Systems Security Certified Practitioner SSCP (SSCP) — Questions 451504

504 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
Multi-Selecthard

Which THREE are appropriate controls to prevent unauthorized access to a data center? (Choose three.)

Select 3 answers
A.Biometric scanner
B.Firewall
C.Mantrap
D.Security guards
E.Encryption
AnswersA, C, D

Biometric scanner authenticates individuals for physical access.

Why this answer

A biometric scanner is a physical access control that authenticates individuals based on unique physiological characteristics (e.g., fingerprints, iris patterns). It directly prevents unauthorized entry by verifying identity at the data center perimeter, making it an appropriate control for physical security.

Exam trap

ISC2 often tests the distinction between physical access controls (e.g., biometrics, mantrap, guards) and logical/technical controls (e.g., firewall, encryption), leading candidates to mistakenly select network or data protection mechanisms for a physical security question.

452
MCQmedium

A web application processes user-supplied data in SQL queries. Which practice best prevents SQL injection?

A.Parameterized queries
B.Escaping all user input
C.Using stored procedures exclusively
D.Input length validation
AnswerA

Parameterized queries ensure user input is treated as data, not code.

Why this answer

Parameterized queries (also known as prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:name` in PDO). The database engine treats the user input strictly as data, never as executable SQL code, which inherently prevents SQL injection regardless of the input content.

Exam trap

ISC2 often tests the misconception that stored procedures are inherently safe, but the trap is that they only prevent injection if they avoid dynamic SQL construction within the procedure body.

How to eliminate wrong answers

Option B is wrong because escaping all user input is error-prone and context-dependent; for example, escaping for MySQL with `mysql_real_escape_string()` can still be bypassed if the character set is mismatched (e.g., GBK encoding leading to multibyte injection). Option C is wrong because stored procedures alone do not prevent SQL injection if dynamic SQL is constructed within the procedure using concatenated user input (e.g., `EXEC('SELECT * FROM Users WHERE id = ' + @input)`). Option D is wrong because input length validation only restricts the size of input, not its malicious content; a short SQL injection payload like `' OR 1=1 --` can easily pass length checks.

453
MCQmedium

A security team is conducting a penetration test. In which phase would they attempt to exploit vulnerabilities found during scanning?

A.Maintaining access.
B.Scanning.
C.Reconnaissance.
D.Gaining access.
AnswerD

This phase uses exploits to achieve initial access based on scan results.

Why this answer

The gaining access phase is where the penetration tester actively exploits vulnerabilities discovered during scanning to obtain unauthorized entry into the system. This phase involves using tools like Metasploit or custom exploits to leverage specific weaknesses, such as unpatched software or misconfigured services, to achieve initial foothold. It directly follows the scanning phase and precedes maintaining access, making D the correct choice.

Exam trap

The trap here is confusing the scanning phase with the gaining access phase, as candidates often think vulnerability scanning includes exploitation, but scanning only identifies potential weaknesses without actively compromising the system.

How to eliminate wrong answers

Option A is wrong because maintaining access occurs after gaining access, focusing on persistence mechanisms like backdoors or rootkits, not the initial exploitation of vulnerabilities. Option B is wrong because scanning is the phase where vulnerabilities are identified through port scans (e.g., Nmap) and service enumeration, but exploitation is not performed here. Option C is wrong because reconnaissance is the initial information-gathering phase (e.g., OSINT, DNS lookups) that precedes scanning and does not involve active exploitation of vulnerabilities.

454
MCQhard

During a security audit, it is discovered that network devices are using Telnet for management. Which of the following is the most secure replacement to ensure encrypted remote access?

A.SNMPv3 with authentication and encryption
B.SSH with public key authentication
C.HTTPS with self-signed certificate
D.SSH with password authentication
AnswerB

Public key authentication is more secure and supports encryption.

Why this answer

SSH (Secure Shell) provides encrypted remote access and authentication, replacing the insecure Telnet protocol. Public key authentication adds a second factor (the private key) and is resistant to brute-force password attacks, making it the most secure option for managing network devices.

Exam trap

The trap here is that candidates often confuse SNMPv3's encryption capabilities with remote shell access, or they assume that any encrypted protocol (like HTTPS) is a direct replacement for Telnet, ignoring that SSH is the standard for secure command-line management.

How to eliminate wrong answers

Option A is wrong because SNMPv3 is designed for network management monitoring and trap notifications, not for interactive remote shell access or device configuration. Option C is wrong because HTTPS with a self-signed certificate encrypts the session but does not provide a trusted identity verification and is typically used for web-based management interfaces, not for command-line remote access. Option D is wrong because SSH with password authentication still relies on a shared secret that can be guessed, intercepted via keylogging, or compromised in transit if weak ciphers are used, whereas public key authentication eliminates password transmission.

455
MCQmedium

A company uses an identity management system that requires users to authenticate using a smart card and a PIN. This is an example of:

A.Single sign-on (SSO)
B.Biometric authentication
C.Two-factor authentication
D.Multi-factor authentication
AnswerC

Smart card (possession) and PIN (knowledge) constitute two-factor authentication.

Why this answer

Two-factor authentication (2FA) requires two distinct factors from different categories: something you have (the smart card) and something you know (the PIN). This combination provides stronger assurance than a single factor because an attacker would need both physical possession of the card and knowledge of the PIN to authenticate.

Exam trap

The trap here is that candidates often confuse multi-factor authentication (MFA) with two-factor authentication (2FA), but the SSCP exam expects you to recognize that when exactly two distinct factors are used, 'two-factor authentication' is the precise and correct term, not the broader 'multi-factor authentication'.

How to eliminate wrong answers

Option A is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials; it does not inherently involve multiple authentication factors. Option B is wrong because biometric authentication relies on something you are (e.g., fingerprint, iris scan), not a smart card and PIN combination. Option D is wrong because multi-factor authentication (MFA) requires two or more factors, but the question specifically describes exactly two factors (smart card and PIN), making two-factor authentication the more precise term; MFA is a broader category that includes 2FA, but 2FA is the correct specific answer here.

456
MCQeasy

A small medical office has 10 employees who use laptops to access electronic health records (EHR) via a web application hosted at a colocation facility. The office currently uses a consumer-grade wireless router with WPA2-PSK for internet access. The EHR vendor requires all connections to be encrypted with TLS 1.2 and recommends using a VPN for remote access. The office manager wants to ensure secure connections from the office to the EHR system, while keeping costs low. The network consultant proposes several options. Which option best balances security and cost?

A.Upgrade the wireless router to one that supports WPA3-Enterprise.
B.Install a dedicated SSL VPN appliance at the office for clientless access.
C.Configure an IPsec site-to-site VPN between the office router and the colocation firewall.
D.Use only HTTPS with TLS 1.2 and disable HTTP access on the EHR server.
AnswerC

IPsec VPN provides end-to-end encryption and is cost-effective with existing hardware.

Why this answer

Option C is correct because an IPsec site-to-site VPN creates an encrypted tunnel between the office router and the colocation firewall, securing all EHR traffic without requiring per-user software or high ongoing costs. This directly satisfies the EHR vendor's VPN recommendation while using existing infrastructure (the office router and colocation firewall) and avoiding the expense of a dedicated appliance or complex client management.

