1 and 2) are listed before the deny rule, so they match first.

Why this answer

Option A is correct because the permit rules come before the deny rule; traffic from the 10.0.0.0/8 network is explicitly denied by Rule 3, but only after being permitted by Rules 1 and 2? Actually, firewall rules are processed top-down; first match applies. So for a web request from 10.0.1.1 to destination port 80, Rule 1 matches and permits it, so the deny rule is not evaluated. Therefore, traffic from the 10.0.0.0/8 network is allowed for HTTP and HTTPS because the permit rules are first.

Option B is wrong because it ignores rule order. Option C is wrong because the rules are not redundant. Option D is wrong because traffic to other ports is implicitly denied (default deny), but the question asks about effect.

338
Multi-Selecteasy

Which TWO protocols are considered insecure and should be replaced with secure alternatives? (Choose two.)

Select 2 answers
A.IPsec
B.Telnet
C.HTTPS
D.SNMPv3
E.FTP
AnswersB, E

Telnet sends data in plaintext.

Why this answer

Telnet (B) is insecure because it transmits all data, including login credentials, in cleartext over TCP port 23. It lacks encryption and authentication mechanisms, making it vulnerable to packet sniffing and man-in-the-middle attacks. Secure alternatives like SSH (port 22) should be used instead.

Exam trap

ISC2 often tests the distinction between secure and insecure versions of protocols, where candidates mistakenly think SNMPv3 or IPsec are insecure because they confuse them with older versions (SNMPv1/v2c) or assume all VPN protocols are vulnerable.

339
MCQeasy

A company wants to ensure that data transmitted between its two branch offices remains confidential. Which cryptographic goal is primarily being addressed?

A.Availability
B.Non-repudiation
C.Integrity
D.Confidentiality
AnswerD

Confidentiality is the goal of keeping data secret, achieved via encryption.

Why this answer

Confidentiality ensures that data is accessible only to authorized parties, typically achieved through encryption. In this scenario, the company wants to prevent unauthorized interception of data between branch offices, which is the core goal of confidentiality. Technologies such as IPsec VPNs or TLS are used to encrypt the data in transit, directly addressing this requirement.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, mistakenly thinking that protecting data from modification also prevents it from being read, but encryption alone does not guarantee integrity unless combined with a MAC or authenticated encryption mode like GCM.

How to eliminate wrong answers

Option A is wrong because availability ensures that systems and data are accessible when needed, often through redundancy or fault tolerance, not by protecting data from eavesdropping. Option B is wrong because non-repudiation provides proof of origin or delivery of data, typically via digital signatures, and does not prevent unauthorized reading of the data. Option C is wrong because integrity ensures that data has not been altered during transit, often using hashing or MACs, but does not protect against unauthorized viewing of the data.

340
MCQmedium

A system administrator receives an alert from the SIEM indicating a possible brute-force attack on a server. The logs show 100 failed logins in 2 minutes from a single source. Which of the following is the best immediate action to verify and respond?

A.Immediately disable the user account that was targeted most
B.Check firewall logs for the source IP and block it in the firewall
C.Reset all user passwords and enable multi-factor authentication
D.Ignore the alert because it is likely a false positive
AnswerB

This confirms the attack and stops it at network perimeter.

Why this answer

Option B is correct because the immediate priority is to stop the ongoing attack by blocking the source IP at the firewall. Checking firewall logs confirms the source IP and ensures the block is applied to the correct address, preventing further authentication attempts. This aligns with the principle of containment before remediation in incident response.

Exam trap

The trap here is that candidates confuse immediate containment (blocking the source IP) with long-term remediation (resetting passwords or disabling accounts), leading them to choose a reactive user-focused action instead of a network-level control to stop the attack in progress.

How to eliminate wrong answers

Option A is wrong because disabling the targeted user account does not stop the brute-force attack; the attacker can simply target another account or continue with different usernames, and it may disrupt legitimate user access without addressing the source. Option C is wrong because resetting all passwords and enabling MFA is a long-term remediation step, not an immediate action; it is premature without first verifying the attack and containing it, and it could cause widespread disruption. Option D is wrong because ignoring the alert assumes a false positive without verification; 100 failed logins in 2 minutes from a single source is a strong indicator of a brute-force attack and requires investigation, not dismissal.

341
Multi-Selecthard

Which THREE of the following are appropriate techniques for securely disposing of magnetic hard disk drives that contain sensitive data? (Choose three.)

Select 3 answers
A.Low-level format
B.Shredding
C.Quick format
D.Overwriting with random patterns
E.Degaussing
AnswersB, D, E

Physical destruction renders the drive unreadable.

Why this answer

Shredding (B) physically destroys the platters, making data recovery impossible regardless of the magnetic state. This is a definitive disposal method for sensitive data on magnetic hard disk drives.

Exam trap

The trap here is that candidates often confuse 'low-level format' or 'quick format' with secure erasure, not realizing these methods leave recoverable data on the platters.

342
Multi-Selectmedium

Which TWO of the following are characteristics of a Mandatory Access Control (MAC) system?

Select 2 answers
A.Access decisions are based on security labels.
B.Access is determined by the owner of the object.
C.It uses roles to assign permissions.
D.Users can change permissions on their own objects.
E.It is commonly used in military environments.
AnswersA, E

MAC relies on labels assigned to subjects and objects to determine access.

Why this answer

Option A is correct because Mandatory Access Control (MAC) systems use security labels (e.g., classifications like Top Secret, Secret, Confidential) attached to subjects and objects. The operating system or reference monitor enforces access decisions based on these labels and a set of rules (e.g., the Bell-LaPadula model's simple security property and *-property), not at the discretion of users or owners. This ensures that access is determined by a central policy, typically implemented via labels in systems like SELinux or Trusted Solaris.

