Systems Security Certified Practitioner (SSCP) — Questions 376–450

504 questions total · 7 pages · All types, answers revealed

Page 6 of 7

376
Multi-Select · medium

Which TWO of the following are functions of a network firewall?

Select 2 answers
A. Resolving domain names to IP addresses
B. Filtering traffic based on IP addresses and ports
C. Performing Network Address Translation (NAT)
D. Encrypting data at rest
E. Assigning IP addresses to hosts
Answers: B, C

Core function of a firewall.

Why this answer

Option B is correct because a network firewall's primary function is to enforce access control policies by filtering traffic based on Layer 3 (IP addresses) and Layer 4 (ports) information. This stateless or stateful inspection allows the firewall to permit or deny packets according to rules, such as allowing HTTP traffic (TCP port 80) from a specific source IP. This is a core security mechanism to segment networks and block unauthorized access.

Exam trap

The trap here is that candidates confuse optional features (like NAT or DHCP) with core firewall functions, or they mistake DNS resolution for a firewall capability, when the SSCP exam expects you to know that filtering based on IP/port is the fundamental purpose.

377
MCQ · medium

After a ransomware attack, the recovery team must restore encrypted files from backups. The backups are stored on a separate network segment and were last verified three days ago. What should the team do FIRST?

A. Disconnect the infected systems from the network.
B. Verify the integrity and cleanliness of the backup.
C. Contact law enforcement.
D. Restore all files from the most recent backup.
Answer: B

Ensuring backup is clean prevents re-infection.

Why this answer

Before restoring, ensure the backup system is not compromised. Option B is correct. Option D may restore malware along with the data; Option C is premature; Option A is not the first step at this stage.

378
MCQ · medium

A company's VPN logs show that a user's account authenticated from two different geographic locations within a span of 10 minutes. The distances between locations make physical travel impossible. The security team investigates and finds that the user's password is complex and not shared. What is the MOST likely explanation?

A. The VPN server has a configuration error causing incorrect location logging.
B. The user's session token was stolen and used by an attacker.
C. The user's account is being used by multiple people with permission.
D. The user is using a VPN service to mask their true location.
Answer: B

A stolen session token allows reuse from a different location.

Why this answer

Option B is correct because the session token was most likely stolen and reused from a different location. Option D is wrong; if the user were using a VPN service to mask their location, their connection would show one consistent IP. Option A is wrong; a configuration error would affect multiple users.

Option C is wrong; multiple people using the account would imply password sharing, which the investigation ruled out.

379
Matching · medium

Match each cryptography term to its definition.

Descriptions

Same key for encryption and decryption

Key pair: public and private

One-way function producing fixed output

Ensures authenticity and non-repudiation

Why these pairings

These are fundamental cryptography concepts.

380
MCQ · hard

A network analyst reviews firewall logs and sees multiple SYN packets to various ports from the same external IP in a short time, with no subsequent ACK. What is the most likely cause?

A. Brute force password attack on SSH
B. Distributed denial-of-service (DDoS) attack
C. ICMP ping sweep
D. Port scan using SYN scan technique
Answer: D

SYN scan is a common reconnaissance method.

Why this answer

A SYN scan sends SYN packets to multiple ports; if a port is open, the target responds with SYN-ACK, but the scanner never completes the handshake (no ACK). The absence of ACK packets after the SYN packets indicates the scanner is not establishing connections, which is characteristic of a SYN scan, not a brute force or DDoS attack.

Exam trap

ISC2 often tests the distinction between a SYN scan and a DDoS attack; the trap is that candidates see 'multiple SYN packets' and immediately think 'SYN flood DDoS,' but a SYN flood typically uses spoofed IPs and aims to exhaust resources, whereas a single IP scanning various ports without ACKs indicates reconnaissance.

How to eliminate wrong answers

Option A is wrong because a brute force password attack on SSH would involve repeated SSH connection attempts (complete TCP handshakes) to port 22, not just SYN packets to various ports without ACKs. Option B is wrong because a DDoS attack typically floods with traffic from many sources (distributed) to overwhelm a target, not just a single external IP sending SYN packets to various ports without completing connections. Option C is wrong because an ICMP ping sweep uses ICMP Echo Request packets, not TCP SYN packets, to discover live hosts.
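The distinguishing pattern described above (one source, many destination ports, SYNs never followed by an ACK from that source) can be turned into a detection rule. The Python below is an added example written for this page, not code from the question bank. It parses constructed firewall log lines in a simplified iptables-style key=value format (an assumption; real log formats differ) and flags sources that send SYNs to at least five distinct ports within 60 seconds without ever completing a handshake, while leaving alone a source that repeatedly completes handshakes to port 22 (the brute-force pattern from Option A) and an ICMP probe (Option C).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines. FLAGS lists TCP flags seen on the packet
# from SRC towards DST: S = SYN, A = ACK.
SAMPLE_LOG = """\
2024-03-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21 FLAGS=S
2024-03-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S
2024-03-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23 FLAGS=S
2024-03-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80 FLAGS=S
2024-03-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 FLAGS=S
2024-03-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389 FLAGS=S
2024-03-01T10:00:05 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S
2024-03-01T10:00:05 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=A
2024-03-01T10:00:09 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=S
2024-03-01T10:00:09 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 FLAGS=A
2024-03-01T10:00:12 SRC=192.0.2.55 DST=192.0.2.10 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)"
)


def parse_tcp_events(text):
    """Return (timestamp, src, dst, dport, flags) tuples for TCP lines; other protocols are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]), m["flags"]))
    return events


def detect_syn_scans(events, min_ports=5, window_s=60):
    """Flag sources whose SYNs to many distinct ports are never followed by an ACK from that source."""
    first_syn = defaultdict(dict)  # src -> {dport: time of first SYN}
    acked = defaultdict(set)       # src -> ports where this source later sent an ACK
    for ts, src, dst, dpt, flags in events:
        if "A" in flags:
            acked[src].add(dpt)
        elif "S" in flags:
            first_syn[src].setdefault(dpt, ts)

    findings = []
    for src, ports in first_syn.items():
        half_open = {p: t for p, t in ports.items() if p not in acked[src]}
        if len(half_open) < min_ports:
            continue
        times = sorted(half_open.values())
        span = (times[-1] - times[0]).total_seconds()
        if span <= window_s:
            findings.append({"src": src, "ports": sorted(half_open), "span_s": span})
    return findings


if __name__ == "__main__":
    for f in detect_syn_scans(parse_tcp_events(SAMPLE_LOG)):
        print(f"possible SYN scan from {f['src']}: ports {f['ports']} in {f['span_s']}s")
```

Only 198.51.100.7 is reported. The brute-force source (203.0.113.9) sends an ACK for every SYN, so none of its ports are half-open, and the ICMP line never matches the TCP regex. Thresholds of five ports in sixty seconds are illustrative; tune them to the traffic you actually see.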

381
MCQ · hard

A security analyst is reviewing a script that performs automated backups. The script uses a hardcoded password to connect to the database. What is the most secure alternative?

A. Change the password manually every week.
B. Store the password in an environment variable.
C. Replace the password with SSH key authentication.
D. Retrieve the password from a secrets management service at runtime.
E. Use a more complex password.
Answer: D

Secrets management (e.g., HashiCorp Vault) provides secure, audited access to credentials.

Why this answer

Option D is correct because a secrets management solution centrally stores and rotates credentials, avoiding hardcoding. Option E (a more complex password) is still hardcoded; C (SSH keys) works for remote servers, not database authentication; A (changing the password manually) is not automated; B (environment variables) is better but still exposed in process memory.

382
MCQ · medium

A company uses virtual machines for development. To ensure isolation between VMs on the same host, which control is most important?

A. Antivirus on each VM
B. Hypervisor patching
C. Strong passwords for VM consoles
D. Virtual network segmentation
Answer: D

Network segmentation isolates traffic between VMs.

Why this answer

Virtual network segmentation prevents VM-to-VM attacks by isolating traffic. Hypervisor patching is important for security but does not directly provide isolation. Strong passwords protect console access but not network traffic.

Antivirus protects within each VM but not between them.

383
MCQ · hard

An organization is migrating from on-premises servers to a cloud IaaS model. The security team must ensure that virtual machine (VM) images are hardened before deployment. Which of the following is the MOST effective control to ensure consistency and compliance with security baselines?

A. Perform vulnerability scans on each VM after deployment
B. Apply the latest OS patches to each VM immediately after deployment
C. Create a golden image that is hardened and approved for use, and deploy VMs from that image
D. Train administrators on hardening procedures and rely on manual configuration
Answer: C

A golden image enforces a consistent secure baseline from the start.

Why this answer

Creating a golden image that is hardened and approved for use ensures that every VM deployed from it inherits a consistent, pre-configured security baseline. This approach eliminates configuration drift and manual errors by baking security controls into the image before deployment, making it the most effective control for consistency and compliance.

Exam trap

The trap here is that candidates often choose vulnerability scanning or patching because they focus on security after deployment, missing the core principle that proactive, immutable infrastructure via golden images is the most reliable way to enforce consistent baselines at scale.

How to eliminate wrong answers

Option A is wrong because performing vulnerability scans after deployment is a detective control, not a preventive one; it identifies issues but does not ensure consistent hardening across all VMs. Option B is wrong because applying patches after deployment is reactive and does not guarantee that other hardening configurations (e.g., registry settings, service disabling, group policies) are consistently applied. Option D is wrong because relying on manual configuration by administrators introduces human error and inconsistency, making it impossible to maintain a uniform security baseline across multiple VMs.

384
MCQ · medium

A security analyst notices that an employee's account has been sending large amounts of data to an external IP address during non-business hours. The analyst suspects the employee's credentials have been compromised. What is the FIRST step the analyst should take according to incident response procedures?

A. Block the external IP address at the firewall.
B. Disable the employee's user account.
C. Contact law enforcement.
D. Inform the employee's manager.
Answer: B

This contains the incident by stopping the unauthorized activity.

Why this answer

Option B is correct because disabling the account immediately stops the malicious activity. Option A is wrong; blocking the IP may not stop the attacker if they have other methods. Option D is wrong; informing the manager is important but not the first action.

Option C is wrong; contacting law enforcement is premature.

385
MCQ · medium

A security administrator receives an alert about a potential SYN flood attack on a web server. At which OSI layer does this attack occur?

A. Layer 7 (Application)
B. Layer 3 (Network)
C. Layer 2 (Data Link)
D. Layer 4 (Transport)
Answer: D

SYN flood exploits TCP's connection establishment process at the transport layer.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a barrage of SYN packets without completing the handshake, exhausting server resources. This attack targets the Transport Layer (Layer 4), where TCP operates, as defined in RFC 793. The security administrator's alert specifically involves TCP SYN segments, which are Layer 4 protocol data units.

Exam trap

The trap here is that candidates confuse the attack's effect on the application (e.g., web server unavailability) with the layer being attacked, incorrectly selecting Layer 7 instead of recognizing the TCP handshake at Layer 4.

How to eliminate wrong answers

Option A is wrong because Layer 7 (Application) deals with application protocols like HTTP, FTP, and SMTP, not the TCP handshake mechanics exploited in a SYN flood. Option B is wrong because Layer 3 (Network) handles IP addressing and routing, not the stateful connection establishment that SYN floods abuse. Option C is wrong because Layer 2 (Data Link) covers MAC addresses and frame delivery on a local network segment, with no involvement in TCP's connection-oriented behavior.

386
MCQ · medium

A company uses a SOAR platform for incident response. Which factor is most critical for effective automation?

A. High-quality playbooks
B. Integration with all security tools
C. Low false positive rate
D. Real-time threat intelligence feeds
Answer: A

Playbooks define the automated response actions; without quality playbooks, automation is ineffective.

Why this answer

High-quality playbooks are the most critical factor because SOAR automation relies on predefined, tested, and context-rich workflows to orchestrate response actions. Without accurate playbooks that map to specific incident types, automated actions can misidentify threats, execute incorrect containment steps, or fail to adapt to evolving attack patterns, rendering integrations and feeds ineffective.

Exam trap

ISC2 often tests the misconception that more integrations or real-time data automatically improve automation, but the trap here is that without high-quality playbooks, even perfect integrations and feeds lead to chaotic or harmful automated responses.

How to eliminate wrong answers

Option B is wrong because integration with all security tools is not the most critical factor; while broad integration enables data collection and action execution, it is useless without well-defined playbooks to orchestrate those tools effectively. Option C is wrong because a low false positive rate is a prerequisite for any detection system, but SOAR automation specifically depends on playbook logic to handle alerts correctly, not just on alert quality. Option D is wrong because real-time threat intelligence feeds enrich context but do not drive automation; playbooks must incorporate that intelligence into decision trees and response steps for it to be actionable.

387
MCQ · easy

When using CBC mode encryption, what is the purpose of the initialization vector (IV)?

A. To provide authentication
B. To increase the key length
C. To add randomness and prevent identical ciphertext for repeated plaintext
D. To enable parallel encryption
Answer: C

IV randomizes the first block, causing different ciphertexts.

Why this answer

Option C is correct because the initialization vector (IV) in CBC mode ensures that each encryption of the same plaintext with the same key produces a different ciphertext. The IV is XORed with the first plaintext block before encryption, introducing randomness that prevents patterns from being exposed in the ciphertext, which is critical for semantic security.

Exam trap

The trap here is that candidates confuse the IV's role in adding randomness with authentication or key extension, or they mistakenly think CBC supports parallel encryption because they overlook the sequential dependency of ciphertext blocks.

How to eliminate wrong answers

Option A is wrong because CBC mode provides no inherent authentication; it is a confidentiality-only mode, and authentication requires a separate MAC or an authenticated encryption mode like GCM or CCM. Option B is wrong because the IV does not increase the effective key length; the key length remains fixed, and the IV is a non-secret, random value used per message. Option D is wrong because CBC mode is inherently sequential—each ciphertext block depends on the previous one—so it cannot be parallelized during encryption; only decryption can be parallelized.

388
Multi-Select · hard

Which TWO of the following are appropriate actions when preserving digital evidence at a crime/incident scene?

Select 2 answers
A. Document all actions taken
B. Take photographs of the scene
C. Connect to the internet to check online resources
D. Use the system to check files
E. Power off the system immediately
Answers: A, B

Documentation ensures chain of custody and reproducibility.

Why this answer

Documenting all actions taken (Option A) is a fundamental principle of digital forensics, as it creates a verifiable chain of custody and ensures the integrity of evidence. This documentation includes timestamps, tools used, and any changes made to the system, which is critical for admissibility in legal proceedings. Without proper documentation, the evidence may be challenged as tampered or unreliable.

Exam trap

ISC2 often tests the misconception that immediately powering off a system is always the safest action, but in digital forensics, this can destroy volatile evidence and trigger data loss or corruption.

389
MCQ · easy

An employee receives an email with an attachment claiming to be an invoice but contains a macro virus. What control would have blocked this?

A. User awareness training
B. Email attachment scanning
C. Spam filter
D. Macro security settings in Office
Answer: D

Macro settings can disable or restrict macro execution.

Why this answer

Macro security settings in Office can disable macros or require signed macros, preventing execution. A spam filter may not detect targeted phishing. Attachment scanning may miss zero-day variants.

User training reduces risk but does not technically block execution.

390
MCQ · easy

A financial services company has recently deployed a new customer-facing web application on port 443. The application is essential for client transactions. Within the first week, the security team's monitoring system detected thousands of failed login attempts originating from a wide range of IP addresses across multiple countries. The attempts are using common usernames and passwords, indicating a coordinated brute-force attack. The company's perimeter firewall is configured with a default allow rule for inbound TCP traffic on port 443 to the web server's public IP address. The company operates with a small IT team and has a limited security budget. The web application is custom-developed and cannot be modified quickly. The security analyst must recommend a solution to mitigate the attack while maintaining availability for legitimate users. Which of the following is the most effective first step?

A. Implement IP blacklisting by manually adding offending IP addresses to the firewall's deny list
B. Change the web server port from 443 to a non-standard high port
C. Deploy a Web Application Firewall (WAF) configured with rate limiting and CAPTCHA challenges
D. Enable SSH access to the web server for administrative purposes
Answer: C

A WAF can automatically detect and mitigate brute-force patterns by rate-limiting requests from suspicious IPs, presenting CAPTCHAs to verify human users, and applying other application-layer controls without modifying the application.

Why this answer

Deploying a Web Application Firewall (WAF) with rate limiting and CAPTCHA is the most effective solution because it can identify and block malicious traffic patterns without requiring application changes. It operates at the application layer and can enforce policies such as rate limiting per IP, geolocation blocking, and CAPTCHA challenges, which directly mitigate brute-force attacks while minimizing impact on legitimate users. Other options are less effective: IP blacklisting is reactive and cannot handle distributed attacks; changing ports only provides obscurity; enabling SSH does not address the web application attack.

391
Multi-Select · medium

Which TWO of the following are essential steps in a security incident response process according to the SSCP common body of knowledge? (Select the two best answers.)

Select 2 answers
A. Vulnerability scanning
B. Penetration testing
C. Eradication
D. Identification
E. Risk assessment
Answers: C, D

Eradication involves removing the incident artifacts and is a key phase.

392
Multi-Select · medium

Which TWO of the following are best practices for password management?

Select 2 answers
A. Implement account lockout after a few failed attempts
B. Allow reuse of the last 5 passwords
C. Store passwords in plaintext for quick recovery
D. Share passwords via email for convenience
E. Enforce password complexity requirements
Answers: A, E

Lockout mitigates brute-force attacks.

Why this answer

Password complexity and account lockout are standard best practices. Storing passwords in plaintext and reusing passwords are poor practices.

393
Multi-Select · easy

Which THREE characteristics are important for a password hashing algorithm?

Select 3 answers
A. Fixed output length
B. Salt usage
C. Reversible
D. Slow computation
E. Constant time comparison
Answers: B, D, E

Salt prevents rainbow table attacks.

Why this answer

B is correct because salting ensures that each password hash is unique even if two users have the same password, preventing precomputed rainbow table attacks. A salt is a random value concatenated with the password before hashing, and it must be stored alongside the hash for verification.

Exam trap

ISC2 often tests the misconception that fixed output length is a key requirement for password hashing, when in fact it is a generic property of all hash functions and not specific to password storage security.

394
MCQ · medium

A user reports they can now access files in a shared drive that were previously denied. Upon investigation, the IT team discovers the user was added to a new group that has read/write permissions to the drive. This situation is best described as:

A. Separation of duties violation
B. Inconsistent access control list
C. Role explosion
D. Privilege creep
Answer: D

The user gained additional permissions through group membership, which is a classic example of privilege creep.

Why this answer

Privilege creep occurs when users accumulate more permissions over time than they need for their current role, often through group memberships. In this scenario, the user was added to a new group that granted read/write access to a shared drive, resulting in unintended elevated access. This is a classic example of privilege creep because the user's access rights expanded beyond what was originally authorized, violating the principle of least privilege.

Exam trap

The trap here is confusing privilege creep with role explosion, but privilege creep focuses on individual permission accumulation over time, while role explosion is about an excessive number of roles in the system design.

How to eliminate wrong answers

Option A is wrong because separation of duties is a control designed to prevent fraud or error by requiring multiple individuals to complete a sensitive task, not a situation where a user gains unintended access. Option B is wrong because an inconsistent access control list would imply conflicting or erroneous permissions on the resource itself, whereas here the permissions are consistent but the user was added to a group that legitimately has those permissions. Option C is wrong because role explosion refers to the proliferation of too many roles in an RBAC system, making management complex, not the gradual accumulation of permissions by a single user.

395
MCQ · easy

A small business has 50 employees and uses a cloud-based email service. The IT manager receives a report that several employees have been receiving phishing emails that appear to come from the company's CEO. The emails request that employees purchase gift cards and send the codes urgently. Two employees have already complied, losing $500 total. The manager wants to prevent this from recurring. The company has a limited budget and no dedicated security staff. Which of the following actions should the manager take FIRST?

A. Create a policy prohibiting gift card purchases
B. Enable multi-factor authentication (MFA) on the CEO's email account
C. Conduct security awareness training for all employees
D. Set up email filtering rules to block emails with the CEO's name
Answer: B

MFA significantly reduces the risk of account takeover, which is the source of these phishing emails.

Why this answer

Implementing multi-factor authentication (MFA) on the CEO's account prevents attackers from using stolen credentials to send phishing emails. Option C is training, which is important but does not stop the current vector; A is a long-term policy; D is a technical control but does not prevent the initial account compromise.

396
MCQ · easy

A company's backup strategy includes weekly full backups and daily differential backups. A ransomware attack occurred on Wednesday, corrupting data. The last full backup was Sunday. Which backup set should be restored first?

A. Wednesday differential backup
B. Sunday full backup
C. Monday differential backup
D. Tuesday differential backup
Answer: B

Full backup must be restored first as it contains the baseline data.

Why this answer

The correct restoration order is to first restore the Sunday full backup, because differential backups contain all changes since the last full backup. Without the full backup as a base, the differential backups cannot be applied. After restoring the full backup, you would then apply the most recent differential backup (Wednesday) to bring the data to the point just before the attack.

Exam trap

The trap here is that candidates often confuse differential backups with incremental backups, mistakenly thinking they need to restore all differentials in order, or they try to restore the most recent differential without the full backup first.

How to eliminate wrong answers

Option A is wrong because the Wednesday differential backup cannot be restored first; it must be applied after the full backup to supply the changes made since that full backup. Option C is wrong because the Monday differential backup is not the most recent differential backup, and restoring it alone would miss changes made on Tuesday and Wednesday. Option D is wrong because the Tuesday differential backup, while more recent than Monday, still requires the full backup first and is not the final differential needed to reach Wednesday's state.
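The restore order above, and the differential-versus-incremental distinction the exam trap warns about, can be expressed as a small planner. The Python below is an added example for this page, not code from the question bank. The two backup catalogues are constructed to mirror the scenario (a Sunday full followed by daily sets through Wednesday); dates are ISO strings so they sort chronologically as text.

```python
# Constructed catalogues of (ISO date, backup type). Sunday 2024-03-03 is the full backup.
WEEK_DIFFERENTIAL = [
    ("2024-03-03", "full"),          # Sunday
    ("2024-03-04", "differential"),  # Monday
    ("2024-03-05", "differential"),  # Tuesday
    ("2024-03-06", "differential"),  # Wednesday
]

WEEK_INCREMENTAL = [
    ("2024-03-03", "full"),
    ("2024-03-04", "incremental"),
    ("2024-03-05", "incremental"),
    ("2024-03-06", "incremental"),
]


def restore_plan(catalogue, restore_point):
    """Return the ordered list of backup sets needed to rebuild data as of `restore_point`.

    1. The most recent full backup on or before the restore point is always first.
    2. With differentials, only the latest one after that full is needed, because each
       differential already contains every change since the full.
    3. With incrementals, every one after the full must be applied in order, because each
       incremental contains only the changes since the previous backup.
    """
    usable = sorted((d, t) for d, t in catalogue if d <= restore_point)
    fulls = [x for x in usable if x[1] == "full"]
    if not fulls:
        raise ValueError("no full backup exists on or before the restore point")
    base = fulls[-1]

    after_base = [x for x in usable if x[0] > base[0]]
    differentials = [x for x in after_base if x[1] == "differential"]
    incrementals = [x for x in after_base if x[1] == "incremental"]

    plan = [base]
    if differentials:
        plan.append(differentials[-1])  # the latest differential supersedes the earlier ones
    plan.extend(incrementals)           # incrementals must all be replayed, oldest first
    return plan


if __name__ == "__main__":
    print("differential:", restore_plan(WEEK_DIFFERENTIAL, "2024-03-06"))
    print("incremental: ", restore_plan(WEEK_INCREMENTAL, "2024-03-06"))
```

For the question's scenario the planner returns the Sunday full followed by the Wednesday differential only; swap in the incremental catalogue and it returns all four sets, which is the distinction candidates tend to blur. A real restore would also verify each set's integrity before applying it (compare question 377).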

397
MCQ · hard

A network engineer is designing a secure WAN link between two offices using IPsec VPN. The company requires encryption of all traffic, authentication of both endpoints, and protection against replay attacks. Which combination of IPsec protocols and modes should be used?

A. AH in tunnel mode
B. AH in transport mode
C. ESP in tunnel mode
D. ESP in transport mode
Answer: C

ESP in tunnel mode encrypts and authenticates the entire packet, suitable for site-to-site VPNs.

Why this answer

ESP in tunnel mode encrypts and authenticates the entire original IP packet, providing confidentiality, integrity, and authentication for the entire payload. It also includes sequence numbers to protect against replay attacks, making it the correct choice for a secure WAN link between two offices.

Exam trap

The trap here is that candidates often confuse AH with ESP, assuming AH provides encryption, or they incorrectly choose transport mode for site-to-site VPNs because they focus on endpoint authentication rather than the need to encapsulate the entire original packet for network-to-network communication.

How to eliminate wrong answers

Option A is wrong because AH (Authentication Header) provides integrity and authentication but does not encrypt traffic, failing the encryption requirement. Option B is wrong because AH in transport mode also lacks encryption and only protects the payload, not the original IP header, which is insufficient for a VPN tunnel between networks. Option D is wrong because ESP in transport mode encrypts only the payload, not the original IP header, and is typically used for end-to-end communication between hosts, not for site-to-site VPNs where tunnel mode is required to encapsulate the entire original packet.

398
MCQ · medium

During a security audit, it is discovered that a legacy system uses SNMPv1 for network monitoring. Which of the following is the primary security concern?

A. Weak hashing
B. Community strings transmitted in cleartext
C. No access control
D. Lack of encryption
Answer: B

The community string serves as a password and is sent in plaintext, allowing interception and unauthorized access.

Why this answer

SNMPv1 transmits community strings (effectively passwords) in cleartext over the network. An attacker capturing network traffic can directly read the community string and gain unauthorized access to SNMP-managed devices. This lack of confidentiality is the primary security concern because it exposes the entire monitoring infrastructure to compromise.

Exam trap

The trap here is that candidates often confuse 'no access control' (Option C) with the lack of authentication, but SNMPv1 does have community strings as a form of access control; the real issue is that these strings are transmitted in cleartext, making them easily intercepted.

How to eliminate wrong answers

Option A is wrong because SNMPv1 does not use hashing for authentication; it relies on plaintext community strings, so 'weak hashing' is not a relevant concern. Option C is wrong because SNMPv1 does have a basic form of access control via read-only (RO) and read-write (RW) community strings, though it is rudimentary and easily bypassed once the community string is known. Option D is wrong because while SNMPv1 indeed lacks encryption, the question asks for the 'primary' security concern; the immediate exposure of community strings in cleartext is the most direct and exploitable vulnerability, making lack of encryption a secondary consequence.

399
Multi-Select · medium

Which TWO of the following are examples of biometric authentication? (Choose two.)

Select 2 answers
A. Smart card
B. Retina scan
C. PIN
D. Fingerprint
E. Password
Answers: B, D

Retina scan is a biometric trait.

Why this answer

Retina scan is a biometric authentication method because it uses unique physiological characteristics of the eye's retinal blood vessel pattern to verify identity. Biometric authentication relies on measurable biological traits, and the retina's pattern is highly distinctive and difficult to replicate, making it a strong form of authentication.

Exam trap

ISC2 often tests the distinction between authentication factors (something you know, have, or are) and tricks candidates into selecting smart cards or PINs as biometrics because they are commonly associated with security, but they are not based on biological traits.

400
Drag & Drop · medium

Drag and drop the steps for configuring a Windows Firewall rule to allow inbound RDP traffic into the correct order.

Why this order

Windows Firewall: create inbound rule for port 3389, allow connection, select profiles, name it.

401
MCQ · medium

Refer to the exhibit. Which of the following is most likely a web browsing session?

A. 192.168.1.100:49152 to 203.0.113.10:80
B. 192.168.1.100:49154 to 74.125.224.72:443
C. 192.168.1.100:49153 to 192.168.1.1:53
D. Both A and C
Answer: D

Both are web sessions (HTTP and HTTPS).

Why this answer

Option D is correct because both A and C represent typical web browsing sessions: A uses HTTP on port 80, and C uses DNS on port 53, which is essential for resolving domain names before a web request can be made. Web browsing inherently involves DNS queries to translate hostnames to IP addresses, making both sessions part of the browsing activity.

Exam trap

ISC2 often tests the misconception that web browsing only involves HTTP (port 80) and ignores the essential DNS resolution step, leading candidates to overlook DNS queries as part of the browsing session.

How to eliminate wrong answers

Option A is wrong because it is actually a valid web browsing session (HTTP on port 80), so it is not incorrect; the question asks for the most likely web browsing session, and A is correct. Option B is wrong because it uses HTTPS on port 443, which is also a valid web browsing session (secure web traffic), so it is not incorrect; the trap is that candidates might think only HTTP is web browsing, but HTTPS is equally valid. Option C is wrong because it is a DNS query (port 53) to a local router (192.168.1.1), which is a supporting service for web browsing but not the web browsing session itself; DNS resolution occurs before the actual HTTP/HTTPS request.

402
MCQ · medium

Based on the exhibit, which type of attack is most likely being attempted?

A. Cross-site scripting (XSS)
B. SQL injection
C. Directory traversal
D. Buffer overflow
Answer: B

The parameter contains SQL syntax designed to drop a table, which is characteristic of a SQL injection attack.

Why this answer

The exhibit shows a URL parameter containing SQL injection syntax (DROP TABLE users;). The %22%3B%20 sequence decodes to "; " which is used to break out of a SQL query. The destination is an internal host (10.0.0.100), likely a web application server.

A status code of 500 indicates a server error, possibly caused by the malicious input. Thus, SQL injection (Option B) is correct. The other options do not match the pattern.

403
MCQ · hard

A company is implementing a risk monitoring program. Which of the following is the best key performance indicator (KPI) to measure the effectiveness of the vulnerability management process?

A. Mean time to remediate (MTTR) critical vulnerabilities
B. Percentage of systems with up-to-date patches
C. Number of vulnerability scans performed per month
D. Number of vulnerabilities discovered per scan
Answer: A

MTTR directly measures how quickly critical risks are addressed.

Why this answer

Mean time to remediate (MTTR) critical vulnerabilities directly measures how quickly the organization closes the window of exposure for the highest-risk flaws. This KPI reflects the efficiency of the remediation workflow—from detection through patching or compensating control deployment—and is a standard metric in frameworks like NIST SP 800-40 and the CVSS scoring system. A lower MTTR indicates a more effective vulnerability management process because it reduces the time attackers have to exploit known weaknesses.

Exam trap

The trap here is that candidates often confuse activity metrics (like scan frequency or patch coverage) with outcome metrics (like remediation speed), leading them to choose a KPI that sounds operational but does not directly measure the effectiveness of the vulnerability management process.

How to eliminate wrong answers

Option B is wrong because the percentage of systems with up-to-date patches is a compliance-oriented metric that does not account for the severity or criticality of vulnerabilities; a system could be fully patched against low-severity issues while still harboring an unpatched critical vulnerability. Option C is wrong because the number of vulnerability scans performed per month measures activity volume, not process effectiveness; frequent scans are useless if findings are not remediated promptly. Option D is wrong because the number of vulnerabilities discovered per scan is a measure of the attack surface or scan coverage, not the effectiveness of remediation; a high discovery count could indicate a thorough scan but says nothing about how quickly or completely those vulnerabilities are fixed.

404
MCQhard

An administrator notices that a certificate used for code signing is about to expire. The certificate is signed by a trusted root CA. What is the correct procedure to ensure continued trust?

A.Continue using the expired certificate until a new one is obtained
B.Extend the validity period of the existing certificate by modifying the certificate
C.Switch to a self-signed certificate
D.Request a new certificate from the same CA before expiration
AnswerD

This ensures continuity and trust from the same root.

Why this answer

The correct procedure is to request a new certificate from the same trusted root CA before the current certificate expires. This ensures that the new certificate is signed by the same trusted root, maintaining the chain of trust without interruption. Continuing to use an expired certificate would break trust validation, as clients and operating systems reject expired code-signing certificates to prevent execution of untrusted code.

Exam trap

The trap here is that candidates may think extending the validity period or using a self-signed certificate is acceptable, but Cisco tests the understanding that only a certificate from the same trusted CA preserves the existing chain of trust without requiring manual trust configuration.

How to eliminate wrong answers

Option A is wrong because using an expired certificate violates trust models; code-signing certificates are validated for expiration, and expired certificates cause signature verification failures, leading to warnings or blocked execution. Option B is wrong because certificate validity periods cannot be extended by modifying the certificate; the validity is cryptographically bound by the CA's signature, and any alteration invalidates the signature. Option C is wrong because switching to a self-signed certificate breaks the chain of trust; self-signed certificates are not trusted by default and require manual installation on every client, which is impractical for code signing.

405
Multi-Selecthard

Which THREE of the following are key objectives of data classification?

Select 3 answers
A.Identify and protect sensitive information
B.Reduce storage costs by identifying duplicate data
C.Establish a foundation for risk management decisions
D.Determine the encryption algorithm to use
E.Comply with legal and regulatory requirements
AnswersA, C, E

Classification determines sensitivity and required protections.

Why this answer

Data classification is a foundational security control that directly supports the identification and protection of sensitive information. By categorizing data based on its sensitivity and criticality, organizations can apply appropriate security controls, such as access controls and encryption, to safeguard confidential data from unauthorized disclosure or modification.

Exam trap

ISC2 often tests the distinction between the objectives of data classification and the subsequent actions or technologies that classification enables, leading candidates to mistakenly select options like 'determine encryption algorithm' as a direct objective.

406
Multi-Selecthard

Which THREE of the following are valid methods for enforcing separation of duties in an IT environment? (Select the three best answers.)

Select 3 answers
A.Sharing administrative passwords among team members
B.Having the same person approve and implement a change
C.Implementing a two-person rule for critical changes
D.Monitoring and logging all privileged actions
E.Using role-based access control (RBAC) to assign permissions
AnswersC, D, E

The two-person rule requires approval from a second person, enforcing separation.

Why this answer

Option C is correct because the two-person rule requires two authorized individuals to perform a critical change, ensuring that no single person has both the authority and the ability to execute a high-risk action. This directly enforces separation of duties by dividing the task into two distinct roles, such as one person approving and another implementing the change, which prevents fraud or errors from a single compromised account.

Exam trap

The trap here is that candidates may confuse monitoring and logging (Option D) as a direct enforcement method rather than a detective control, or think that RBAC (Option E) alone enforces separation of duties without considering that RBAC must be combined with workflow rules to prevent role conflicts.

407
Multi-Selecteasy

Which THREE of the following are standard phases of the incident response lifecycle?

Select 3 answers
A.Preparation
B.Containment, Eradication, and Recovery
C.Auditing
D.Budgeting
E.Detection and Analysis
AnswersA, B, E

Preparation is the first phase, involving planning and training.

Why this answer

Option A is correct because Preparation is the foundational phase of the incident response lifecycle, as defined by NIST SP 800-61 Rev. 2. This phase involves establishing policies, creating incident response plans, forming a CSIRT, and provisioning tools (e.g., SIEM, forensic workstations) before any incident occurs. Without proper preparation, all subsequent phases are significantly less effective.

Exam trap

ISC2 often tests candidates by including plausible-sounding business or audit terms (like Auditing or Budgeting) as distractors, expecting test-takers to confuse supporting activities with formal lifecycle phases defined in NIST or SANS frameworks.

408
Matchingmedium

Match each security control type to its example.

Concepts

Firewall

IDS

Backup restoration

Warning signs

Why these pairings

These are common examples of security control categories.

409
MCQmedium

A security analyst is troubleshooting a network issue where users on VLAN 10 cannot reach a server on VLAN 20. The router has an ACL applied to the interface connected to VLAN 10. Which step should the analyst take first to isolate the problem?

A.Review the ACL configuration on the router interface
B.Run a traceroute from a user machine to the server
C.Check the ARP table for the server's MAC address
D.Verify the VLAN configuration on the switch
AnswerA

The ACL on the router interface can block traffic between VLANs; this is the first logical step.

Why this answer

The ACL applied to the router interface connected to VLAN 10 is the most likely cause of the connectivity issue, as it can explicitly permit or deny traffic from VLAN 10 to VLAN 20. Reviewing the ACL configuration first allows the analyst to quickly determine if the traffic is being blocked by a deny statement or missing permit entry, which is a common and immediate cause of such inter-VLAN routing failures. This step is the most efficient because it directly addresses the access control mechanism at the routing boundary.

Exam trap

ISC2 often tests the principle of starting with the most likely cause at the Layer 3/4 boundary (the ACL) rather than jumping to lower-layer troubleshooting like ARP or VLAN verification, which would be premature when an ACL is explicitly present.

How to eliminate wrong answers

Option B is wrong because running a traceroute from a user machine to the server would show where packets are dropped, but it does not identify the specific ACL rule causing the drop; it only confirms the symptom, not the root cause. Option C is wrong because checking the ARP table for the server's MAC address is irrelevant to ACL filtering; ARP resolves IP to MAC addresses at Layer 2, while ACLs operate at Layer 3/4 on the router. Option D is wrong because verifying the VLAN configuration on the switch would only confirm that VLANs 10 and 20 exist and are correctly assigned to ports, but it does not address the router's ACL, which is the explicit access control mechanism applied to the routed interface.

410
MCQmedium

During incident response, a team member uses a tool to capture memory from a compromised Windows system. Which of the following best describes the order of volatility?

A.Network connections, memory, disk
B.Disk, memory, network
C.Memory, network, disk
D.Memory, disk, network connections
AnswerA

Network connections change rapidly, memory is less volatile, disk is most persistent.

Why this answer

Option A is correct because the order of volatility dictates that the most volatile data (network connections) should be captured first, followed by memory, and finally disk. Network connections change constantly and are lost when the system is powered off, while memory (RAM) persists until power loss, and disk is the least volatile as it retains data even after shutdown. This sequence ensures critical evidence is preserved before it disappears.

Exam trap

The trap here is that candidates often confuse volatility with importance, assuming disk (which contains persistent data) is more critical to capture first, when in fact the most volatile data (network connections) must be prioritized to prevent loss.

How to eliminate wrong answers

Option B is wrong because it places disk before memory, but disk is less volatile than memory and should be captured last; capturing disk first risks losing transient network and memory data. Option C is wrong because it places memory before network connections, but network connections are more volatile than memory and must be captured first to avoid losing active session data. Option D is wrong because it places disk before network connections, ignoring that network connections are the most volatile and must be captured before both memory and disk.

411
MCQeasy

Which of the following is the primary purpose of a risk register?

A.To record all security incidents after they occur
B.To track changes made to system configurations
C.To document and track identified risks and their treatment
D.To automatically detect vulnerabilities in the network
AnswerC

Correct purpose of a risk register.

Why this answer

The primary purpose of a risk register is to document and track identified risks along with their treatment plans, including risk owners, likelihood, impact, and mitigation status. This aligns with the Risk Identification, Monitoring and Analysis domain, where the risk register serves as a central repository for risk management activities throughout the system development life cycle.

Exam trap

The trap here is that candidates confuse the risk register with an incident log or vulnerability scanner output, but the risk register is specifically a forward-looking planning document for managing identified risks, not a reactive or automated detection tool.

How to eliminate wrong answers

Option A is wrong because a risk register is a proactive tool for documenting potential risks before they occur, not a reactive log for recording security incidents after they happen (incident response logs serve that purpose). Option B is wrong because tracking changes to system configurations is the function of a change management system or configuration management database (CMDB), not a risk register. Option D is wrong because automatic vulnerability detection is performed by vulnerability scanners (e.g., Nessus, OpenVAS) or SIEM tools, not by a risk register, which is a manual or semi-automated documentation and tracking artifact.

412
MCQhard

A security engineer needs to select a hashing algorithm for storing user passwords in a database. Which of the following is the most secure choice?

A.SHA-256
B.MD5
C.bcrypt
D.SHA-1
E.PBKDF2
AnswerC

bcrypt is designed for password hashing, includes salt, and is deliberately slow.

Why this answer

Option C is correct because bcrypt is specifically designed for password hashing with a cost factor to resist brute-force. Option B (MD5) is broken; D (SHA-1) is weak; A (SHA-256) is fast and suitable for integrity, not passwords; E (PBKDF2) is also good, but bcrypt is often preferred due to built-in salt and adaptive cost.

413
Multi-Selectmedium

Which TWO of the following are characteristics of mandatory access control (MAC)?

Select 2 answers
A.The system enforces access decisions based on policies
B.Security labels are assigned to subjects and objects
C.Access decisions are based on the user’s discretion
D.It is commonly used in commercial environments
E.Users can grant access to other users
AnswersA, B

MAC is system-enforced, not user-controlled.

Why this answer

Mandatory access control (MAC) enforces access decisions based on centrally defined policies, not at the discretion of individual users. The system compares security labels assigned to subjects (e.g., users, processes) and objects (e.g., files, resources) to determine if access is allowed. This ensures that even the owner of an object cannot override the policy, which is a core characteristic of MAC.

Exam trap

The trap here is that candidates often confuse MAC with DAC, mistakenly thinking that MAC allows users to set permissions or that it is common in commercial environments, when in fact MAC is policy-driven and used in high-security contexts.

414
MCQmedium

Refer to the exhibit. A security analyst reviews the firewall configuration for a Windows workstation on a private network. What is the MOST significant weakness?

A.Inbound connections are set to Block by default
B.Default outbound connections are set to Allow, potentially allowing malware to communicate out
C.The rule 'RDP (UDP-In)' is set to Block and enabled, which blocks legitimate RDP traffic
D.The rule 'File and Printer Sharing (Echo Req)' is disabled, preventing network discovery
AnswerB

Allowing all outbound by default is a security weakness.

Why this answer

Option B is correct because the exhibit shows default outbound connections set to Allow. Inbound connections are blocked by default, which is the secure stance, but an unrestricted outbound policy lets any process on the workstation, including malware, initiate connections to external hosts without ever matching a rule, so this is the most significant weakness shown.

The RDP rules are not the weakness. The 'Remote Desktop (TCP-In)' rule is disabled (Enabled: No) and the 'RDP (UDP-In)' rule is set to Block and enabled (Enabled: Yes), so RDP is not reachable over TCP or UDP. That could block legitimate RDP if the workstation needs it, but many organizations deliberately block RDP on workstations, so it is a configuration choice rather than an exposure.

Option A is wrong because a default inbound Block is good. Option C is wrong because blocking UDP RDP is most likely intentional and does not expose the host. Option D is wrong because disabling the 'File and Printer Sharing (Echo Req)' rule is also good for security; it reduces discoverability rather than creating a weakness.

415
MCQhard

An organization uses role-based access control (RBAC). After a merger, a user account from the acquired company is migrated into the parent company's domain. The user is assigned to multiple roles, but is unable to access a critical application that requires a specific role. The administrator verified that the user's account is enabled and the application server is reachable. What is the MOST likely cause?

A.The user's group memberships are conflicting with the required role.
B.The user's account was not assigned the required role.
C.There is a firewall rule blocking traffic from the user's IP range.
D.The application's session timeout is set too low.
AnswerB

Without the role, the user lacks the necessary permissions.

Why this answer

In RBAC, access is granted based on the roles explicitly assigned to a user account. Since the administrator confirmed the account is enabled and the application server is reachable, the most likely cause is that the required role was not assigned to the migrated user. Without that role assignment, the user lacks the necessary permissions to access the critical application, regardless of other roles held.

Exam trap

The trap here is that candidates may assume group membership conflicts (Option A) cause access denial in RBAC, but RBAC roles are independent and additive—conflicts do not occur; the real issue is the missing role assignment.

How to eliminate wrong answers

Option A is wrong because RBAC does not have conflicting group memberships; roles are additive and do not conflict with each other—if the required role were assigned, access would be granted. Option C is wrong because the administrator verified the application server is reachable, which implies network connectivity is not blocked; a firewall rule would prevent reachability, not just application access. Option D is wrong because a low session timeout would cause the user to be logged out after inactivity, not prevent initial access to the application.

416
MCQhard

An organization implements a policy that the same individual cannot both create a purchase order and approve it in the financial system. Which security principle does this control primarily enforce?

A.Job rotation
B.Least privilege
C.Need-to-know
D.Separation of duties
AnswerD

Separation of duties divides critical functions among multiple users to prevent fraud and errors.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from performing conflicting tasks, such as creating and approving a purchase order. By splitting these responsibilities, the organization reduces the risk of fraud, errors, and unauthorized transactions, ensuring that no single person has unchecked control over a critical financial process.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege only limits permissions to the minimum needed, whereas separation of duties specifically prevents a single user from executing two conflicting functions that could enable fraud or error.

How to eliminate wrong answers

Option A is wrong because job rotation is a practice where employees periodically switch roles to cross-train and reduce monotony, not a control that enforces dual-authority over a single transaction. Option B is wrong because least privilege limits users to only the permissions necessary for their job, but it does not inherently prevent the same person from both creating and approving a purchase order if both actions fall within their role. Option C is wrong because need-to-know restricts access to information based on job necessity, not the segregation of conflicting duties within a process.

417
MCQhard

A security engineer is configuring a firewall to block all inbound traffic except for specific services. Which of the following design principles is being applied?

A.Separation of duties
B.Default deny
C.Defense in depth
D.Least privilege
AnswerD

Least privilege ensures entities have only the access needed to perform their functions.

Why this answer

The correct answer is D, Least Privilege, because the security engineer is configuring the firewall to block all inbound traffic except for specific services. This aligns with the principle of least privilege, which dictates that only the minimum necessary access should be granted—in this case, only allowing specific services through while denying everything else by default. The firewall rule set explicitly permits only required ports (e.g., TCP/443 for HTTPS) and implicitly denies all other traffic, ensuring that no unnecessary access is permitted.

Exam trap

The trap here is that candidates confuse the 'default deny' mechanism (a firewall policy stance) with the 'least privilege' design principle, but the question asks for the overarching principle, not the specific implementation method.

How to eliminate wrong answers

Option A is wrong because separation of duties is a control designed to prevent fraud or error by requiring multiple individuals to complete a sensitive task (e.g., one person configures the firewall, another audits the rules), not a principle about traffic filtering. Option B is wrong because default deny is a specific firewall policy stance (deny all traffic unless explicitly allowed), not a design principle; the question asks for the principle being applied, and default deny is a mechanism that implements least privilege. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewall, IDS, antivirus), not a single firewall configuration that blocks all inbound traffic except specific services.

418
MCQmedium

A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?

A.Disable the legacy module until a full rewrite is completed.
B.Rewrite the legacy module to use parameterized queries.
C.Deploy a web application firewall (WAF) to block SQL injection patterns.
D.Implement input validation to reject special characters.
AnswerB

Parameterized queries prevent SQL injection by separating code from data.

Why this answer

Option B is correct because parameterized queries (prepared statements) are the definitive defense against SQL injection, as they separate SQL logic from user data by design. Rewriting the legacy module to use parameterized queries eliminates the root cause of the vulnerability at the code level, ensuring that user input is never concatenated into the SQL statement. This is the most secure and permanent fix, as it directly addresses the injection point in the application layer.

Exam trap

ISC2 often tests the misconception that a WAF or input validation is sufficient to prevent SQL injection, but the trap here is that only parameterized queries (or stored procedures with parameterized calls) eliminate the vulnerability at the code level, making them the best immediate remediation over compensating controls.

How to eliminate wrong answers

Option A is wrong because disabling the legacy module is a reactive, temporary workaround that disrupts business functionality and does not fix the underlying insecure coding practice; it should only be considered if the module cannot be secured immediately, but the question asks for the 'best immediate remediation,' which is a permanent code fix. Option C is wrong because a WAF is a compensating control that can be bypassed with advanced SQL injection techniques (e.g., encoding, out-of-band attacks) and does not address the root cause; it should be used as a defense-in-depth layer, not as a primary remediation. Option D is wrong because input validation (e.g., rejecting special characters) is unreliable and can be circumvented by attackers using alternative injection vectors (e.g., numeric fields, second-order injection) and may break legitimate input; it is not a substitute for parameterized queries.
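To make the remediation concrete, here is an added example (not code from the exam page) showing the legacy concatenation beside the parameterized form, using an in-memory SQLite database constructed for the demo. The table, rows and crafted input are assumptions; the point is that the same input changes the query's meaning in the legacy path and is treated as plain data in the parameterized one.

```python
import sqlite3


def build_db():
    """Constructed sample data for the demo (assumption, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "dev"), ("carol", "dev")],
    )
    return conn


def lookup_legacy(conn, name):
    """VULNERABLE (the 'before'): user input is concatenated into SQL text,
    so input containing a quote can alter the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """FIXED (the 'after'): the driver binds the value as data; the SQL
    text never changes regardless of what the input contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Return row counts for a tautology input under both code paths plus a
    legitimate lookup, so the difference is visible in one call."""
    conn = build_db()
    crafted = "x' OR '1'='1"   # constructed textbook input; closes the literal
    return {
        "legacy": len(lookup_legacy(conn, crafted)),            # every row
        "parameterized": len(lookup_parameterized(conn, crafted)),  # no row
        "legit": lookup_parameterized(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `sqlite3` refuses to run more than one statement per `execute()`, so the `DROP TABLE` payload from the earlier question would fail here; other drivers and databases are less strict, which is exactly why the fix has to be structural (binding) rather than relying on a particular driver's behaviour.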

419
MCQmedium

A security analyst reviews the exhibit. The internal IP 10.0.0.1 is a web server, and 203.0.113.5 is an external IP. What is the most likely issue?

A.The web server may be exfiltrating data to an external host
B.The external IP is scanning the web server for vulnerabilities
C.The web server is experiencing a DDoS attack from the external IP
D.An internal user is browsing a malicious website
AnswerA

Increasing outgoing data to a single external host is suspicious of data exfiltration.

Why this answer

The exhibit shows a high volume of outbound traffic from internal IP 10.0.0.1 (the web server) to external IP 203.0.113.5 on port 443 (HTTPS). This pattern is consistent with data exfiltration, where a compromised web server sends sensitive data to an external command-and-control (C2) server. The traffic is initiated by the internal server, not inbound, which rules out scanning or DDoS attacks.

Exam trap

The trap here is that candidates confuse the direction of traffic—assuming any external IP communicating with a web server must be an attacker scanning or attacking, rather than recognizing that the server itself may be the compromised source of outbound data.

How to eliminate wrong answers

Option B is wrong because vulnerability scanning typically involves inbound probes (e.g., SYN scans) from the external IP to the web server, not sustained outbound data flows. Option C is wrong because a DDoS attack would show a flood of inbound traffic from many sources, not a single external IP sending or receiving a steady outbound stream. Option D is wrong because an internal user browsing a malicious website would generate outbound traffic from a client workstation, not from a web server IP like 10.0.0.1.

420
MCQeasy

A company has 200 employees using a Windows Active Directory environment. The security administrator receives multiple alerts that user accounts are being locked out every 15 minutes. The help desk confirms that users who report the issue are able to log in successfully after unlocking their accounts, but they get locked out again shortly after. The administrator checks the domain controller security logs and sees many failed logon attempts with a specific service account name 'svc_backup' from multiple workstations. The svc_backup account is used for a backup application that runs scheduled tasks. What should the administrator do to resolve the issue?

A.Disable the svc_backup account until the backup vendor releases a patch
B.Change the password for svc_backup and update the backup application with the new password
C.Create a new service account with a different name and grant it the same permissions
D.Increase the account lockout threshold to prevent lockouts
AnswerB

This resolves the root cause - the service account's password is likely stale or incorrect, causing repeated authentication failures.

Why this answer

The repeated lockouts are caused by a service account (svc_backup) being used with an incorrect or expired password. The most effective solution is to reset the password for that account and update it in the backup application. Disabling the account or increasing the lockout threshold does not fix the root cause.

Creating a new account without addressing the password mismatch will not stop the current account from being used.

421
Drag & Dropmedium

Drag and drop the steps for a typical TLS 1.3 handshake into the correct order.

Why this order

TLS 1.3 reduces round trips: ClientHello, ServerHello, EncryptedExtensions, Finished from server, Finished from client.

422
MCQhard

An organization wants to implement a cryptographic solution that ensures forward secrecy for its internal communications. Which key exchange method should be used?

A.RSA key exchange
B.Elliptic Curve Diffie-Hellman (ECDH)
C.Diffie-Hellman Ephemeral (DHE)
D.Static Diffie-Hellman
AnswerC

DHE generates temporary keys each session, so compromise of long-term keys does not expose past sessions.

Why this answer

DHE (Diffie-Hellman Ephemeral) generates a fresh, temporary key pair for each session and never reuses the private key, ensuring that compromise of a long-term key does not expose past session keys. This provides forward secrecy because the ephemeral keys are destroyed after the session ends, making it computationally infeasible to decrypt recorded traffic even if the server's static key is later compromised.

Exam trap

ISC2 often tests the distinction between 'Diffie-Hellman' (which can be static) and 'Diffie-Hellman Ephemeral' (DHE) — the trap is that candidates see 'Diffie-Hellman' and assume forward secrecy, forgetting that only the ephemeral variant provides it.

How to eliminate wrong answers

Option A is wrong because RSA key exchange uses the server's static private key to decrypt the premaster secret; if that private key is later compromised, all past sessions can be decrypted, so it does not provide forward secrecy. Option B is wrong because Elliptic Curve Diffie-Hellman (ECDH) alone is a static-static or static-ephemeral variant unless the ephemeral (ECDHE) version is specified; the question asks for a method that ensures forward secrecy, and standard ECDH without the 'E' does not guarantee ephemeral keys. Option D is wrong because Static Diffie-Hellman uses fixed, long-term keys for both parties, meaning compromise of either static private key allows decryption of all past and future sessions, thus providing no forward secrecy.

423
Multi-Selectmedium

Which TWO of the following are essential components of a secure configuration baseline for a new server deployment?

Select 2 answers
A.Disable all unnecessary services and ports
B.Apply the latest security patches to the operating system
C.Enable only error logging, not audit logging
D.Assign the same strong password to all local accounts
E.Use default passwords for all service accounts
AnswersA, B

Reduces attack surface.

Why this answer

Options A and B are correct. Disabling unused services reduces attack surface, and applying the latest patches closes known vulnerabilities. Option E is wrong because default passwords are insecure and should be changed.

Option C is wrong because logging can be disabled but it is often needed for monitoring; keeping logs is generally recommended. Option D is wrong because using a single password for all accounts violates least privilege.

424
MCQhard

Refer to the exhibit. User bob, a member of the projectdev group, attempts to create a new file in /data/project but gets 'Permission denied'. What is the most likely reason?

A.The group permission (r-x) and the mask (rwx) combine to limit bob to read and execute only
B.Bob is not the owner of the directory
C.Bob's effective permissions are limited by the user:alice entry
D.The 'other' permission is '---', blocking all access for users not in the file's user or group
AnswerA

The effective group permission is determined by the ACL group entry (r-x) and the mask (rwx) – the more restrictive is applied, resulting in r-x, which lacks write.

Why this answer

The directory /data/project has group permissions set to r-x (read and execute) for the projectdev group, and the ACL mask entry is rwx, meaning it masks no bits. However, the group permission itself does not include write access. Since bob is a member of projectdev, his effective permissions are limited to read and execute, preventing file creation.

Exam trap

ISC2 often tests the misconception that the 'other' permission applies to group members, when in fact group permissions take precedence for users in the group. Note also that the mask in the exhibit is an ACL mask entry, which caps effective permissions, not the umask, which only affects the mode of newly created files and not the directory's existing permissions.

How to eliminate wrong answers

Option B is wrong because ownership of the directory is irrelevant; bob's group membership grants him group-level permissions, which are the limiting factor. Option C is wrong because the user:alice entry is an ACL that applies specifically to user alice, not to bob, and does not affect bob's permissions. Option D is wrong because the 'other' permission applies only to users who are not the owner and not in the group; bob is in the projectdev group, so group permissions apply, not 'other'.

425
MCQ · hard

An organization's risk register shows a high risk for phishing attacks. Which controls are considered detective controls for this risk?

A.Security awareness training.
B.Email filtering.
C.User reporting mechanism.
D.Multi-factor authentication.
Answer: C

User reporting detects phishing attacks that have reached users, enabling response.

Why this answer

A user reporting mechanism is a detective control because it enables users to identify and report suspected phishing emails after they have been received, allowing the security team to investigate and respond. Unlike preventive controls that block attacks, detective controls discover incidents that have already occurred, such as a user recognizing a malicious link or attachment in their inbox.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates misclassify 'user reporting' as a reactive or corrective control rather than recognizing it as a detective control that identifies an ongoing or past incident.

How to eliminate wrong answers

Option A is wrong because security awareness training is a preventive/deterrent control that educates users to avoid falling for phishing, not a control that detects attacks after they occur. Option B is wrong because email filtering is a preventive control that blocks phishing emails before they reach the user's inbox, not a detective measure that identifies incidents post-delivery. Option D is wrong because multi-factor authentication is a preventive control that protects accounts even if credentials are compromised, not a detective control that identifies phishing attempts or compromises.

426
MCQ · hard

A company runs a critical web application on an internal server that authenticates users against a Microsoft SQL Server database. The application was developed by a vendor that is no longer in business, and the source code is unavailable. The current authentication process stores user passwords using reversible encryption. The security team has identified this as a high-risk vulnerability. They propose implementing a database-level trigger that hashes the password column during INSERT and UPDATE operations, and modifying the application's stored procedures to compare hashed values during login. However, after implementation, users report that they cannot log in. The authentication logs show that the password comparison always fails. The database administrator confirms that the trigger is working and that new user registrations store the SHA-256 hash. What is the most likely cause of the login failures?

A.The trigger does not hash the password during UPDATE operations that are performed by the same user.
B.The application is using a different hashing algorithm than the trigger.
C.The stored procedure for login is still comparing the plain-text password with the hash.
D.The trigger hashes the password only if the password column is part of a specific set of columns.
Answer: C

The stored procedure likely was not modified to hash the input before comparison, resulting in failure.

Why this answer

Option C is correct because the stored procedure for login likely still expects a plain-text password and compares it directly to the stored hash, causing failure. Option A is incorrect because the trigger should fire on all updates, including those by the same user. Option B is incorrect because the trigger uses SHA-256 and the stored procedure should use the same algorithm.

Option D is incorrect because the trigger should be defined on the password column.

427
MCQ · easy

A network technician needs to ensure that only authorized DHCP servers can assign IP addresses on the network. Which switch feature should be enabled?

A.DHCP snooping
B.Dynamic ARP Inspection
C.Port security
D.BPDU guard
Answer: A

DHCP snooping blocks unauthorized DHCP server responses.

Why this answer

DHCP snooping is a security feature that filters untrusted DHCP messages and builds a DHCP snooping binding database by monitoring DHCP traffic on untrusted ports. By enabling DHCP snooping on the switch, only DHCP servers connected to trusted ports can assign IP addresses, preventing rogue DHCP server attacks.

Exam trap

ISC2 often tests DHCP snooping by confusing it with Dynamic ARP Inspection, but the key distinction is that DHCP snooping directly controls DHCP server messages, while DAI relies on the snooping database to validate ARP traffic.

How to eliminate wrong answers

Option B (Dynamic ARP Inspection) is wrong because it validates ARP packets using the DHCP snooping binding table to prevent ARP spoofing, not to control which DHCP servers can assign IP addresses. Option C (Port security) is wrong because it limits the number of MAC addresses allowed on a switch port to prevent MAC flooding, not to authorize DHCP servers. Option D (BPDU guard) is wrong because it protects spanning tree protocol by disabling ports that receive BPDUs, which is unrelated to DHCP server authorization.

428
MCQ · hard

Refer to the exhibit. A systems administrator configures this Group Policy setting. What is the direct consequence?

A.Members of Backup Operators cannot connect to the server using Remote Desktop.
B.Members of Backup Operators are prohibited from local console logon.
C.Members of Backup Operators can connect via Remote Desktop.
D.Members of Backup Operators are prevented from using any remote access method.
Answer: A

The deny setting explicitly blocks RDP access for that group.

Why this answer

Option A is correct because the 'Deny log on through Remote Desktop Services' policy explicitly prevents the specified group from using RDP. Option C is wrong because the policy denies, not allows, Remote Desktop access. Option B is wrong because the policy affects only Remote Desktop logon, not local console logon.

Option D is wrong because it does not affect other remote access methods like SSH unless specifically configured.

429
MCQ · medium

A system administrator is configuring a file encryption solution for a shared network drive. The solution must allow multiple users to read the files without sharing a single symmetric key. Which approach should be used?

A.Use a different symmetric key for each user and re-encrypt the file for each user
B.Encrypt the file with each user's public key directly
C.Encrypt the file with a symmetric key, then encrypt that key with each authorized user's public key
D.Encrypt the file with a single symmetric key and share that key securely with all users
Answer: C

This is a hybrid encryption approach that scales well and maintains security.

Why this answer

Option C describes hybrid encryption, which is the correct approach for this scenario. The file is encrypted with a random symmetric key (session key) for efficiency, and that symmetric key is then encrypted with each authorized user's public key. This allows multiple users to decrypt the symmetric key with their private key and then decrypt the file, without sharing a single symmetric key.

Exam trap

The trap here is that candidates may choose Option B (direct public key encryption) because they understand asymmetric encryption but overlook the performance and practical limitations of encrypting large files with public key algorithms, which are designed for small data like keys.

How to eliminate wrong answers

Option A is wrong because re-encrypting the entire file for each user with a different symmetric key is computationally expensive and does not scale; it also requires managing multiple encrypted copies. Option B is wrong because directly encrypting the file with each user's public key would require encrypting the entire file multiple times, which is inefficient for large files and does not leverage symmetric key performance. Option D is wrong because sharing a single symmetric key with all users violates the requirement of not sharing a single symmetric key and introduces a single point of compromise.

430
MCQ · medium

A company implements mandatory access control (MAC) on its classified document system. A user with a security clearance of Secret attempts to read a document labeled Top Secret. What happens?

A.The user is prompted to request a temporary upgrade
B.The access is denied by the system
C.The document is downgraded to Secret for the user
D.The user can read the document because they have a valid clearance
Answer: B

MAC denies any access that violates the lattice.

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the user's security clearance (Secret) with the document's classification label (Top Secret). Since the clearance level is lower than the document's classification, the system automatically denies the read operation. This is a fundamental property of MAC, where the system enforces the Bell-LaPadula model's simple security property (no read up).

Exam trap

The trap here is that candidates confuse MAC with discretionary access control (DAC), where a user might be able to request temporary access or have permissions changed by the owner, but in MAC, all access decisions are system-enforced and cannot be overridden by users.

How to eliminate wrong answers

Option A is wrong because MAC does not support user-initiated temporary upgrades; clearance changes require administrative action and are not prompted by the system. Option C is wrong because MAC never automatically downgrades a document's classification label to match a user's clearance; labels are immutable and set by the security administrator. Option D is wrong because having a valid clearance is insufficient; the clearance must equal or exceed the document's classification level for read access.

431
Multi-Select · medium

Which TWO of the following are primary purposes of a risk register?

Select 2 answers
A.Track the status of risk treatment plans
B.Document identified risks and their characteristics
C.Record network traffic logs
D.Store vulnerability scan results
E.Provide a checklist for compliance audits
Answers: A, B

The risk register tracks mitigation actions and their progress.

Why this answer

Option A is correct because a risk register is a living document used to track the status of risk treatment plans, including whether controls have been implemented, are in progress, or are overdue. This ensures that risk owners are accountable and that residual risk is managed over time. Option B is correct because the primary function of a risk register is to document identified risks along with their characteristics, such as probability, impact, risk score, and owner.

These two functions are core to the risk management process as defined by frameworks like NIST SP 800-37 and ISO 31000.

Exam trap

The trap here is that candidates confuse the risk register with operational security tools like vulnerability scanners or log management systems, leading them to select options that describe technical data storage rather than the risk management documentation and tracking functions.

432
MCQ · easy

An organization wants to allow secure remote access for employees. Which protocol is most appropriate for a site-to-site VPN?

A.PPTP
B.SSL/TLS
C.IPsec
D.SSH
E.L2TP
Answer: C

IPsec provides strong encryption and authentication for site-to-site VPNs.

Why this answer

IPsec is the correct choice for a site-to-site VPN because it operates at the network layer (Layer 3), providing encryption and authentication for all IP traffic between two entire networks. It supports both tunnel and transport modes, and uses protocols like ESP (Encapsulating Security Payload) and AH (Authentication Header) to ensure confidentiality, integrity, and origin authentication, making it the standard for permanent site-to-site connections.

Exam trap

The trap here is that candidates often confuse SSL/TLS with site-to-site VPNs because of its common use in remote access VPNs (e.g., AnyConnect), but SSL/TLS is a transport-layer protocol designed for client-to-server connections, not for routing entire network segments.

How to eliminate wrong answers

Option A (PPTP) is wrong because it uses outdated MPPE encryption and relies on PPP authentication, which has known security vulnerabilities (e.g., MS-CHAPv2 cracking) and is not suitable for secure site-to-site VPNs. Option B (SSL/TLS) is wrong because it operates at the transport layer (Layer 4) and is designed for client-to-site remote access VPNs (e.g., OpenVPN or AnyConnect), not for routing traffic between two entire networks. Option D (SSH) is wrong because it is a protocol for secure remote command-line access and port forwarding (tunneling individual TCP connections), not for encapsulating entire IP networks.

Option E (L2TP) is wrong because it is a tunneling protocol that provides no encryption by itself (RFC 2661); it is typically paired with IPsec (L2TP/IPsec) for security, but alone it is not appropriate for a secure site-to-site VPN.

433
Multi-Select · medium

A network administrator is configuring a VPN using IPsec. Which two protocols are used within IPsec to ensure data integrity and confidentiality? (Choose two.)

Select 2 answers
A.SSL (Secure Sockets Layer)
B.L2TP (Layer 2 Tunneling Protocol)
C.ESP (Encapsulating Security Payload)
D.IKE (Internet Key Exchange)
E.AH (Authentication Header)
Answers: C, E

ESP provides both confidentiality and integrity, making it essential for data security in IPsec.

Why this answer

C is correct because ESP (Encapsulating Security Payload) provides both data confidentiality (via encryption) and data integrity (via authentication), making it the primary IPsec protocol for securing payloads. E is correct because AH (Authentication Header) ensures data integrity and origin authentication but does not provide confidentiality, as it does not encrypt the payload. Together, ESP and AH are the two core IPsec protocols that handle integrity and confidentiality, though ESP alone is typically used in modern deployments.

Exam trap

The trap here is that candidates often confuse IKE as a protocol that provides data integrity or confidentiality, when in fact it only handles key exchange and SA negotiation, not the actual data protection.

434
MCQ · medium

A company deploys a guest Wi-Fi network that must be isolated from the internal network. The network team uses VLANs and a firewall. Which configuration best ensures isolation?

A.Configure the same SSID for both guest and internal networks but use different passwords.
B.Create a separate VLAN for guest traffic with a firewall rule blocking access to internal subnets.
C.Use WPA2 encryption with a pre-shared key and disable SSID broadcast.
D.Assign guest devices to the same subnet as internal devices but enforce MAC filtering.
Answer: B

This provides both VLAN segmentation and firewall enforcement.

Why this answer

Option B is correct because creating a separate VLAN for guest traffic logically segments the network at Layer 2, and adding a firewall rule that explicitly blocks access to internal subnets enforces isolation at Layer 3/4. This ensures guest devices cannot reach internal resources, even if they are on the same physical infrastructure.

Exam trap

The trap here is that candidates often confuse security features like encryption (WPA2) or hiding the SSID with network isolation, failing to recognize that VLANs and firewall rules are required for true Layer 2/3 separation.

How to eliminate wrong answers

Option A is wrong because using the same SSID for both guest and internal networks does not provide any logical separation; devices would still be on the same broadcast domain unless VLANs are used, and different passwords alone do not prevent traffic from crossing between networks. Option C is wrong because disabling SSID broadcast (hidden SSID) is a weak security measure that does not isolate traffic; it only hides the network name, and WPA2 with a PSK does not prevent guest devices from accessing internal subnets if they are on the same VLAN. Option D is wrong because assigning guest devices to the same subnet as internal devices eliminates any Layer 3 separation, and MAC filtering is an access control mechanism that can be easily spoofed and does not block traffic between devices on the same subnet.

435
MCQ · hard

Refer to the exhibit. An analyst reviews the sshd log. What should be the immediate response?

A.Block the source IP 203.0.113.5 on the firewall
B.Disable SSH service on the server
C.Inform the server administrator of the suspicious activity
D.Change the root password and disable root SSH login
Answer: D

Immediately revoke access for the compromised account and prevent further use.

Why this answer

The sshd log shows repeated failed root login attempts from IP 203.0.113.5, indicating a brute-force attack targeting the root account. The immediate response is to change the root password and disable root SSH login (e.g., set `PermitRootLogin no` in `/etc/ssh/sshd_config`), as this directly mitigates the attack vector by removing the ability to authenticate as root via SSH. This aligns with the principle of least privilege and is a standard first step in SSH security hardening.

Exam trap

The trap here is that candidates often choose to block the source IP (Option A) because it seems like a quick fix, but they overlook that the root account remains exposed and the attacker can simply switch IPs, making the password change and disabling root login the correct immediate response.

How to eliminate wrong answers

Option A is wrong because blocking the source IP 203.0.113.5 on the firewall is a reactive measure that only addresses this specific attacker; the root account remains vulnerable to future attacks from other IPs, and the underlying misconfiguration (root SSH login enabled) is not fixed. Option B is wrong because disabling the SSH service on the server would deny legitimate administrative access entirely, causing unnecessary disruption; the goal is to secure SSH, not disable it. Option C is wrong because informing the server administrator of the suspicious activity is a notification step, not an immediate response; it delays action while the attack continues, and the administrator would still need to perform the corrective steps (change password, disable root login).

436
MCQ · hard

A large data center uses a three-tier architecture with core, aggregation, and access switches. The security team detects anomalous traffic patterns: every night at 2:00 AM, a single server (IP 10.10.10.50) sends large ICMP Echo requests to multiple external IPs, followed by a flood of TCP SYN packets from those external IPs back to the server. The server is a critical database server that should not initiate outbound connections. The team suspects the server is compromised. The network team wants to contain the threat without taking the server offline immediately. Which action should they take first?

A.Apply an access control list (ACL) on the switch port to block outbound ICMP and non-essential TCP traffic from the server.
B.Add a firewall rule to block all traffic to and from the server's IP.
C.Move the server to a quarantine VLAN with no route to the internet.
D.Shut down the switch port to disconnect the server immediately.
Answer: A

This restricts the server's outbound traffic without fully disconnecting it.

Why this answer

Option A is correct because applying an ACL on the switch port to block outbound ICMP and non-essential TCP traffic from the server immediately stops the anomalous traffic (ICMP Echo requests and TCP SYN flood responses) without taking the critical database server offline. This containment approach preserves server availability for legitimate database operations while preventing further malicious outbound activity, aligning with the goal of containing the threat without immediate downtime.

Exam trap

The trap here is that candidates often choose a more drastic action like shutting down the port or blocking all traffic, failing to recognize that a granular ACL on the switch port can surgically stop the malicious traffic while keeping the server online for its primary role.

How to eliminate wrong answers

Option B is wrong because adding a firewall rule to block all traffic to and from the server's IP would completely isolate the server, taking it offline and violating the requirement to not take the server offline immediately. Option C is wrong because moving the server to a quarantine VLAN with no route to the internet would require reconfiguring the network and potentially disrupting connectivity, which is more invasive and time-consuming than a simple ACL on the switch port; it also does not address the immediate need to stop the ongoing traffic. Option D is wrong because shutting down the switch port disconnects the server entirely, taking it offline and failing the condition to contain the threat without immediate downtime.

437
Multi-Select · medium

A system administrator is hardening a Windows server. Which two of the following are effective hardening measures? (Choose two.)

Select 2 answers
A.Disable unnecessary services
B.Set file permissions to Everyone: Full Control
C.Remove administrative shares
D.Enable guest account with strong password
E.Use Telnet for remote management
Answers: A, C

Reduces potential attack vectors.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for malware or unauthorized access. On Windows Server, services like Print Spooler or Windows Search may be disabled if not needed, as they have historically been exploited (e.g., PrintNightmare). This aligns with the principle of least functionality.

Exam trap

The trap here is that candidates may think removing administrative shares breaks legitimate management tasks, but in reality, modern tools like PowerShell Remoting or Group Policy do not rely on hidden shares, making this a safe and effective hardening step.

438
Multi-Select · medium

An organization has detected a ransomware infection on a critical file server. The incident response team has been activated. Which TWO actions should be performed FIRST during the initial response phase?

Select 2 answers
A.Determine the type of ransomware variant
B.Immediately disconnect the file server from the network
C.Reimage the file server using a known good backup
D.Identify all affected systems and scope of infection
E.Notify law enforcement authorities
Answers: B, D

Immediate containment prevents further encryption or lateral movement.

Why this answer

Option B is correct because immediately disconnecting the file server from the network is a critical containment action that stops the ransomware from encrypting additional files on the server and prevents lateral movement to other systems. This aligns with the first priority in incident response: containment before eradication or recovery. Disconnecting at the switch port or disabling the network interface card (NIC) is preferred over a graceful shutdown to avoid triggering any persistence mechanisms.

Exam trap

ISC2 often tests the misconception that identifying the ransomware variant (Option A) is the first step, but in the SSCP framework, containment (disconnection) and scoping (identifying affected systems) are the immediate priorities during the initial response phase.

439
MCQ · medium

A company needs to ensure that when an employee leaves the organization, their accounts are disabled promptly to prevent unauthorized access. Which approach is MOST effective for timely account deactivation?

A.Conduct quarterly access reviews to identify and disable unused accounts.
B.Require managers to report departures via a ticketing system.
C.Implement a self-service password reset system to empower users.
D.Automatically synchronize with the HR system to disable accounts upon termination.
Answer: D

Automated synchronization with HR ensures near-instant deactivation when HR records a termination, significantly reducing the window of unauthorized access.

Why this answer

Option D is correct because automatically synchronizing with the HR system ensures that account deactivation occurs immediately upon termination, eliminating human delay or error. This approach leverages identity lifecycle management (ILM) to enforce the principle of least privilege and prevent unauthorized access through orphaned accounts.

Exam trap

The trap here is that candidates may choose option B because it seems proactive, but they overlook the inherent delay and unreliability of manual reporting compared to automated synchronization, which is the only option guaranteeing timely deactivation.

How to eliminate wrong answers

Option A is wrong because quarterly reviews are too infrequent to meet the requirement for timely deactivation, leaving accounts active for up to 90 days after departure. Option B is wrong because relying on managers to report departures via a ticketing system introduces manual latency and the risk of forgotten or delayed reports, which fails to guarantee prompt deactivation. Option C is wrong because a self-service password reset system does not disable accounts; it only allows users to reset their own passwords, which is irrelevant to deactivating a terminated employee's account.

440
MCQ · medium

A security team is conducting a qualitative risk assessment for a new cloud application. They want to prioritize risks based on likelihood and impact. Which method should they use to combine these factors?

A.Risk matrix (heat map)
B.SWOT analysis
C.Annualized loss expectancy (ALE)
D.Business Impact Analysis (BIA)
Answer: A

A qualitative risk matrix uses ordinal scales for likelihood and impact to produce risk ratings.

Why this answer

A risk matrix (heat map) is the correct method because it combines qualitative assessments of likelihood and impact into a single visual grid, allowing the team to prioritize risks by their position in the matrix. This approach is standard for qualitative risk assessments where numerical data is unavailable, as it maps ordinal ratings (e.g., low, medium, high) to a color-coded priority level.

Exam trap

The trap here is that candidates often confuse qualitative risk assessment with quantitative methods like ALE, assuming any combination of likelihood and impact requires numerical calculation, but the question explicitly states 'qualitative', which directly points to a risk matrix.

How to eliminate wrong answers

Option B is wrong because SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) is a strategic planning tool used to identify internal and external factors, not a method for combining likelihood and impact to prioritize risks. Option C is wrong because Annualized Loss Expectancy (ALE) is a quantitative metric (SLE × ARO) that requires numerical values for asset value and frequency, making it unsuitable for a purely qualitative assessment. Option D is wrong because Business Impact Analysis (BIA) focuses on identifying critical business functions and recovery priorities, not on combining likelihood and impact for risk prioritization.

441
MCQ · hard

A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?

A.Extend manager on-call hours to cover all times.
B.Implement a break-glass procedure for emergency access.
C.Remove the approval requirement for privileged access.
D.Require analysts to call a manager for approval each time.
Answer: B

Break-glass allows temporary privileged access with post-event review, balancing security and availability.

Why this answer

Option B is correct because a break-glass procedure provides a predefined, auditable method for granting emergency privileged access without requiring real-time manager approval. This balances security with operational continuity, allowing analysts to perform critical changes outside business hours while maintaining accountability through post-event review and logging.

Exam trap

The trap here is that candidates may choose option A (extending on-call hours) thinking it solves the availability issue, but they fail to recognize that it does not address the fundamental need for immediate, unattended access during emergencies, which is the core purpose of a break-glass procedure.

How to eliminate wrong answers

Option A is wrong because extending manager on-call hours does not eliminate the approval bottleneck; it only shifts the coverage window, potentially leading to delays or burnout without a guaranteed response. Option C is wrong because removing the approval requirement for privileged access eliminates necessary oversight, violating the principle of least privilege and increasing the risk of unauthorized changes. Option D is wrong because requiring analysts to call a manager for approval each time outside business hours creates a single point of failure and introduces unacceptable delays for emergency changes, undermining operational resilience.

442
MCQ · easy

A small company uses a single firewall at the network perimeter. The security team receives alerts from an IDS but cannot correlate them with firewall logs because logs are stored on separate servers with different timestamps. The CEO wants to reduce false positives and improve incident response. What should the security team do first?

A.Increase the IDS sensitivity to catch more threats.
B.Replace the IDS with a next-generation firewall.
C.Implement a SIEM to aggregate and correlate logs from multiple sources.
D.Manually align timestamps on each server daily.
Answer: C

A SIEM centralizes logs and normalizes timestamps, enabling correlation and reducing false positives.

Why this answer

A SIEM (Security Information and Event Management) system aggregates logs from multiple sources, normalizes timestamps, and correlates events to reduce false positives and improve incident response. This directly addresses the core problem of disparate log sources with unsynchronized timestamps, enabling effective correlation between IDS alerts and firewall logs without replacing existing infrastructure.

Exam trap

The trap here is that candidates may think a next-generation firewall (NGFW) replaces the need for log correlation, but NGFWs still generate logs that require aggregation and correlation with other sources to reduce false positives and enable effective incident response.

How to eliminate wrong answers

Option A is wrong because increasing IDS sensitivity would generate more alerts, exacerbating the false positive problem and making correlation harder without fixing the timestamp mismatch. Option B is wrong because replacing the IDS with a next-generation firewall (NGFW) does not solve the log correlation issue; NGFWs still generate logs that need to be correlated with other sources, and the underlying timestamp synchronization problem remains. Option D is wrong because manually aligning timestamps daily is impractical, error-prone, and does not scale; it also fails to provide automated correlation or reduce false positives in real time.

443
MCQ · hard

A security analyst discovers that an internal host is sending traffic to an external IP address known to be a command-and-control server. The analyst wants to block only that specific traffic without affecting other traffic. Which firewall rule should be implemented?

A. Deny all traffic from the internal host.
B. Deny all traffic to the external IP.
C. Deny traffic on the specific port used.
D. Deny traffic from the internal host to the external IP.
Answer: D

This provides a targeted block without affecting other traffic.

Why this answer

Option D is correct because it creates a specific deny rule that matches only the source IP of the internal host and the destination IP of the command-and-control server, blocking that exact traffic flow while allowing all other traffic to and from both hosts. This is the most precise and least disruptive approach, adhering to the principle of least privilege in firewall rule design.

Exam trap

The trap here is that candidates often choose a broad deny rule (like denying all traffic to the external IP) because they focus on the malicious destination, forgetting that such a rule would block all traffic to that IP from any source, potentially impacting other hosts or services.

How to eliminate wrong answers

Option A is wrong because denying all traffic from the internal host would block all outbound communications from that host, including legitimate traffic to other destinations, causing unnecessary disruption. Option B is wrong because denying all traffic to the external IP would block all inbound and outbound traffic to that IP from any host, potentially affecting other internal hosts that may need to communicate with that IP for legitimate reasons (though unlikely in this scenario, it is overly broad). Option C is wrong because denying traffic on the specific port used would block all traffic on that port to any destination, not just the command-and-control server, which could disrupt other services using the same port.

444
Multi-Select · medium

Which TWO of the following are key components of a security awareness program?

Select 2 answers
A. User training on password policies
B. Regular phishing simulations
C. Incident response drills
D. Quarterly vulnerability scans
E. Annual penetration testing
Answers: A, B

Training users on strong password creation and management is a core awareness component.

Why this answer

A security awareness program focuses on educating users about security policies and threats. Phishing simulations test user vigilance, and password policy training reinforces good practices. Vulnerability scans and penetration tests are technical controls, not awareness components.

Incident response drills involve technical teams, not general user awareness.

445
MCQ · medium

A security analyst receives an alert that a user account has been locked out multiple times within 10 minutes. The analyst checks the account and finds it is a service account used for automated backups. What is the most likely cause?

A. The service account's certificate has expired.
B. A brute force attack is targeting the service account.
C. The account password has expired and needs to be reset.
D. The service is using cached credentials that are out of sync with the domain controller.
Answer: D

Service accounts often cache credentials; if the password changes or becomes out of sync, repeated lockouts occur.

Why this answer

Service accounts used for automated backups typically run as services that cache their credentials locally. When the password is changed on the domain controller, the cached credentials in the service's logon session become out of sync. The service repeatedly attempts to authenticate with the stale cached password, causing rapid lockout events within a short window.

Exam trap

The trap here is that candidates confuse a service account lockout with a brute force attack, but the pattern of rapid lockouts from the same source with no external IP variation points to cached credential mismatch, not an active attack.

How to eliminate wrong answers

Option A is wrong because certificate expiration would cause authentication failures, but not repeated lockouts; the service would fail to authenticate silently without triggering account lockout policy. Option B is wrong because a brute force attack would show multiple failed attempts from different IPs or sources, not a single service account locking out repeatedly from the same host. Option C is wrong because password expiration prevents the account from logging in at all, but the service would not repeatedly attempt authentication; it would fail once and stop, not generate multiple lockouts.

446
MCQ · hard

A Windows workstation is unable to authenticate to a Kerberos-based application. The time on the workstation is 5 minutes ahead of the domain controller. What is the impact?

A. The user would be prompted for credentials but authentication would proceed
B. Authentication will fail because the time difference exceeds the default Kerberos clock skew limit
C. Only NTLM authentication would be affected
D. No impact; Kerberos can tolerate up to 10 minutes of skew
Answer: B

Kerberos allows a maximum clock skew of 5 minutes by default; a difference of exactly 5 minutes sits at that limit and is likely to be rejected, succeeding only if it stays within tolerance.

Why this answer

Kerberos authentication relies on timestamps to prevent replay attacks. The default maximum clock skew allowed between a client and a domain controller is 5 minutes (as defined in RFC 4120). Since the workstation is exactly 5 minutes ahead, it sits right at the threshold, and any additional delay or network latency pushes the timestamp past the limit, resulting in authentication failure. Therefore, the user will be unable to authenticate.

Exam trap

The trap here is that candidates often assume the default clock skew is 10 minutes (as in some older implementations) or that a 5-minute difference is acceptable, but the SSCP exam expects you to know the exact default value of 5 minutes and that reaching that limit causes authentication to fail.

How to eliminate wrong answers

Option A is wrong because Kerberos does not prompt for credentials and proceed when the clock skew exceeds the limit; it returns a KRB_AP_ERR_SKEW error and authentication fails. Option C is wrong because the question specifies a Kerberos-based application, and NTLM is a separate protocol that is not directly affected by Kerberos clock skew; the impact is on Kerberos, not NTLM. Option D is wrong because the default Kerberos clock skew limit is 5 minutes, not 10 minutes; a skew of exactly 5 minutes is at the boundary and typically causes failure, especially with real-world network delays.

447
MCQ · medium

A system administrator receives a report that a critical server is running low on disk space. After investigation, it is determined that the log files are not being rotated properly. Which of the following is the BEST solution to prevent this issue in the future?

A. Configure log rotation based on size and age.
B. Increase the maximum log file size.
C. Redirect logs to a different partition.
D. Enable compression on the log folder.
Answer: A

Log rotation automatically archives and deletes old logs.

Why this answer

Option A is correct because implementing log rotation policies ensures logs are archived and disk space is managed automatically. Option B only adjusts the size limit but does not rotate logs. Option C is for applications, not system logs. Option D does not reduce space usage.

448
MCQ · medium

A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?

A. User and entity behavior analytics (UEBA)
B. Manual log review
C. Vulnerability scanning
D. Threat intelligence feeds
Answer: A

UEBA detects deviations from normal behavior, such as a login from an unusual location.

Why this answer

UEBA is the correct answer because it uses machine learning and statistical models to establish a baseline of normal user behavior (e.g., typical login times, geolocations, and access patterns). When the employee's credentials are used from a foreign IP address while the employee is physically in the office, UEBA detects this as an anomalous deviation from the baseline, triggering an alert. This technique is specifically designed for real-time anomaly detection in user and entity activities, making it the most direct method for identifying this type of credential misuse.

Exam trap

The trap here is that candidates may confuse threat intelligence feeds (Option D) with anomaly detection, assuming that an unrecognized foreign IP would be flagged by a threat feed, but UEBA is the only technique that directly detects behavioral anomalies without relying on known-bad indicators.

How to eliminate wrong answers

Option B (Manual log review) is wrong because it is a reactive, labor-intensive process that relies on human analysts to sift through logs after an incident, making it inefficient for real-time anomaly detection; it would not directly detect the anomaly without prior suspicion or automated correlation. Option C (Vulnerability scanning) is wrong because it focuses on identifying known security weaknesses in systems (e.g., unpatched software, misconfigurations) rather than monitoring user behavior or detecting anomalous access patterns. Option D (Threat intelligence feeds) is wrong because they provide information about known malicious IPs, domains, or indicators of compromise (IOCs) from external sources, but they do not establish a baseline of normal user behavior; an unrecognized IP from a foreign country may not be in any threat feed, so the anomaly would be missed without behavioral analysis.

449
MCQ · hard

A company's IDS generated an alert for a suspicious outbound connection to a known C2 server. The incident team discovers the host has been communicating for 2 weeks. Which containment strategy is most appropriate?

A. Perform memory forensics before disconnecting
B. Block the C2 IP at the perimeter
C. Shut down the host
D. Disconnect the host from the network immediately
Answer: A

Memory capture preserves evidence of running processes and network connections.

Why this answer

Performing memory forensics before disconnecting (A) is the most appropriate containment strategy because the host has been compromised for two weeks, meaning the attacker may have deployed rootkits, injected malicious code into system processes, or established persistence mechanisms that reside only in volatile memory. Disconnecting or shutting down the host immediately would destroy this volatile evidence, hindering the incident response team's ability to identify the full scope of the compromise, including the specific malware variant, C2 communication methods, and any lateral movement artifacts. Memory forensics allows the team to capture running processes, network connections, and loaded kernel modules, which are critical for understanding the attacker's tactics and preventing future incidents.

Exam trap

The trap here is that candidates often choose immediate disconnection (D) or IP blocking (B) as a quick containment action, failing to recognize that preserving volatile evidence is a higher priority in a long-term compromise to ensure a complete forensic analysis and effective remediation.

How to eliminate wrong answers

Option B is wrong because simply blocking the C2 IP at the perimeter is a reactive network-level control that does not address the already compromised host; the attacker may have multiple fallback C2 domains or IPs, and the host could still be used for lateral movement or data exfiltration via other channels. Option C is wrong because shutting down the host destroys volatile memory evidence and may trigger anti-forensic mechanisms that wipe logs or encrypt data, while also potentially alerting the attacker that their presence is known. Option D is wrong because disconnecting the host immediately without first performing memory forensics loses critical volatile data such as active network connections, encryption keys in memory, and running malicious processes, which are essential for a thorough investigation and attribution.

450
MCQ · easy

Which metric is used to measure the potential loss from a single occurrence of a risk?

A. Exposure Factor (EF)
B. Annualized Loss Expectancy (ALE)
C. Annualized Rate of Occurrence (ARO)
D. Single Loss Expectancy (SLE)
Answer: D

SLE is the monetary loss from a single occurrence.

Why this answer

The Single Loss Expectancy (SLE) is the metric used to measure the potential loss from a single occurrence of a risk. It is calculated as Asset Value (AV) multiplied by the Exposure Factor (EF), providing a dollar value for one incident. This directly answers the question of loss per single event.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who confuse a single-event loss with an annualized figure, especially when the question explicitly asks for 'single occurrence' but the answer options include ALE as a distractor.

How to eliminate wrong answers

Option A is wrong because Exposure Factor (EF) is a percentage representing the proportion of asset value lost per incident, not a direct monetary loss measure. Option B is wrong because Annualized Loss Expectancy (ALE) measures the expected loss per year, calculated as SLE × ARO, not per single occurrence. Option C is wrong because Annualized Rate of Occurrence (ARO) is a frequency metric (events per year), not a loss measurement.