Exam trap

The trap here is that candidates often focus on securing the wireless link (WPA3) or the application layer (HTTPS), forgetting that the EHR vendor explicitly requires a VPN to protect data across the untrusted internet path, not just at the endpoints.

How to eliminate wrong answers

Option A is wrong because upgrading to WPA3-Enterprise only secures the wireless link within the office, not the traffic between the office and the colocation facility; the EHR vendor requires encryption for the entire path, and WPA3 does not address internet transit. Option B is wrong because installing a dedicated SSL VPN appliance at the office adds significant hardware and licensing costs, which contradicts the office manager's goal of keeping costs low; clientless access is also unnecessary since employees use laptops that can run a VPN client. Option D is wrong because using only HTTPS with TLS 1.2 protects the web application session but does not encrypt traffic between the office network and the colocation facility at the network layer; it leaves the connection vulnerable to LAN-side attacks and does not meet the vendor's VPN recommendation.

457
MCQhard

A mid-sized company has deployed a web application that handles sensitive customer data. The application uses TLS to encrypt data in transit. Recently, the company received a penetration test report indicating that an attacker could potentially downgrade the TLS connection to an older, weaker version (e.g., TLS 1.0) by performing a man-in-the-middle attack. The application server runs on Windows Server 2022 with IIS 10. The security team wants to disable all versions of TLS below 1.2 on the server. However, after making registry changes to disable TLS 1.0 and 1.1, some legacy clients that only support TLS 1.0 are unable to connect. The business requires that these legacy clients still be able to access the application securely, but the security team insists on disabling weak protocols. The server currently has a valid certificate from a public CA. Which of the following is the most appropriate course of action?

A.Switch the application to use a VPN instead of TLS for legacy client access.
B.Upgrade all legacy clients to support TLS 1.2 or later immediately.
C.Deploy a TLS-terminating reverse proxy that supports both strong and legacy TLS, placing it in front of the web server.
D.Re-enable TLS 1.0 and 1.1 on the server, as the business requirement outweighs security concerns.
AnswerC

The proxy can negotiate strong TLS with the server and weaker TLS with legacy clients, isolating the server from weak protocols.

Why this answer

Option C is correct because deploying a TLS-terminating reverse proxy allows the server to enforce TLS 1.2+ on the backend while the proxy handles legacy TLS 1.0 connections from older clients. This satisfies both the security requirement to disable weak protocols on the origin server and the business need to support legacy clients, without exposing the server to downgrade attacks. The proxy can be configured with separate TLS policies per listener, ensuring that only the proxy accepts weaker TLS versions while the IIS server remains locked down.

Exam trap

The trap here is that candidates may think re-enabling weak protocols (Option D) is the only way to support legacy clients, or that upgrading clients (Option B) is always feasible, but the exam expects you to recognize that a reverse proxy provides a secure, practical compromise without weakening the server's security posture.

How to eliminate wrong answers

Option A is wrong because switching to a VPN does not address the TLS downgrade vulnerability; it adds complexity and does not solve the legacy client compatibility issue at the application layer. Option B is wrong because upgrading all legacy clients immediately is often impractical or impossible due to business constraints, and the question explicitly states that the business requires these clients to still access the application. Option D is wrong because re-enabling TLS 1.0 and 1.1 on the server directly contradicts the security team's goal of disabling weak protocols and leaves the server vulnerable to downgrade attacks, which is not a balanced approach.

458
Multi-Selecteasy

Which TWO of the following are examples of multifactor authentication? (Choose two.)

Select 2 answers
A.Smart card and PIN
B.SMS code and password
C.Password and security question
D.Voice recognition and iris scan
E.Fingerprint and smart card
AnswersA, E

Smart card (something you have) and PIN (something you know) are two different factors.

Why this answer

Multifactor authentication (MFA) requires at least two distinct factors from different categories: something you know, something you have, and something you are. A smart card is 'something you have,' and a PIN is 'something you know,' so combining them satisfies MFA requirements. This is a classic example used in access control systems like Common Access Cards (CAC) or Personal Identity Verification (PIV) cards.

Exam trap

The trap here is that candidates often confuse 'something you have' (like a smart card) with 'something you know' (like a PIN) and incorrectly think that two different instances of the same factor (e.g., password and security question) count as MFA, or they mistakenly treat an SMS code as a possession factor when it is actually a knowledge-based OTP delivered via a possession channel.

459
MCQmedium

You work for a financial services firm that must comply with GDPR and PCI DSS. The company uses a cloud-based CRM to store customer data. The security team recently discovered that the CRM vendor had a data breach that exposed the company's customer records. An investigation shows that the breach occurred because the vendor did not have multi-factor authentication (MFA) enabled for administrative accounts. The contract with the vendor states that the vendor is responsible for security of their platform. However, your company had not conducted a risk assessment of the vendor before signing the contract. Management wants to improve risk identification for third-party relationships. Which of the following is the BEST long-term solution?

A.Implement a third-party risk management program with periodic security assessments and contractual security requirements
B.Demand that the vendor reimburse the company for breach costs
C.Cancel the contract with the vendor and move to a private cloud solution
D.Require all vendors to provide SOC 2 reports
AnswerA

A program ensures ongoing risk identification and mitigation.

Why this answer

Option A is correct because a third-party risk management (TPRM) program with periodic security assessments and contractual security requirements directly addresses the root cause: the lack of pre-contract risk identification and ongoing vendor oversight. By embedding MFA requirements into contracts and performing regular assessments (e.g., reviewing SOC 2 reports, conducting penetration tests), the company can proactively enforce security controls like MFA for administrative accounts, preventing future breaches. This is a sustainable, long-term solution that aligns with GDPR and PCI DSS due diligence obligations.

Exam trap

The trap here is that candidates may choose Option D (SOC 2 reports) as a quick fix, mistakenly believing a single compliance report guarantees security, when in fact SOC 2 is a point-in-time audit that does not enforce ongoing contractual obligations or address specific risks like MFA configuration.

How to eliminate wrong answers

Option B is wrong because demanding reimbursement is a reactive, financial remedy that does not prevent future breaches; it fails to address the systemic lack of risk identification and vendor oversight. Option C is wrong because canceling the contract and moving to a private cloud solution is an extreme, short-term reaction that ignores the need for a scalable, ongoing vendor risk management process; it also may not be feasible or cost-effective for all third-party relationships. Option D is wrong because requiring SOC 2 reports alone is insufficient; while SOC 2 provides a snapshot of controls, it does not ensure continuous compliance or contractual enforcement of specific security measures like MFA, and it does not replace the need for periodic assessments tailored to the company's risk appetite.

460
MCQhard

A DevOps team implements a CI/CD pipeline for a web application. Which security control is BEST to ensure that only properly reviewed code reaches production?

A.Run static application security testing (SAST) in the pipeline
B.Require a manual approval gate before deployment
C.Run automated unit tests and integration tests
D.Implement code signing for all artifacts
AnswerB

Ensures human review of code changes, catching issues automation might miss.

Why this answer

Option B is correct because requiring manual approval in the pipeline ensures a human has reviewed the code before it proceeds. Option A is wrong because automated tests are important but may miss logic flaws. Option C is wrong because code signing ensures integrity but not review.

Option D is wrong because static analysis is automated and may produce false positives; it does not replace human review.