Exam trap

The trap here is that candidates often confuse MAC with DAC or RBAC, mistakenly thinking that owners or roles can override label-based policies, when in fact MAC strictly enforces system-wide rules that neither users nor owners can modify.

343
MCQmedium

A company experiences a security breach where an attacker gained access to the network through a compromised vendor account. Which of the following controls would have BEST prevented this attack?

A.Install a network-based intrusion detection system.
B.Require vendors to sign an NDA.
C.Create a separate VLAN for vendor access.
D.Enable multi-factor authentication for vendor accounts.
AnswerD

MFA makes it harder for attackers to use stolen credentials.

Why this answer

Multi-factor authentication (MFA) for vendor accounts is the best preventive control because it adds an additional layer of security beyond just a password. Even if the attacker compromises the vendor's credentials, MFA requires a second factor (e.g., a one-time code from a token or biometric) to authenticate, effectively blocking unauthorized access. This directly addresses the attack vector of credential theft, which was the root cause of the breach.

Exam trap

The trap here is that candidates often confuse network segmentation (VLANs) with access control, mistakenly believing that isolating vendor traffic on a separate VLAN prevents credential-based attacks, when in fact VLANs do not authenticate users or validate the legitimacy of the account being used.

How to eliminate wrong answers

Option A is wrong because a network-based intrusion detection system (NIDS) is a detective control that monitors traffic for suspicious patterns after the attack has begun, not a preventive control that stops initial access via compromised credentials. Option B is wrong because a non-disclosure agreement (NDA) is a legal contract that addresses confidentiality after access is granted, not a technical control that prevents unauthorized access through a compromised account. Option C is wrong because creating a separate VLAN for vendor access segments network traffic but does not prevent an attacker from using stolen credentials to authenticate into that VLAN; VLANs provide network isolation, not authentication security.

344
MCQmedium

You are a security analyst at a financial institution. The company uses a role-based access control (RBAC) system for its internal banking application. Recently, the compliance team discovered that a teller, who should only have access to customer account information for their branch, was able to view account details for customers in other branches. The RBAC system assigns roles based on job titles. You review the configuration and find that the 'Teller' role has a permission that allows viewing all customer accounts, regardless of branch. The company wants to enforce branch-level restrictions. Which of the following is the best approach to address this issue?

A.Implement attribute-based access control (ABAC) to incorporate branch location as an attribute.
B.Use mandatory access control (MAC) with labels for each customer account.
C.Create separate roles for each branch, such as 'Teller_Branch1', 'Teller_Branch2', etc.
D.Modify the 'Teller' role to remove the permission to view all accounts.
AnswerA

ABAC adds context like branch to RBAC, providing necessary restrictions.

Why this answer

Adding an attribute for branch location and using ABAC in conjunction with RBAC allows fine-grained control. Option A is correct. B would create many roles, C is not granular, and D is not relevant.

345
Drag & Dropmedium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

346
Multi-Selecthard

Which TWO of the following are key indicators of a potential data exfiltration attempt?

Select 2 answers
A.Large number of failed login attempts from multiple accounts
B.Unusual outbound traffic to a known malicious IP address
C.Multiple firewall rule changes in a short period
D.Successful logins from unusual geolocations for multiple users
E.Sudden increase in database read operations by a single user account
AnswersB, E

This is a direct indicator of data being sent to an external threat actor.

Why this answer

Unusual outbound traffic to a known bad IP (A) and a sudden increase in database read operations from a single user (D) are both strong indicators of data exfiltration. Failed logins (B) and unusual geolocations (C) are more indicative of credential abuse or lateral movement, while firewall rule changes (E) could be part of normal administration or a precursor to exfiltration but are not direct indicators.

347
Multi-Selectmedium

Which THREE activities are part of the post-incident phase?

Select 3 answers
A.Lessons learned meeting
B.Conduct root cause analysis
C.Notify affected customers
D.Reimage infected computers
E.Update incident response plan
AnswersA, B, E

Post-incident review includes identifying improvements.

Why this answer

Options A, B, and D are correct. Lessons learned meetings, updating the IR plan, and conducting root cause analysis are post-incident activities. Reimaging is eradication, and notifying customers is part of response, though post-incident review may include notification timing.

348
Multi-Selecthard

Which THREE of the following are characteristics of a stateful firewall?

Select 3 answers
A.Is generally slower than a stateless firewall
B.Maintains a state table of active connections
C.Can make decisions based on traffic patterns
D.Operates only at the network layer (Layer 3)
E.Performs deep packet inspection (DPI)
AnswersA, B, C

Stateful inspection requires more processing.

Why this answer

Stateful firewalls maintain a state table that tracks the state of active connections, allowing them to make decisions based on the context of traffic patterns, such as the TCP three-way handshake. This additional processing overhead generally makes them slower than stateless firewalls, which only inspect packet headers individually without connection tracking.

Exam trap

ISC2 often tests the misconception that stateful firewalls perform deep packet inspection, but DPI is a separate capability of NGFWs, while stateful firewalls focus on session-layer tracking.

349
Multi-Selecteasy

Which TWO of the following are best practices for securing a wireless network? (Choose two.)

Select 2 answers
A.Disable SSID broadcast
B.Set a short, simple pre-shared key for convenience
C.Use WEP encryption
D.Enable MAC address filtering
E.Use WPA3 encryption
AnswersA, E

Hiding SSID reduces visibility to casual scanners.

Why this answer

Disabling SSID broadcast prevents the access point from including the network name in beacon frames, making the network less visible to casual scanning tools. However, it is not a security measure because the SSID is still transmitted in probe requests and responses, and can be easily discovered using packet capture tools like Wireshark or airodump-ng. It is considered a best practice only as a minor obscurity layer, not a replacement for strong encryption.

Exam trap

ISC2 often tests the misconception that disabling SSID broadcast is a strong security measure, when in reality it is only a minor obscurity technique that does not prevent determined attackers from discovering the network.

350
Multi-Selectmedium

Which TWO of the following are key components of a Business Impact Analysis (BIA)?

Select 2 answers
A.Recovery time objective.
B.Vulnerability assessment.
C.Criticality analysis.
D.Likelihood estimation.
E.Threat modeling.
AnswersA, C

RTO specifies the maximum acceptable downtime for a process.

Why this answer

A Recovery Time Objective (RTO) is a key component of a Business Impact Analysis (BIA) because it defines the maximum acceptable downtime for a business process or system after a disruption. The BIA identifies critical functions and their dependencies, and RTO is derived from the financial and operational impact of downtime, directly informing recovery strategy and resource allocation.

Exam trap

ISC2 often tests the distinction between BIA components (RTO, criticality analysis) and risk assessment components (vulnerability assessment, likelihood, threat modeling), causing candidates to conflate impact analysis with risk analysis.

351
MCQmedium

A security analyst reviews a cryptographic implementation and notices that the same initialization vector (IV) is used repeatedly with the same key in CBC mode. What is the primary risk?

A.Loss of confidentiality
B.Loss of authentication
C.Non-repudiation is compromised
D.Loss of integrity
AnswerA

IV reuse can lead to identical ciphertext blocks for identical plaintext, revealing patterns.

Why this answer

In CBC (Cipher Block Chaining) mode, the initialization vector (IV) is XORed with the first plaintext block before encryption. Reusing the same IV with the same key means that identical plaintext blocks will produce identical ciphertext blocks, revealing patterns in the data. This directly breaks confidentiality, as an attacker can detect repeated plaintext segments, infer message structure, or even recover plaintext through known-plaintext attacks.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity or authentication, mistakenly thinking IV reuse primarily enables data tampering (integrity) or impersonation (authentication), when in fact the core cryptographic weakness is the exposure of plaintext patterns, directly violating confidentiality.

How to eliminate wrong answers

Option B is wrong because loss of authentication refers to the inability to verify the origin or identity of the sender, which is not directly caused by IV reuse; CBC mode does not provide authentication by itself (that requires a MAC). Option C is wrong because non-repudiation is a property that prevents a party from denying an action, typically provided by digital signatures, not by CBC mode or IV usage. Option D is wrong because loss of integrity means data has been tampered with undetected; while IV reuse can enable certain attacks (e.g., bit-flipping), the primary and most immediate risk is the exposure of plaintext patterns, i.e., loss of confidentiality.

352
MCQmedium

A company implements a DMZ to host public services. Which of the following is the best practice for securing the DMZ?

A.Allow all traffic from the internet to the DMZ
B.Disable logging on DMZ firewalls
C.Use separate firewall rules for inbound and outbound traffic
D.Place the DMZ behind the internal firewall
E.Use the same subnet for DMZ and internal network
AnswerC

Allows strict control over traffic flows.

Why this answer

Option C is correct because DMZ security relies on strict separation of inbound and outbound traffic rules. Inbound rules should permit only necessary traffic (e.g., HTTP/HTTPS to web servers) from the internet to the DMZ, while outbound rules should restrict DMZ-initiated connections to the internal network, typically allowing only established sessions or specific protocols. This prevents an attacker who compromises a DMZ host from using it as a pivot to access internal resources.

Exam trap

The trap here is that candidates often confuse the DMZ's placement (thinking it should be behind the internal firewall for extra protection) with the need for separate rule sets, but the correct placement is between two firewalls (or a single firewall with three interfaces) with distinct inbound and outbound rules to enforce isolation.

How to eliminate wrong answers

Option A is wrong because allowing all traffic from the internet to the DMZ defeats the purpose of a DMZ, which is to expose only specific services while blocking all other traffic. Option B is wrong because disabling logging on DMZ firewalls eliminates the ability to detect and investigate security incidents, violating fundamental security monitoring practices. Option D is wrong because placing the DMZ behind the internal firewall would expose the internal network to direct internet traffic if the DMZ is compromised, negating the isolation a DMZ provides.

Option E is wrong because using the same subnet for DMZ and internal network removes network segmentation, allowing broadcast traffic and potential lateral movement between zones.

353
MCQhard

An organization is implementing a jump server architecture for managing critical servers. Which additional control BEST reduces the risk of lateral movement if the jump server is compromised?

A.Enable verbose logging on all target servers.
B.Require multi-factor authentication for all jump server logins.
C.Implement SSH key-based authentication with agent forwarding restricted to specific target hosts.
D.Use a separate VLAN for management traffic.
AnswerC

Restricts which hosts can be accessed from the jump server, reducing lateral movement.

Why this answer

Option C is correct because restricting SSH agent forwarding to specific target hosts prevents an attacker who compromises the jump server from using forwarded credentials to authenticate to arbitrary internal systems. This containment limits lateral movement by ensuring that even if the jump server is breached, the attacker cannot reuse SSH keys to pivot to non-approved targets.

Exam trap

The trap here is that candidates often choose multi-factor authentication (Option B) thinking it prevents all post-compromise risks, but MFA only protects the initial login, not lateral movement after the jump server is already compromised.