461
MCQmedium

A company wants to enforce network access control (NAC) for both wired and wireless devices. Which protocol is used for this purpose?

A.802.1X
B.SNMP (Simple Network Management Protocol)
C.EAP (Extensible Authentication Protocol)
D.PAP (Password Authentication Protocol)
AnswerA

802.1X provides port-based authentication for NAC.

Why this answer

802.1X is the IEEE standard for port-based network access control (NAC) that authenticates devices before granting access to both wired and wireless networks. It operates at the data link layer and uses an authentication server (e.g., RADIUS) to validate credentials, ensuring only authorized devices connect to the network.

Exam trap

The trap here is confusing EAP (a framework) with 802.1X (the protocol that enforces NAC), leading candidates to pick EAP because it is directly involved in authentication, but it does not control network access itself.

How to eliminate wrong answers

Option B (SNMP) is wrong because it is a management protocol for monitoring and configuring network devices, not for enforcing access control or authentication. Option C (EAP) is wrong because it is an authentication framework used within 802.1X, not a standalone NAC protocol; it provides the transport for authentication methods but does not enforce port-based access control. Option D (PAP) is wrong because it is a simple, unencrypted password authentication protocol used in PPP, not designed for network access control in modern wired/wireless environments.

462
MCQhard

A security analyst reviews logs and finds that an attacker exploited a vulnerability in a web application to read arbitrary files from the server. The application runs on Apache with mod_php. Which of the following is the MOST likely vulnerability?

A.XML External Entity (XXE) vulnerability.
B.Remote File Inclusion (RFI) vulnerability.
C.Server-Side Request Forgery (SSRF) vulnerability.
D.Local File Inclusion (LFI) vulnerability in a PHP include statement.
AnswerD

LFI allows reading local files via path traversal.

Why this answer

The correct answer is D because the scenario describes reading arbitrary files from the server, which is the hallmark of a Local File Inclusion (LFI) vulnerability. In a PHP application using include statements, an attacker can manipulate a file path parameter (e.g., `?page=../../etc/passwd`) to include and read local files, exploiting the server's filesystem access. Apache with mod_php is particularly susceptible to LFI when user input is not sanitized before being passed to functions like `include()` or `require()`.

Exam trap

The trap here is that candidates confuse LFI with RFI because both involve file inclusion, but the key distinction is that LFI reads local files from the server, while RFI requires remote file inclusion, which is less common and often blocked by default PHP settings.

How to eliminate wrong answers

Option A is wrong because XML External Entity (XXE) exploits XML parsers to read files or perform SSRF, but the scenario does not mention XML processing or a parser; it focuses on a PHP include statement, making XXE an unlikely vector. Option B is wrong because Remote File Inclusion (RFI) involves including remote files from external servers (e.g., via HTTP), which requires `allow_url_include` to be enabled—a rare configuration—and the question specifies reading arbitrary files from the server, not remote hosts. Option C is wrong because Server-Side Request Forgery (SSRF) forces the server to make requests to internal or external resources, but it does not directly read arbitrary files via PHP include; it is more about accessing internal services or performing port scans.

463
MCQmedium

Refer to the exhibit. During a security review, an analyst finds these firewall rules. Which recommendation should be made to reduce risk?

A.Restrict the source for rule 10 to specific administrative IPs
B.Enable logging on rule 15 as well
C.Require VPN access for all internal traffic
D.Remove rule 15 entirely
AnswerA

Limiting source reduces attack surface for SQL Server.

Why this answer

Rule 10 allows SSH (TCP/22) from any source (0.0.0.0/0) to the internal server, which exposes the management interface to the entire internet. Restricting the source to specific administrative IPs reduces the attack surface by limiting who can initiate SSH connections, mitigating brute-force and unauthorized access risks. This aligns with the principle of least privilege and is a fundamental access control recommendation.

Exam trap

The trap here is that candidates may focus on logging (option B) or overly broad solutions (option C) instead of directly addressing the most critical risk—unrestricted inbound SSH access—which is the classic 'permit any any' mistake in firewall rules.

How to eliminate wrong answers

Option B is wrong because enabling logging on rule 15 (which likely permits all outbound traffic) does not reduce risk; it only improves visibility, but the rule itself remains overly permissive and could allow malicious outbound traffic. Option C is wrong because requiring VPN for all internal traffic is excessive and unnecessary; VPN is typically used for remote access, not for internal LAN traffic, and would add latency and complexity without addressing the specific exposure of rule 10. Option D is wrong because removing rule 15 entirely might break legitimate outbound connectivity (e.g., DNS, updates) and is not the most direct fix for the inbound SSH exposure; a more targeted approach is to restrict the source of rule 10.

464
Multi-Selecteasy

Which TWO roles are typically part of an incident response team?

Select 2 answers
A.Chief Financial Officer
B.Network Administrator
C.Incident Manager
D.Forensic Analyst
E.Legal Counsel
AnswersC, D

The Incident Manager coordinates the response effort.

Why this answer

The Incident Manager (C) is the central coordinator who manages the incident response process, ensures communication among stakeholders, and makes strategic decisions during an incident. The Forensic Analyst (D) is responsible for collecting, preserving, and analyzing digital evidence in a forensically sound manner, often using tools like FTK Imager or EnCase to maintain chain of custody. Both roles are essential for a structured and legally defensible incident response.

Exam trap

The trap here is that candidates often confuse operational support roles (like Network Administrator) with core incident response team roles, or mistakenly include executive/legal positions as permanent team members rather than as external stakeholders consulted on an as-needed basis.

465
Multi-Selecthard

Which TWO of the following are examples of preventive controls for data leakage?

Select 2 answers
A.Encryption.
B.Data Loss Prevention (DLP) system.
C.Log monitoring.
D.Security awareness training.
E.User access reviews.
AnswersA, B

Encryption renders data unreadable without a key, preventing leakage.

Why this answer

Encryption is a preventive control because it renders data unreadable to unauthorized parties, thereby preventing data leakage even if the data is intercepted or accessed without authorization. By transforming plaintext into ciphertext using algorithms like AES-256, encryption ensures that only entities with the correct decryption key can access the original data, effectively blocking data exfiltration at rest or in transit.

Exam trap

The trap here is that candidates often confuse detective controls (like log monitoring) or administrative controls (like training) with preventive controls, because they seem to 'prevent' issues indirectly, but the SSCP exam strictly classifies controls by their primary function—preventive controls must actively block the threat before it occurs.

466
MCQeasy

Refer to the exhibit. A security analyst notices that multiple internal hosts are using the same inside global IP address but different port numbers. Which technology is being used?

A.Dynamic NAT
B.Static NAT
C.PAT (Port Address Translation)
D.Port forwarding
AnswerC

PAT allows many internal hosts to share a single public IP by differentiating via port numbers.

Why this answer

The scenario describes multiple internal hosts sharing a single inside global IP address but using different port numbers. This is the defining behavior of Port Address Translation (PAT), also known as NAT overload. PAT maps multiple private IP addresses to one public IP by differentiating sessions based on the transport-layer port number (TCP/UDP), allowing many hosts to share a single public address.

Exam trap

The trap here is that candidates often confuse PAT with Dynamic NAT, not realizing that Dynamic NAT requires a pool of public IPs and does not allow port-level multiplexing, whereas PAT is specifically designed to allow many-to-one address sharing using port differentiation.