How to eliminate wrong answers

Option A is wrong because verbose logging on target servers is a detective control that records activity after the fact; it does not prevent an attacker from moving laterally from a compromised jump server. Option B is wrong because multi-factor authentication for jump server logins protects the initial access to the jump server but does not restrict lateral movement once an attacker has already compromised that server. Option D is wrong because a separate VLAN for management traffic segments network traffic but does not prevent an attacker who already controls the jump server from using its SSH agent or credentials to reach other hosts within that VLAN.

354
MCQeasy

A small business uses a wireless network for employees and guests. The network uses WPA2-PSK with a single SSID, and the guest network is separate but broadcasts the same SSID. Recently, employees report intermittent connection drops and slow internet speeds. A site survey shows multiple access points from neighboring businesses operating on channels 1, 6, and 11. The business's access points are set to auto-channel selection. What is the most likely cause of the issue?

A.RADIUS server misconfiguration
B.Rogue access point
C.Channel interference due to overlapping channels
D.Weak PSK passphrase
AnswerC

Auto-channel selection often leads to channel overlap with neighboring networks, causing interference and performance degradation.

Why this answer

The correct answer is C. With multiple neighboring access points operating on channels 1, 6, and 11, and the business's access points set to auto-channel selection, the most likely cause is channel interference. Auto-channel selection may not dynamically avoid co-channel or adjacent-channel overlap, leading to contention, retransmissions, and degraded performance.

The separate guest network broadcasting the same SSID can also cause client confusion and increased collisions.

Exam trap

The trap here is that candidates may confuse WPA2-PSK with WPA2-Enterprise and assume a RADIUS misconfiguration is involved, or they may overlook that auto-channel selection does not dynamically mitigate interference from neighboring APs on the same non-overlapping channels.

How to eliminate wrong answers

Option A is wrong because RADIUS server misconfiguration is irrelevant to WPA2-PSK, which uses a pre-shared key for authentication, not 802.1X/EAP; RADIUS is only used in WPA2-Enterprise mode. Option B is wrong because a rogue access point would typically present a different SSID or security configuration, and the symptoms of intermittent drops and slow speeds are more consistent with channel congestion than an unauthorized device; a rogue AP would more likely cause authentication failures or security alerts. Option D is wrong because a weak PSK passphrase does not cause intermittent connection drops or slow speeds; it would either allow connection (if correct) or prevent it (if incorrect), and performance issues are unrelated to passphrase strength.

355
MCQhard

Based on the TLS connection output, what is a potential security vulnerability?

A.The certificate has expired
B.The key exchange is ephemeral, reducing security
C.The cipher suite uses AES-128, which is too weak
D.The certificate uses SHA-1 for the signature algorithm
AnswerD

SHA-1 is deprecated due to collision attacks.

Why this answer

The signature algorithm sha1WithRSAEncryption is deprecated for certificates; SHA-1 is weak and should not be used. Options A, B, D are incorrect: the certificate is not expired (no date shown), AES-128 is acceptable, and ECDHE provides forward secrecy.

356
MCQeasy

An organization is migrating its on-premises applications to a cloud provider. Which of the following security controls should be implemented to protect data at rest in the cloud?

A.Implement multi-factor authentication for all users.
B.Configure network segmentation using VPCs.
C.Use access keys for API authentication.
D.Enable CloudTrail or equivalent audit logging.
E.Enable server-side encryption on storage services.
AnswerE

Server-side encryption encrypts data at rest automatically.

Why this answer

Option B is correct because enabling server-side encryption (SSE) ensures data is encrypted when stored by the cloud provider. Option A (network segmentation) protects in transit; C (access keys) are for authentication; D (MFA) is for user identity; E (audit logs) are detective.

357
MCQhard

A healthcare organization stores patient records in a database that is encrypted at rest using AES-256-CBC. The encryption key is stored in a plaintext configuration file on the database server, with file permissions set to read-only for the database service account and administrators. During an internal audit, the security team flags this as a critical vulnerability because the key is co-located with the encrypted data. The system administrator argues that the file permissions are sufficient to prevent unauthorized access. Separately, the organization must comply with HIPAA requirements for encryption key management. Which remediation most effectively addresses the vulnerability and meets compliance requirements?

A.Change the encryption algorithm from AES-256-CBC to AES-256-GCM.
B.Implement file integrity monitoring (FIM) on the configuration file to alert on unauthorized access.
C.Move the encryption key to a hardware security module (HSM) accessible only via authenticated API calls.
D.Encrypt the configuration file containing the key with a second AES-256 key stored in the same directory.
AnswerC

An HSM provides tamper-resistant key storage and meets compliance requirements.

Why this answer

Option C is correct because moving the encryption key to a hardware security module (HSM) physically separates the key from the encrypted data, eliminating the co-location vulnerability. HSMs provide tamper-resistant key storage and enforce access controls via authenticated API calls, which aligns with HIPAA requirements for proper key management and protection of electronic protected health information (ePHI).

Exam trap

The trap here is that candidates often confuse encryption algorithm improvements (like GCM) or monitoring controls (like FIM) with proper key management, failing to recognize that co-location of the key with the data is the core vulnerability that must be addressed by physical or logical separation.

How to eliminate wrong answers

Option A is wrong because changing the cipher mode from CBC to GCM addresses data integrity and authentication, not the fundamental issue of key storage co-location or access control. Option B is wrong because file integrity monitoring (FIM) only detects unauthorized access or changes after the fact; it does not prevent an attacker who gains access to the server from reading the plaintext key from the configuration file. Option D is wrong because encrypting the configuration file with a second key stored in the same directory merely adds a layer of obfuscation; the second key remains co-located and accessible, so an attacker who compromises the server can retrieve both keys.

358
MCQmedium

A healthcare organization is implementing an access control system to ensure that employees can only access patient records necessary for their job functions. Which model best enforces this principle?