How to eliminate wrong answers

Option A is wrong because Dynamic NAT maps private IPs to public IPs from a pool on a one-to-one basis, so multiple internal hosts cannot share the same inside global IP; each would require a unique public IP. Option B is wrong because Static NAT provides a fixed one-to-one mapping between a private IP and a public IP, which also prevents multiple hosts from using the same global address. Option D is wrong because Port forwarding is a manual configuration that directs external traffic to a specific internal host and port, not a mechanism for multiple internal hosts to share a single public IP with different source ports.

467
Multi-Selecteasy

Which TWO of the following are key components of a risk assessment process?

Select 2 answers
A.Control testing
B.Asset identification
C.Vulnerability identification
D.Risk treatment selection
E.Threat identification
AnswersB, E

Assets must be identified to assess risk to them.

Why this answer

Asset identification (B) is a key component because you cannot assess risk without knowing what assets need protection. Threat identification (E) is also essential because risk is defined as the likelihood of a threat exploiting a vulnerability to cause harm to an asset. Together, asset and threat identification form the foundational inputs for calculating risk.

Exam trap

ISC2 often tests the distinction between risk assessment (identifying assets, threats, and vulnerabilities) and risk management (selecting and implementing controls), so candidates mistakenly select control testing or risk treatment selection as part of the assessment process.

468
MCQeasy

A risk manager is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A.$25,000
B.$1,000
C.$5,000
D.$100
AnswerB

Correct calculation.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Here, SLE = $5,000 and ARO = 0.2, so ALE = $5,000 × 0.2 = $1,000. This represents the expected annual financial loss from the server risk.

Exam trap

The trap here is that candidates often confuse the ALE formula by dividing SLE by ARO instead of multiplying, leading to the inflated $25,000 figure in option A.

How to eliminate wrong answers

Option A is wrong because $25,000 results from dividing SLE by ARO ($5,000 / 0.2), which is a common arithmetic reversal error. Option C is wrong because $5,000 is simply the SLE value, ignoring the ARO multiplier entirely. Option D is wrong because $100 would come from multiplying SLE by ARO but misplacing a decimal (e.g., $5,000 × 0.02), indicating a calculation mistake.

469
Multi-Selecteasy

Which TWO are common methods to secure a wireless network against unauthorized access?

Select 2 answers
A.Implement WPA2-Enterprise
B.Enable SSID broadcast
C.Disable DHCP
D.Use MAC filtering
E.Deploy a wireless intrusion prevention system (WIPS)
AnswersA, E

Provides strong authentication per user.

Why this answer

WPA2-Enterprise uses IEEE 802.1X authentication with a RADIUS server, requiring unique credentials per user rather than a shared pre-shared key (PSK). This eliminates the risk of PSK compromise and provides centralized authentication, making it highly resistant to unauthorized access. It is the recommended method for securing wireless networks in enterprise environments.

Exam trap

The trap here is that candidates often mistake MAC filtering or disabling DHCP as effective security controls, when in fact they are easily bypassed and provide only a false sense of security, while the exam expects recognition of enterprise-grade authentication and active monitoring as the correct methods.

470
MCQmedium

A software development team is implementing input validation for a web application that accepts user email addresses. Which approach BEST prevents email injection attacks?

A.Whitelist allowed characters: alphanumeric, @, ., -, _
B.Blacklist known malicious email patterns
C.Set maximum email length to 100 characters
D.Rely on client-side JavaScript validation only
AnswerA

Whitelisting only safe characters prevents injection.

Why this answer

Option C is correct because whitelisting valid characters (alphanumeric, @, ., -, _) restricts input to safe characters, preventing injection of special characters used in email injection. Option A is wrong because blacklisting known malicious patterns is easily bypassed. Option B is wrong because client-side validation only is insufficient as it can be bypassed.

Option D is wrong because length limits do not prevent injection.

471
MCQeasy

A small business uses MAC address filtering on its wireless network to prevent unauthorized access. Which attack is most likely to bypass this control?

A.Deauthentication attack
B.Man-in-the-middle attack
C.Evil twin attack
D.MAC spoofing
AnswerD

An attacker can capture a valid MAC and use it to connect.

Why this answer

MAC address filtering is a weak access control because MAC addresses are transmitted in plaintext over the air and can be easily captured using a wireless sniffer (e.g., Wireshark). An attacker can then change their network interface's MAC address to match an allowed client via MAC spoofing, thereby bypassing the filter and gaining access to the network. This attack directly defeats the filtering mechanism without needing to crack encryption keys or impersonate the access point.

Exam trap

The trap here is that candidates confuse MAC spoofing with deauthentication attacks, thinking that disconnecting a client is the primary method to bypass filtering, when in fact the attacker must spoof the allowed MAC to actually authenticate and gain network access.

How to eliminate wrong answers

Option A is wrong because a deauthentication attack disconnects clients from the access point but does not bypass MAC filtering—it only disrupts service, not authenticate the attacker. Option B is wrong because a man-in-the-middle attack intercepts traffic between two parties but requires the attacker to already be associated with the network, so it does not bypass the initial MAC filter. Option C is wrong because an evil twin attack creates a rogue access point with the same SSID to trick clients into connecting, but the attacker still needs to associate with the legitimate network or bypass its MAC filter to access internal resources.

472
MCQmedium

A hospital's IT department manages a network with hundreds of medical devices, including patient monitors and infusion pumps, all connected to a separate VLAN. The security team has identified that several devices are running outdated firmware with known vulnerabilities. The vendor has not released patches for these legacy devices. The hospital cannot replace them immediately due to budget constraints. The network team proposes moving the devices to a more restrictive firewall zone and implementing intrusion detection. Which of the following additional controls should be implemented to BEST reduce the risk of a breach exploiting these devices?

A.Conduct daily vulnerability scans on the device VLAN
B.Deploy host-based intrusion prevention on each device
C.Use a web application firewall (WAF) in front of the devices
D.Implement strict network segmentation and access control lists (ACLs) to allow only necessary traffic
AnswerD

Segmentation with ACLs minimizes exposure and is feasible without modifying the devices.

Why this answer

Segmenting the devices into a separate, highly restricted network segment limits the blast radius and prevents lateral movement. Option A is already proposed; B is best practice; C is acceptable but not sufficient; D is reactive.

473
MCQhard

A medium-sized financial services company has recently deployed a new web application that processes sensitive customer data, including Social Security numbers and account balances. The security team implemented network segmentation, a web application firewall (WAF) from a reputable vendor, and quarterly vulnerability scans. The developers assert that they use parameterized queries for all database calls in the main application code. During a recent penetration test, testers successfully exploited a SQL injection vulnerability, extracting the entire customer database. Further investigation reveals that the main application indeed uses parameterized queries, but a third-party reporting module, integrated to generate compliance reports, constructs SQL queries by concatenating user-supplied date range inputs directly into SQL strings. The WAF is configured with a generic rule set and has not been tuned to the application's specific traffic patterns. What is the most effective course of action to remediate this vulnerability and prevent future occurrences?

A.Replace the third-party reporting module with an alternative that uses parameterized queries.
B.Implement strict input validation to sanitize user-supplied date inputs.
C.Increase the frequency of vulnerability scans from quarterly to monthly.
D.Configure the WAF to block SQL injection patterns with custom rules.
AnswerA

This directly removes the vulnerable coding practice (concatenation) and replaces it with a secure method, permanently fixing the SQL injection flaw.