A.Role-Based Access Control (RBAC)
B.Rule-Based Access Control (RuBAC)
C.Discretionary Access Control (DAC)
D.Mandatory Access Control (MAC)
AnswerA

RBAC assigns permissions to roles based on job functions, and users are assigned to roles, effectively enforcing least privilege.

Why this answer

Role-Based Access Control (RBAC) is the correct model because it assigns permissions based on job roles, ensuring employees only access patient records necessary for their duties. In healthcare, RBAC aligns with the principle of least privilege by mapping roles (e.g., nurse, doctor, billing) to specific data access, as defined in standards like NIST SP 800-53. This directly enforces the requirement that access is tied to job functions, not individual discretion or system-wide rules.

Exam trap

ISC2 often tests the distinction between RBAC and Rule-Based Access Control, where candidates mistakenly choose RuBAC because they confuse 'rules' with 'roles,' not realizing RuBAC applies static conditions to all users rather than dynamic role assignments.

How to eliminate wrong answers

Option B (Rule-Based Access Control) is wrong because it uses global rules (e.g., time-of-day or IP-based conditions) applied uniformly to all users, not role-specific job functions, making it too coarse for granular patient record access. Option C (Discretionary Access Control) is wrong because it allows data owners to grant access at their discretion, violating the mandatory job-function restriction and risking unauthorized sharing of patient records. Option D (Mandatory Access Control) is wrong because it enforces system-wide labels (e.g., classification levels like 'Confidential') rather than job roles, which is overly rigid and does not map to specific healthcare job functions.

359
MCQmedium

Based on the exhibit, what is the most likely cause of the web application outage?

A.Network connectivity issue between web and DB
B.Application pool memory leak
C.SQL Server service is down
D.Database server disk failure
AnswerC

The 'Connection refused' error on port 1433 indicates the SQL Server is not listening or is down.

Why this answer

The exhibit shows that the web application is returning HTTP 500 errors, which typically indicate a server-side issue. Since the web server can connect to the database server (as shown by the successful ping), but the application fails, the most likely cause is that the SQL Server service is down, preventing the application from executing queries. This aligns with the correct answer C.

Exam trap

The trap here is that candidates assume a successful ping implies full database availability, but ping only tests network layer connectivity, not the application layer service (SQL Server).

How to eliminate wrong answers

Option A is wrong because the exhibit shows a successful ping from the web server to the database server, indicating network connectivity is intact. Option B is wrong because a memory leak in the application pool would cause gradual performance degradation or application crashes, not an immediate HTTP 500 error with successful network connectivity. Option D is wrong because a disk failure would likely cause SQL Server to log errors or fail to start, but the exhibit does not show disk-related symptoms; the immediate cause is the SQL Server service being down, not the underlying storage.

360
MCQeasy

After containing a malware outbreak, the incident response team needs to ensure the malware is completely removed from all systems. Which phase of the incident response process is this?

A.Post-Incident
B.Eradication
C.Detection
D.Recovery
AnswerB

Eradication involves removing malware and closing vulnerabilities.

Why this answer

The eradication phase is specifically focused on removing the root cause of the incident, such as deleting malware files, registry keys, and disabling malicious services from all affected systems. After containment (which stops the spread), eradication ensures the threat is completely eliminated before recovery begins. This aligns with the NIST SP 800-61 incident response lifecycle, where eradication follows containment and precedes recovery.

Exam trap

The trap here is confusing eradication with recovery, as candidates often think 'removing malware' is part of getting systems back online, but recovery only begins after the threat is fully eradicated to avoid restoring infected data.

How to eliminate wrong answers

Option A is wrong because the post-incident phase occurs after recovery and involves lessons learned, documentation, and forensic analysis, not active removal of malware. Option C is wrong because detection is the initial phase where the incident is identified through alerts or anomalies, not the phase for removing the threat. Option D is wrong because recovery focuses on restoring systems to normal operation (e.g., restoring from clean backups, reconnecting to networks) after the malware has already been eradicated.

361
MCQhard

A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A.$1,000,000
B.$800,000
C.$2,000,000
D.$2,500,000
AnswerA

Correct calculation: SLE = $5M × 0.4 = $2M; ALE = $2M × 0.5 = $1M.

Why this answer

The annualized loss expectancy (ALE) is calculated as single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). SLE is asset value ($5,000,000) times exposure factor (40%) = $2,000,000. Then ALE = $2,000,000 × 0.5 = $1,000,000.

This quantitative risk analysis formula is standard in financial risk assessments for payment systems.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who stop after calculating SLE ($2,000,000) and forget to multiply by the ARO (0.5).

How to eliminate wrong answers

Option B ($800,000) is wrong because it incorrectly multiplies the asset value by the ARO without applying the exposure factor (i.e., $5,000,000 × 0.5 × 0.4? No, it's $5,000,000 × 0.4 × 0.5 = $1,000,000; $800,000 suggests a miscalculation like using 0.4 × 0.5 = 0.2 then $5,000,000 × 0.2 = $1,000,000? Actually $800,000 would come from $5,000,000 × 0.4 × 0.4 or similar error). Option C ($2,000,000) is wrong because it represents the SLE only (asset value × exposure factor) and fails to multiply by the ARO of 0.5. Option D ($2,500,000) is wrong because it incorrectly multiplies the asset value by the ARO only ($5,000,000 × 0.5) and ignores the exposure factor entirely.

362
Matchingmedium

Match each access control model to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Owner sets permissions

System-enforced labels

Roles determine access

Attributes and policies

Why these pairings

These are the four primary access control models.

363
MCQeasy

An administrator wants to ensure that users cannot share passwords. Which control is most effective at reducing the risk of password sharing?