Why this answer

The root cause is the third-party module's insecure query construction. Replacing it with a module that uses parameterized queries directly eliminates the vulnerability at its source. Input validation (A) is a defense-in-depth measure but not sufficient if concatenation is still used.

Increasing scan frequency (C) does not fix the underlying issue. Configuring the WAF (D) provides a layer of defense but can be bypassed and is not as reliable as eliminating the vulnerable code.

474
Multi-Selectmedium

A company is implementing encryption for data at rest in a file server. Which TWO of the following algorithms are suitable for this purpose? (Select TWO.)

Select 2 answers
A.3DES
B.Blowfish
C.SHA-256
D.AES-256
E.RSA-2048
AnswersB, D

Blowfish is a symmetric block cipher that can be used for data at rest, though AES is preferred.

Why this answer

Blowfish is a symmetric block cipher that supports variable key lengths (32–448 bits), making it suitable for encrypting data at rest on a file server. It is designed for fast encryption in software and has been widely used for file and disk encryption, though it is now considered less secure than modern alternatives like AES.

Exam trap

The trap here is that candidates often confuse hashing algorithms (like SHA-256) with encryption algorithms, or mistakenly think asymmetric ciphers (like RSA) are suitable for bulk data encryption, when in fact symmetric ciphers (like AES and Blowfish) are the correct choice for data at rest.

475
MCQeasy

An administrator notices that a terminated employee's account is still active. Which access control process was likely skipped?

A.Authorization
B.Authentication
C.Provisioning
D.Accounting
AnswerC

Provisioning includes creating and disabling accounts; the termination process should have disabled the account.

Why this answer

Provisioning is the access control process that includes creating, modifying, and disabling user accounts and their associated privileges. When a terminated employee's account remains active, the de-provisioning step—specifically account revocation—was likely skipped, leaving the account enabled and accessible.

Exam trap

The trap here is that candidates confuse provisioning with authorization or authentication, thinking that account termination is about setting permissions (authorization) rather than the account lifecycle itself.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., read, write), not whether the account itself exists or is active. Option B is wrong because authentication verifies a user's identity (e.g., via password or certificate), not the lifecycle management of the account. Option D is wrong because accounting tracks user actions and resource usage (e.g., via logs or RADIUS accounting), not the creation or removal of accounts.

476
MCQeasy

Refer to the exhibit. An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': ['s3:ListBucket','s3:GetObject'], 'Resource': 'arn:aws:s3:::example-bucket/*'. What does this policy allow?

A.List objects and read objects in example-bucket
B.Full access to all S3 buckets
C.Delete objects from example-bucket
D.Write objects to example-bucket
AnswerA

ListBucket and GetObject provide list and read.

Why this answer

ListBucket allows listing objects, GetObject allows reading objects. It does not allow write or delete. The resource is specific to example-bucket.

477
MCQeasy

An analyst notices unusual outbound traffic from a workstation to an external IP on port 445. Which protocol is likely being used?

A.HTTP
B.SMB
C.FTP
D.DNS
AnswerB

SMB uses port 445 for direct TCP communication, often associated with file sharing.

Why this answer

Port 445 is the default port for Microsoft-DS (Direct Hosting of SMB over TCP/IP), which is used by the Server Message Block (SMB) protocol for file and printer sharing. Unusual outbound traffic on this port often indicates SMB activity, such as a workstation attempting to connect to a remote share or, in a security context, potential data exfiltration or lateral movement using SMB.

Exam trap

ISC2 often tests the association of well-known ports with their protocols, and the trap here is that candidates may confuse port 445 with NetBIOS (ports 137-139) or assume SMB only uses ports 137-139, forgetting that modern SMB over TCP/IP uses port 445 directly.

How to eliminate wrong answers

Option A is wrong because HTTP typically uses ports 80 (unencrypted) or 443 (TLS), not port 445. Option C is wrong because FTP uses ports 20 (data) and 21 (control), not port 445. Option D is wrong because DNS uses port 53 (UDP primarily, with TCP for zone transfers), not port 445.

478
Multi-Selecthard

Which THREE of the following are types of application security testing that should be included in a secure SDLC?

Select 3 answers
A.Static application security testing (SAST)
B.Penetration testing
C.User acceptance testing (UAT)
D.Dynamic application security testing (DAST)
E.Load testing
AnswersA, B, D

Analyzes source code for vulnerabilities.

Why this answer

Options A, C, and E are correct. SAST (Static Application Security Testing) analyzes source code, DAST (Dynamic Application Security Testing) tests running applications, and penetration testing simulates real attacks. Option B is wrong because UAT is for functional validation, not security.

Option D is wrong because load testing is for performance, not security.

479
Multi-Selecthard

Which three of the following are best practices for securing a database? (Choose three.)

Select 3 answers
A.Encrypt sensitive data at rest
B.Use default passwords for database accounts
C.Implement row-level security
D.Apply the principle of least privilege for database users
E.Enable public access to the database
AnswersA, C, D

Protects data if storage is compromised.

Why this answer

Encrypting sensitive data at rest protects confidentiality. Row-level security restricts access to specific rows. Least privilege limits user permissions.

Default passwords are insecure. Public access exposes the database.

480
Multi-Selectmedium

Which two commands can be used to modify existing file permissions on a Linux system? (Select TWO)

Select 2 answers
A.chattr
B.setfacl
C.umask
D.chown
E.chmod
AnswersB, E

setfacl sets or modifies Access Control Lists (ACLs) that can define permissions for specific users or groups.

Why this answer

B is correct because `setfacl` is used to modify Access Control Lists (ACLs) on a file or directory, which are an extended mechanism for setting permissions beyond the standard owner/group/others model. E is correct because `chmod` is the standard command for changing the read, write, and execute permissions for the file owner, group, and others using symbolic or octal notation.

Exam trap

ISC2 often tests the distinction between commands that modify existing permissions (`chmod`, `setfacl`) versus commands that set defaults for new files (`umask`) or change file ownership (`chown`), leading candidates to mistakenly select `umask` or `chown` as tools for altering current permissions.

481
Multi-Selectmedium

Which TWO actions are appropriate during the containment phase of incident response?

Select 2 answers
A.Restoring data from backups
B.Removing malware from the system
C.Isolating the affected system from the network
D.Blocking malicious IP addresses at the firewall
E.Analyzing the root cause of the incident
AnswersC, D

Isolation prevents spread.

Why this answer

During the containment phase of incident response, the primary goal is to stop the incident from spreading and to limit damage. Isolating the affected system from the network (Option C) immediately prevents lateral movement of the threat and further data exfiltration. Blocking malicious IP addresses at the firewall (Option D) is another containment action that cuts off communication with known command-and-control servers or attack sources, effectively containing the network-level impact.

Exam trap

ISC2 often tests the distinction between containment, eradication, and recovery phases, and the trap here is that candidates mistakenly classify malware removal or root cause analysis as containment actions, when they actually belong to later phases.

482
MCQmedium

A company uses a hub-and-spoke VPN topology with a central site and multiple branch offices. The central site's firewall is being upgraded. Which technology can provide link redundancy with automatic failover for the VPN connections?

A.STP
B.VRRP
C.OSPF
D.BGP
AnswerD

BGP can be used to manage multiple VPN paths and failover automatically.

Why this answer

BGP is correct because it supports dynamic routing and can be configured with multiple paths to provide automatic failover for VPN connections in a hub-and-spoke topology. When the central site's firewall is upgraded, BGP can reroute traffic through alternate paths without manual intervention, ensuring link redundancy. This is achieved through BGP's path selection algorithm and the ability to advertise multiple routes via different VPN tunnels.

Exam trap

The trap here is that candidates confuse VRRP (a first-hop redundancy protocol) with VPN failover, but VRRP only provides gateway redundancy at the local subnet, not dynamic routing or failover across multiple VPN tunnels between sites.

How to eliminate wrong answers

Option A is wrong because STP (Spanning Tree Protocol) is a Layer 2 protocol designed to prevent loops in Ethernet networks, not to provide link redundancy or automatic failover for VPN connections. Option B is wrong because VRRP (Virtual Router Redundancy Protocol) provides gateway redundancy at Layer 3 by allowing multiple routers to share a virtual IP, but it does not handle VPN-specific failover or dynamic routing across multiple sites. Option C is wrong because OSPF is an interior gateway protocol that can provide dynamic routing and failover within a single autonomous system, but it is not typically used for hub-and-spoke VPN redundancy across multiple branch offices without additional configuration like DMVPN, and it lacks the policy-based path control and scalability of BGP for this scenario.

483
MCQhard

An organization uses role-based access control (RBAC). A user complains that they can access a resource they were previously denied. The security administrator finds that the user's role was recently changed. What is the most likely cause?

A.The user's previous role was not properly removed.
B.The RBAC implementation has a bug that grants excessive permissions.
C.The user's new role inherits permissions from multiple roles that collectively grant access.
D.The user was directly assigned permissions to the resource.
AnswerC

In RBAC, roles can inherit permissions, leading to unintended access.

Why this answer

In RBAC, permissions are assigned to roles, not directly to users. When a user's role changes, the new role may have a different set of permissions. If the new role inherits permissions from multiple roles (e.g., through role hierarchy or composite roles), it can collectively grant access to resources that were previously denied under the old role.

This is the most likely cause because the security administrator confirmed the role change, and RBAC systems typically enforce permissions based on the current role membership.

Exam trap

The trap here is that candidates assume a role change always removes old permissions, but RBAC role hierarchies can cause permission accumulation through inheritance, leading to new access that was previously denied.

How to eliminate wrong answers

Option A is wrong because if the previous role was not properly removed, the user would still have the old role's permissions, but the complaint is about gaining access they were previously denied, not about retaining old access; role removal issues typically cause excessive permissions, not a new access pattern. Option B is wrong because a bug that grants excessive permissions would be a systemic flaw affecting multiple users or resources, not a single user's access change tied to a role change; the administrator's observation of a role change makes a bug less likely than a legitimate role-based permission change. Option D is wrong because direct permission assignments bypass RBAC and would be a separate access control mechanism; if the user had direct permissions, the role change would be irrelevant, and the administrator would likely see a direct ACE rather than a role-based grant.

484
MCQhard

A PKI administrator is designing a key management lifecycle for a high-security environment. Which practice is most critical for ensuring long-term security of asymmetric keys?

A.Performing regular key rotation
B.Using hardware security modules (HSMs)
C.Implementing key escrow
D.Maintaining a Certificate Revocation List (CRL)
AnswerA

Regular rotation minimizes impact of key compromise.

Why this answer

Regular key rotation limits exposure in case of compromise. All other options are important but rotation is most critical for long-term security.

485
MCQmedium

A small business experienced a ransomware attack that encrypted all files on the file server. They have no backups. The attacker demands a ransom. The CEO asks for advice. Which recommendation should the incident responder give?

A.Contact law enforcement and attempt decryption from public tools
B.Wipe the server and restore from the cloud sync if available
C.Pay the ransom immediately to regain access
D.Reinstall the OS and rebuild data from manual copies
AnswerA

Law enforcement can provide guidance, and free decryption tools may be available for some ransomware strains.

Why this answer

Option C is correct because contacting law enforcement and attempting decryption using public tools is the most responsible action. Paying the ransom (A) is discouraged and does not guarantee recovery. Wiping the server (B) and rebuilding from cloud sync would lose all data if no sync exists.

Reinstalling and rebuilding manually (D) is extremely time-consuming and likely impossible without backups.

486
MCQmedium

A database audit log shows that a user ran a query retrieving all customer records. The user's job role only requires access to view their own assigned customers. Which access control concept has been violated?

A.Job rotation
B.Need-to-know
C.Separation of duties
D.Least privilege
AnswerB

Need-to-know restricts access to data required for job functions; the user accessed data outside their need.

Why this answer

The need-to-know principle restricts data access to only the information necessary for a user to perform their job duties. In this case, the user retrieved all customer records, but their role only requires access to their own assigned customers, meaning they accessed data beyond what is necessary. This directly violates the need-to-know concept, which is a subset of access control that limits access to specific data elements rather than entire datasets.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need-to-know,' but least privilege governs the level of permissions (e.g., read vs. write), while need-to-know governs the scope of data accessible (e.g., which specific records), and the question specifically describes a scope violation, not a permission level violation.

How to eliminate wrong answers

Option A is wrong because job rotation is a security practice where users periodically change roles to reduce fraud risk and detect malicious activity, not an access control principle that limits data access. Option C is wrong because separation of duties ensures that no single individual has complete control over a critical process by dividing tasks among multiple users, which is unrelated to a user accessing more data than their role requires. Option D is wrong because least privilege limits a user's permissions to the minimum necessary to perform their job, but the violation here is specifically about accessing data beyond what is needed for their role, which is the definition of need-to-know; least privilege focuses on the level of access (e.g., read vs. write), while need-to-know focuses on the scope of data (e.g., which records).

487
MCQeasy

A company wants to implement a policy where no single individual can approve a purchase order and also receive the goods. Which access control principle does this enforce?

A.Rotation of duties
B.Separation of duties
C.Need to know
D.Least privilege
AnswerB

This principle splits critical functions among different individuals.

Why this answer

This policy enforces separation of duties by ensuring that no single individual has the authority to both approve a purchase order and receive the goods. This control prevents fraud and errors by requiring two different people to complete related but conflicting tasks, which is a fundamental access control principle in financial and operational systems.

Exam trap

The trap here is that candidates often confuse separation of duties with least privilege, but least privilege focuses on minimizing permissions per role, whereas separation of duties mandates that conflicting tasks be split across multiple roles to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because rotation of duties involves periodically moving personnel between different roles to reduce the risk of collusion or skill stagnation, not preventing a single person from performing two conflicting tasks. Option C is wrong because need to know restricts access to information based on job requirements, not the segregation of conflicting operational steps. Option D is wrong because least privilege limits users to the minimum permissions necessary for their job functions, but does not specifically address the requirement that two separate individuals must handle approval and receipt of goods.

488
MCQmedium

A company deploys a web application that processes credit card payments. The development team uses parameterized queries for all database interactions. However, during a penetration test, the tester successfully injects malicious code into a search field and retrieves sensitive customer data. Which of the following is the most likely cause?