A.Account lockout policies
B.Multifactor authentication
C.Password complexity
D.Password history
AnswerB

MFA requires a second factor that is often physical or biometric, making it difficult to share credentials.

Why this answer

Multifactor authentication (MFA) is the most effective control because it requires users to present two or more distinct factors (e.g., something you know, something you have, something you are) to authenticate. Even if a user shares their password (something you know), an attacker cannot authenticate without the second factor (e.g., a one-time passcode from a hardware token or biometric). This directly reduces the risk of password sharing by making the shared credential insufficient for access.

Exam trap

The trap here is that candidates often choose password complexity or account lockout policies because they associate them with 'stronger security,' but they fail to recognize that these controls do not address the specific threat of voluntary password sharing, which MFA directly mitigates by adding an independent authentication factor.

How to eliminate wrong answers

Option A is wrong because account lockout policies (e.g., locking after 5 failed attempts) are designed to prevent brute-force attacks, not to prevent users from voluntarily sharing their passwords; a shared password still works until the account is locked. Option C is wrong because password complexity (e.g., requiring uppercase, numbers, symbols) only makes passwords harder to guess or crack, but does nothing to stop a user from sharing that complex password with another person. Option D is wrong because password history (e.g., remembering the last 10 passwords) prevents users from reusing old passwords, but it has no effect on sharing the current password with others.

364
MCQeasy

An organization wants to protect endpoints from ransomware that encrypts files and demands payment. Which control should be implemented FIRST?

A.Deploy email spam filtering
B.Implement application whitelisting
C.Conduct user security awareness training
D.Enable file-level backup to a separate location
AnswerB

Blocks unauthorized executables from running.

Why this answer

Option B is correct because application whitelisting blocks unauthorized executables, including ransomware, from running. Option A is wrong because email filtering can reduce but not block all ransomware delivery. Option C is wrong because user training is important but not a technical control that immediately prevents execution.

Option D is wrong because backups help recovery but do not prevent infection.

365
MCQmedium

A new employee needs access to the CRM, email, and file servers. The security policy requires that access privileges are granted based on job function. Which process should be used?

A.The employee completes a request form detailing the access they need
B.The IT department grants full access to all systems and later reviews
C.The identity management team assigns the employee to a role that includes the necessary permissions
D.The employee's supervisor decides which access is appropriate and informs IT
AnswerC

Role-based access control aligns with job functions.

Why this answer

Option C is correct because role-based access control (RBAC) assigns permissions based on job functions, not individual requests or ad-hoc approvals. By placing the employee into a predefined role (e.g., 'Sales Rep'), the identity management team ensures that the CRM, email, and file server permissions are granted consistently and in compliance with the security policy. This process enforces the principle of least privilege and simplifies auditing.

Exam trap

The trap here is that candidates often choose the supervisor's approval (Option D) because it seems logical, but the SSCP exam emphasizes automated role-based assignment over manual approval to enforce consistent, policy-driven access control.

How to eliminate wrong answers

Option A is wrong because allowing the employee to self-select access needs violates the principle of least privilege and bypasses the job-function-based policy; it introduces risk of over-provisioning. Option B is wrong because granting full access upfront and reviewing later is a 'trust but verify' model that contradicts the security policy's requirement to grant access based on job function, and it creates a window of excessive privilege. Option D is wrong because while the supervisor may understand the role, the decision should be automated through role assignment rather than relying on a manual, subjective decision that could lead to inconsistent or excessive permissions.

366
MCQeasy

During an incident, the IR team needs to collect volatile data. Which order should they follow?

A.Hard disk, memory, network connections, running processes
B.Network connections, running processes, memory, hard disk
C.Running processes, memory, network connections, hard disk
D.Memory, running processes, network connections, hard disk
AnswerD

Memory is the most volatile and should be captured first.

Why this answer

Option D is correct because volatile data must be collected in order of decreasing volatility to minimize data loss. Memory (RAM) is the most volatile, followed by running processes, network connections, and finally the hard disk, which is non-volatile. This order ensures that transient evidence (e.g., encryption keys, active network sessions) is captured before it disappears.

Exam trap

ISC2 often tests the order of volatility (OOV) principle, and the trap here is that candidates mistakenly think running processes are more volatile than memory, or they confuse the order by prioritizing network connections over process state.

How to eliminate wrong answers

Option A is wrong because it starts with the hard disk, which is non-volatile, and delays collection of memory and network connections, risking loss of critical transient data. Option B is wrong because it places network connections before running processes and memory, but network connections depend on process state and can change rapidly; memory should be captured first to preserve process artifacts. Option C is wrong because it lists running processes before memory, but memory contains the actual process data (e.g., code, variables) that must be captured before processes are terminated or altered.

367
MCQmedium

Which access control mechanism most likely failed to prevent this unauthorized privilege escalation?

A.Sudoers configuration
B.Account lockout policy
C.Password policy
D.SELinux
AnswerB

An account lockout policy would have locked the account after a threshold of failed attempts, preventing the eventual successful login.

Why this answer

An account lockout policy is designed to prevent brute-force attacks by locking an account after a specified number of failed login attempts. In the context of unauthorized privilege escalation, a lockout policy would not prevent a user who already has valid credentials from escalating privileges through other means, such as exploiting a misconfigured sudoers file or a kernel vulnerability. Therefore, the failure of the account lockout policy is the most likely mechanism that allowed the escalation, as it does not control what an authenticated user can do after login.

Exam trap

ISC2 often tests the misconception that account lockout policies are a catch-all defense against unauthorized access, when in fact they only prevent brute-force login attempts and do not control actions taken by an already authenticated user.