A.The application uses dynamic SQL despite parameterized queries for some fields.
B.The web server is misconfigured to allow directory traversal.
C.The database server has weak permissions allowing direct query execution.
D.The search field output is not sanitized, allowing stored XSS.
AnswerA

Dynamic SQL in the search field bypasses the parameterized queries used elsewhere, allowing injection.

Why this answer

Option A is correct because the use of parameterized queries prevents SQL injection, but if dynamic SQL is constructed elsewhere in the application (e.g., for the search field), it can still be vulnerable. Option B is incorrect because XSS affects client-side execution, not direct data retrieval from the database. Option C is incorrect because direct query execution would require explicit permissions beyond the application's context.

Option D is incorrect because directory traversal exploits file system access, not database query injection.

489
MCQmedium

Refer to the exhibit. A user at IP 10.0.0.1 reports that they cannot access a web server at 203.0.113.5 on port 443. What is the most likely cause?

A.The firewall only permits inbound traffic to specific IPs.
B.The firewall rule order is incorrect.
C.The firewall blocks all outbound traffic.
D.The firewall does not have a rule permitting outbound traffic.
AnswerD

Without an explicit permit for outbound traffic, the implicit deny blocks it.

Why this answer

Option D is correct because the user at 10.0.0.1 cannot reach 203.0.113.5:443, which indicates that outbound traffic to that destination is not permitted. Firewalls by default block all traffic unless explicitly allowed; if no rule permits outbound HTTPS (TCP/443) traffic, the connection will be dropped. The symptom (inability to access an external web server) points to a missing outbound rule, not an inbound rule issue.

Exam trap

The trap here is that candidates often focus on inbound rules when a user cannot reach an external server, forgetting that outbound traffic must also be explicitly permitted by the firewall's egress policy.

How to eliminate wrong answers

Option A is wrong because the problem is outbound from 10.0.0.1 to 203.0.113.5; inbound rules control traffic coming into the network, not traffic leaving it. Option B is wrong because rule order matters only when multiple rules conflict or overlap; here, there is no indication of any rule at all for outbound traffic, so order is irrelevant. Option C is wrong because if the firewall blocked all outbound traffic, no user could reach any external resource, but the question specifies only this user and this destination are affected, implying a selective block or missing rule.

490
MCQmedium

A company has segmented its network into VLANs for different departments: HR, Finance, and IT. The router interconnecting the VLANs has ACLs configured to block traffic from HR to Finance. However, IT has noticed that traffic from HR VLAN is reaching the Finance VLAN. The network uses managed switches with 802.1Q trunking. All access ports are configured as untagged members of their respective VLANs. What is the most likely cause of this unauthorized traffic flow?

A.DHCP snooping disabled
B.VLAN hopping attack via double tagging
C.Default gateway misconfiguration
D.STP misconfiguration
AnswerB

Double tagging can allow an attacker to send frames to a VLAN other than the source VLAN, potentially bypassing ACLs.

Why this answer

The most likely cause is a VLAN hopping attack via double tagging. In this attack, an attacker on the HR VLAN sends a frame with two 802.1Q tags: the outer tag matches the native VLAN of the trunk (often VLAN 1), and the inner tag is the target VLAN (Finance). When the switch receives the frame on an access port, it strips the outer tag (as it is the native VLAN) and forwards the frame with the inner tag over the trunk, allowing the traffic to bypass the ACLs and reach the Finance VLAN.

Exam trap

ISC2 often tests the distinction between VLAN hopping via double tagging versus switch spoofing; the trap here is that candidates may confuse this with a simple ACL misconfiguration or assume the router is the only point of control, overlooking that the attack occurs at Layer 2 before the router even sees the traffic.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a security feature that prevents rogue DHCP servers and does not control inter-VLAN traffic flow or prevent VLAN hopping. Option C is wrong because a default gateway misconfiguration would cause traffic to be sent to the wrong router or not routed at all, but it would not allow traffic to bypass ACLs and reach a different VLAN; the router still enforces ACLs on routed traffic. Option D is wrong because STP misconfiguration can cause loops or broadcast storms but does not enable an attacker to inject frames into a different VLAN or bypass ACLs.

491
MCQhard

During a security audit, it is discovered that a developer has direct access to production databases. The policy requires that changes be reviewed and deployed by a separate team. Which control is being violated?

A.Need-to-know
B.Job rotation
C.Least privilege
D.Separation of duties
AnswerD

The developer should not have direct production access; changes should go through a separate deployment team.

Why this answer

The scenario describes a direct violation of separation of duties (SoD), a core access control principle that requires critical tasks to be divided among multiple individuals to prevent fraud or error. In this case, the developer both writes code and has direct access to production databases, bypassing the required review and deployment by a separate team. SoD ensures no single person has end-to-end control over a sensitive process, which is essential for maintaining integrity and accountability in production environments.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'separation of duties' because both limit access, but least privilege focuses on the amount of access while separation of duties focuses on the division of conflicting responsibilities.

How to eliminate wrong answers

Option A is wrong because need-to-know restricts access to only the information necessary for a user's job role, but the violation here is about the process of change management, not about the developer having access to specific data they don't need. Option B is wrong because job rotation is a control that periodically moves employees between roles to reduce risk of collusion or monotony, but the issue is not about rotating roles; it's about the developer performing both development and production deployment tasks. Option C is wrong because least privilege limits users to the minimum permissions required for their duties, but the developer may have exactly the permissions needed for their job; the violation is that they are performing two conflicting duties (development and production deployment) that should be separated.

492
MCQmedium

Refer to the exhibit. A security incident responder sees this alert in the SIEM. What should the responder do first?

A.Check if the source IP is a legitimate internal scanner.
B.Block the source IP at the firewall.
C.Update the firewall signature database.
D.Reboot the internal host 192.168.1.10.
AnswerA

Verifying the source prevents unnecessary action against authorized scanning.

Why this answer

The correct first step is to verify whether the source IP (10.0.0.5) is a legitimate internal scanner (e.g., authorized vulnerability scanner). Option A (blocking) might disrupt legitimate scanning. Option C (rebooting host) is premature.

Option D (updating signatures) does not address the immediate alert.

493
MCQhard

A company uses a SIEM to monitor security events. Recently, they are experiencing false positives from a new IDS rule. Which approach would best reduce false positives while maintaining detection?

A.Disable the rule.
B.Increase the log review frequency.
C.Whitelist false positive sources.
D.Adjust the rule threshold.
AnswerD

Fine-tuning the threshold balances false positive reduction with detection capability.

Why this answer

Adjusting the rule threshold (Option D) is the best approach because it fine-tunes the sensitivity of the IDS rule to reduce false positives without completely disabling detection. By raising the threshold (e.g., increasing the number of matching packets or the time window), the SIEM will only generate an alert when the rule's criteria are met more persistently, filtering out noise while still capturing genuine threats. This maintains the rule's detection capability for actual attacks that exceed the adjusted threshold.

Exam trap

The trap here is that candidates often choose to whitelist false positive sources (Option C) because it seems like a quick fix, but this approach can inadvertently suppress alerts for real attacks from those same sources, whereas threshold tuning preserves detection capability.