How to eliminate wrong answers

Option A is wrong because the sudoers configuration directly controls which users can execute commands with elevated privileges; if it were misconfigured (e.g., allowing a user to run all commands as root without a password), it could be the mechanism that failed, but the question asks which mechanism most likely failed to prevent the escalation, and a lockout policy is unrelated to post-authentication privilege escalation. Option C is wrong because a password policy (e.g., complexity, length, history) only affects the strength of user passwords and does not prevent an authorized user from escalating privileges after successful authentication. Option D is wrong because SELinux is a mandatory access control (MAC) system that enforces security policies at the kernel level, and while it can limit privilege escalation, its failure would be due to misconfiguration or being in permissive mode, not because of a lockout policy; the lockout policy is the least relevant to the escalation event.

368
MCQhard

A helpdesk ticket reports that users can browse internal web servers but cannot access external websites. The IT team checks firewall logs and sees dropped packets with the DF flag set. What is the most likely cause?

A.The firewall is blocking outbound TCP port 80 and 443.
B.A firewall is blocking ICMP 'fragmentation needed' messages, preventing Path MTU Discovery.
C.The DNS server is not resolving external domain names.
D.The switch port connecting the firewall is set to the wrong VLAN.
AnswerB

This is a classic problem where DF packets are dropped because the firewall blocks ICMP type 3 code 4 messages.

Why this answer

The DF (Don't Fragment) flag being set in dropped packets indicates that packets are too large to traverse a network path without fragmentation, but the firewall is blocking the ICMP 'fragmentation needed' (Type 3, Code 4) messages. Without these ICMP messages, Path MTU Discovery (PMTUD) fails, causing the sending host to believe the packet was delivered when it was actually dropped. This prevents external websites from loading while internal servers (likely on the same MTU-friendly network) remain accessible.

Exam trap

The trap here is that candidates often assume the DF flag indicates a firewall rule explicitly blocking fragmented packets, rather than recognizing it as a symptom of missing ICMP feedback in the PMTUD process.

How to eliminate wrong answers

Option A is wrong because blocking outbound TCP ports 80 and 443 would prevent all HTTP/HTTPS traffic, not just external websites, and the DF flag behavior is unrelated to port blocking. Option C is wrong because DNS resolution failure would prevent name resolution for both internal and external sites, but users can browse internal web servers, indicating DNS is working. Option D is wrong because a wrong VLAN on the switch port would cause complete connectivity loss to the firewall, not selective dropping of packets with the DF flag.

369
Multi-Selecthard

Which THREE of the following are common methods for implementing multifactor authentication (MFA)?

Select 3 answers
A.Retina scan and facial recognition
B.Password and SMS code
C.Smart card and PIN
D.Password and security question
E.Fingerprint and smart card
AnswersB, C, E

Something you know (password) + something you have (phone for SMS).

Why this answer

Option B is correct because it combines something you know (password) with something you have (SMS code sent to a registered device). This satisfies the MFA requirement of using at least two distinct authentication factors, making it significantly more secure than single-factor password-only authentication.

Exam trap

ISC2 often tests the distinction between using multiple instances of the same factor (e.g., two biometrics or two passwords) versus using factors from different categories, which is the core requirement for true MFA.

370
MCQmedium

You work for a hospital that has recently transitioned to an electronic health record (EHR) system. The system stores protected health information (PHI) and must comply with HIPAA. The hospital's security policy requires that all access to PHI be logged and that any unauthorized access be detected promptly. The IT department has implemented logging on the EHR system, but the security team is overwhelmed by the volume of logs and cannot review them in a timely manner. Additionally, there have been incidents where employees accessed patient records without a legitimate need, but these were only discovered months later during random audits. The hospital needs to improve its detection capabilities. Which of the following is the most effective solution?

A.Deploy a Security Information and Event Management (SIEM) system with automated alerting.
B.Retain logs for a longer period to allow more thorough audits.
C.Assign additional staff to manually review logs on a daily basis.
D.Increase the verbosity of logging to capture more details.
AnswerA

SIEM aggregates logs, detects anomalies, and alerts in real time, improving detection.

Why this answer

A SIEM system aggregates logs from the EHR system and applies correlation rules to detect patterns indicative of unauthorized access, such as an employee viewing records outside their department or during off-hours. It generates real-time alerts, enabling the security team to respond promptly rather than relying on manual log review. This directly addresses the problem of being overwhelmed by log volume and delayed detection.

Exam trap

The trap here is that candidates may think increasing log verbosity or retention improves detection, but without automated analysis, more data only worsens the signal-to-noise ratio and delays incident discovery.

How to eliminate wrong answers

Option B is wrong because retaining logs for a longer period does not improve detection speed; it only preserves evidence for later audits, which still occur months after the incident. Option C is wrong because assigning additional staff to manually review logs is not scalable and would still be overwhelmed by the high volume of logs, leading to delayed or missed detections. Option D is wrong because increasing log verbosity would generate even more log data, exacerbating the existing problem of log overload without providing automated analysis or alerting.

371
MCQeasy

A security analyst is reviewing logs and finds multiple failed login attempts from an external IP address followed by a successful login. Which type of attack is most likely occurring?

A.Password spraying
B.Brute force attack
C.Credential stuffing
D.Social engineering
AnswerB

Multiple attempts from a single source indicate brute force.

Why this answer

A brute force attack involves systematically trying all possible password combinations until the correct one is found. The log pattern of multiple failed attempts from a single external IP followed by a success is the classic signature of a brute force attack, as the attacker iterates through a password list or character space against the same username.

Exam trap

The trap here is that candidates confuse 'brute force' with 'credential stuffing' because both involve multiple login attempts, but credential stuffing uses known breached credentials (often from different IPs) and shows a higher initial success rate, whereas brute force targets a single account with many guesses from one IP.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a small set of common passwords against many usernames, not multiple failed attempts from a single IP against one account. Option C is wrong because credential stuffing uses previously breached username/password pairs from other services, which would typically show a high success rate or rapid failures, not a long sequence of failures from one IP. Option D is wrong because social engineering relies on manipulating users (e.g., phishing or pretexting) to reveal credentials, not on automated login attempts visible in logs.

372
MCQeasy

A security analyst is reviewing the access control policy and notices that some users have been granted 'write' access to a directory that contains sensitive financial reports. Which principle of information security is being violated?

A.Non-repudiation
B.Least privilege
C.Availability
D.Confidentiality
AnswerB

Granting more access than needed violates least privilege.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. Granting 'write' access to a directory containing sensitive financial reports to users who do not require that level of access violates this principle, as it introduces unnecessary risk of unauthorized modification or data leakage.

Exam trap

The trap here is that candidates may confuse the violation of least privilege with a breach of confidentiality, but the question specifically highlights the granting of unnecessary write permissions, which is a direct violation of the least privilege principle, not merely a confidentiality issue.

How to eliminate wrong answers

Option A is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures or audit logs, and is not directly related to the level of access granted. Option C is wrong because availability ensures that systems and data are accessible when needed, often addressed through redundancy and fault tolerance, not by restricting write permissions. Option D is wrong because confidentiality protects data from unauthorized disclosure, which is a concern here, but the specific violation described is the granting of excessive permissions (write access) rather than the exposure of data itself; the core principle being violated is least privilege, not confidentiality.

373
MCQeasy

An organization uses role-based access control (RBAC). An employee transfers from the Sales department to the Marketing department. What is the most secure way to update the employee's access?

A.Remove the Sales role and then add the Marketing role
B.Add the Marketing role and remove the Sales role after 30 days
C.Modify the Sales role to include Marketing permissions
D.Create a new custom role with combined permissions
AnswerA

This ensures no overlapping permissions.

Why this answer

In RBAC, access is determined by the roles assigned to a user. The most secure method is to remove the old role (Sales) first to eliminate any residual permissions, then add the new role (Marketing). This ensures the employee does not retain access to Sales resources during the transition, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates may think adding the new role first ensures continuity of access, but the most secure approach is to remove the old role first to prevent any period of dual access.

How to eliminate wrong answers

Option B is wrong because adding the Marketing role before removing the Sales role creates a 30-day window where the employee has permissions from both departments, violating least privilege and increasing the risk of unauthorized access. Option C is wrong because modifying the Sales role to include Marketing permissions would grant those permissions to all Sales users, not just the transferring employee, leading to privilege creep and potential data leakage. Option D is wrong because creating a new custom role with combined permissions is unnecessary and inefficient; it complicates role management and may inadvertently grant the employee access to both departments' resources if the Sales role is not removed.

374
Multi-Selecthard

Which THREE of the following are essential elements of an effective incident response plan? (Choose three.)

Select 3 answers
A.Containment, eradication, and recovery
B.Detection and analysis
C.Public relations and media notification
D.Cyber insurance purchasing
E.Preparation and training
AnswersA, B, E

These steps limit damage, remove threats, and restore operations.

Why this answer

The incident response plan lifecycle, as defined by NIST SP 800-61, includes four core phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Options A, B, and E directly map to these essential phases, ensuring the organization can detect an incident, contain it to prevent spread, eradicate the root cause, recover normal operations, and continuously improve through training and preparation.

Exam trap

The trap here is that candidates confuse supporting activities (like PR or insurance) with the mandatory operational phases defined in the NIST incident response lifecycle, leading them to select non-essential business functions instead of the core technical steps.

375
MCQmedium

A company uses role-based access control (RBAC). A user is assigned to the 'Sales' role, which grants access to CRM and reporting, and also to the 'Sales Manager' role, which grants additional access to team reports. However, the user cannot access team reports. What is the most likely cause?

A.An access control list on the report folder explicitly denies the 'Sales' role
B.The user account has been disabled
C.RBAC role hierarchy is not configured
D.The user's session is not properly managed
AnswerC

Without a hierarchy, the user's permissions are the union of both roles; if the system only uses the first role's permissions, team reports are inaccessible.

Why this answer

In RBAC, role hierarchy allows roles to inherit permissions from other roles. Without a configured hierarchy, the 'Sales Manager' role does not automatically inherit permissions from the 'Sales' role, and the user may not have direct permission to access team reports if that permission is only assigned to the 'Sales Manager' role but the user's effective permissions are not properly combined. The most likely cause is that the RBAC role hierarchy is not configured, so the user's membership in both roles does not result in the union of their permissions.

Exam trap

The trap here is that candidates assume assigning a user to multiple roles automatically grants the combined permissions of all roles, but without a configured role hierarchy or permission aggregation, the user may only have permissions from the primary role or the system may require explicit inheritance.

How to eliminate wrong answers

Option A is wrong because an explicit deny on the report folder would block access regardless of role membership, but the scenario states the user cannot access team reports despite being assigned the 'Sales Manager' role, which suggests the issue is with permission inheritance, not an explicit deny. Option B is wrong because if the user account were disabled, the user would not be able to access any resources, not just team reports, and the question implies the user can access CRM and reporting. Option D is wrong because session management issues would typically cause authentication or authorization failures across all resources, not a specific permission problem with team reports, and RBAC permissions are evaluated at the time of access request, not tied to session state.

Page 4

Page 5 of 7

Page 6

All pages