How to eliminate wrong answers

Option A is wrong because disabling the rule eliminates detection entirely, which could allow real attacks to go unnoticed and violates the principle of maintaining detection. Option B is wrong because increasing log review frequency does not reduce false positives; it only increases the volume of alerts to review, potentially overwhelming analysts and not addressing the root cause of the false positives. Option C is wrong because whitelisting false positive sources only suppresses alerts from those specific sources, which can mask legitimate attacks originating from the same sources and does not address the underlying rule sensitivity issue.

494
MCQeasy

A critical vulnerability is discovered in an application currently in use. What should be done first?

A.Notify users to stop using the application
B.Disable the application until patch is ready
C.Deploy the patch immediately to all systems
D.Test the patch in a non-production environment
AnswerD

Testing verifies patch stability before production rollout.

Why this answer

Testing the patch in a non-production environment ensures it does not break functionality before deployment. Immediate deployment risks downtime. Disabling the application or notifying users are reactive steps, not the first.

495
MCQhard

During incident analysis, a forensic examiner finds that the system logs were cleared using a command that writes null bytes. Which artifact is most likely preserved?

A.Event logs from other systems
B.Prefetch files
C.Registry keys
D.Volume shadow copies
AnswerD

Volume Shadow Copies can provide historical snapshots that may contain the original log data.

Why this answer

Volume shadow copies (VSS) are snapshots of the file system at a point in time, stored separately from the active logs. Even if an attacker clears logs by writing null bytes (e.g., using `fsutil` or `wevtutil cl`), VSS may retain a previous version of the logs, making them a critical artifact for forensic recovery.

Exam trap

ISC2 often tests the misconception that cleared logs are permanently lost, but VSS provides a forensic backup that persists independently of active log deletion.

How to eliminate wrong answers

Option A is wrong because event logs from other systems are not directly preserved on the compromised system; they reside on separate hosts and are not affected by local log-clearing commands. Option B is wrong because Prefetch files track application execution, not system event logs, and are not a direct source of cleared log data. Option C is wrong because registry keys store configuration and system state, but they do not contain the actual event log entries that were cleared.

496
MCQeasy

An organization wants to perform a risk analysis for a new cloud application. Which quantitative metric is most commonly used to calculate risk?

A.Control effectiveness.
B.Threat likelihood.
C.Residual risk.
D.Annualized Loss Expectancy (ALE).
AnswerD

ALE provides a monetary value for risk, enabling comparison and prioritization.

Why this answer

Annualized Loss Expectancy (ALE) is the most commonly used quantitative metric for calculating risk because it combines the expected financial loss from a single event (Single Loss Expectancy) with the annual frequency of that event (Annualized Rate of Occurrence). This produces a dollar-value risk figure that organizations can directly compare against security control costs and budget decisions for a cloud application.

Exam trap

The trap here is that candidates confuse 'threat likelihood' (a qualitative input) with the complete quantitative risk metric, failing to recognize that ALE incorporates both likelihood and impact into a single financial figure.

How to eliminate wrong answers

Option A is wrong because control effectiveness is a qualitative or semi-quantitative measure of how well a safeguard reduces risk, not a direct quantitative risk metric. Option B is wrong because threat likelihood is only one component of risk calculation (used in ARO), not a complete risk metric itself. Option C is wrong because residual risk is the risk remaining after controls are applied, which is an output of risk analysis, not the primary quantitative metric used to calculate initial risk.

497
MCQhard

Refer to the exhibit. A firewall log shows repeated outbound connection attempts from an internal workstation (192.168.1.50) to an external IP (203.0.113.50) on TCP port 445. What is the most likely cause?

A.A worm or malware exploiting SMB
B.A misconfigured DNS client
C.A user browsing the web
D.A legitimate file share connection
AnswerA

Outbound SMB traffic to external IP suggests propagation.

Why this answer

Port 445 is SMB. Outbound SMB attempts often indicate a worm or malware trying to propagate. Web browsing uses 80/443.

File sharing is typically internal. DNS uses 53.

498
MCQhard

A healthcare organization must comply with HIPAA and requires that access to electronic protected health information (ePHI) be logged and audited. They consider using an identity management system that supports single sign-on (SSO). What is the PRIMARY security concern with SSO in this environment?

A.Single credential compromise leads to broad access
B.Increased complexity of password policies
C.Lack of detailed audit logs for each application
D.User inconvenience due to multiple logins
AnswerA

SSO means one password grants access to all systems.

Why this answer

In a healthcare environment subject to HIPAA, the primary security concern with SSO is that a single compromised credential (e.g., a password or smart card PIN) grants an attacker immediate access to all applications and ePHI systems that the user is authorized to use. This creates a single point of failure, dramatically increasing the blast radius of a credential theft incident. Unlike separate per-application credentials, SSO eliminates the need for repeated authentication, so an attacker who obtains the SSO token or password can move laterally across the entire application portfolio without additional authentication barriers.

Exam trap

ISC2 often tests the misconception that SSO inherently reduces audit capabilities, when in fact the primary risk is the amplified impact of a single credential compromise — candidates may incorrectly choose 'lack of detailed audit logs' because they assume SSO bypasses application-level logging, but proper SSO implementations log at the IdP and can integrate with SIEM systems.

How to eliminate wrong answers

Option B is wrong because SSO typically reduces the number of passwords a user must remember, which can simplify password policies rather than increase their complexity; the real concern is not policy complexity but the amplified risk from a single credential compromise. Option C is wrong because modern SSO systems (e.g., SAML 2.0, OAuth 2.0, OpenID Connect) can and do generate detailed audit logs at the identity provider (IdP) level, often including timestamp, user ID, application accessed, and session duration — the lack of logs is not an inherent SSO limitation. Option D is wrong because SSO is designed to eliminate multiple logins, providing user convenience; the question asks for the primary security concern, not a usability issue.

499
MCQeasy

During a quantitative risk analysis, the asset value is $500,000, the exposure factor is 40%, and the annual rate of occurrence is 0.5. What is the annualized loss expectancy (ALE)?

A.$200,000
B.$500,000
C.$100,000
D.$250,000
AnswerC

Correctly calculated as AV * EF * ARO.

Why this answer

The annualized loss expectancy (ALE) is calculated as single loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO). SLE is asset value ($500,000) times exposure factor (40%) = $200,000. ALE = $200,000 × 0.5 = $100,000.

This is the standard quantitative risk analysis formula per NIST SP 800-30.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who compute the SLE ($200,000) and stop there, forgetting to multiply by the ARO (0.5) to get the annualized value.

How to eliminate wrong answers

Option A is wrong because $200,000 is the single loss expectancy (SLE), not the annualized loss expectancy (ALE); it fails to multiply by the annual rate of occurrence (0.5). Option B is wrong because $500,000 is the full asset value, ignoring both the exposure factor (40%) and the annual rate of occurrence (0.5). Option D is wrong because $250,000 would result from multiplying the asset value by the annual rate of occurrence (0.5) but ignoring the exposure factor (40%), or from incorrectly halving the SLE instead of multiplying by 0.5.

500
MCQhard

Your organization has a mixed environment of Windows and Linux servers. You receive an alert from the EDR that a Linux server is beaconing to a suspicious IP. The server runs a critical application that cannot be taken offline. The security team needs to investigate while maintaining availability. You have access to a jump box with network monitoring tools. Which course of action is most appropriate?

A.Immediately disconnect the server from the network to stop beaconing
B.Block the suspicious IP at the firewall and continue monitoring
C.Use packet capture on the server's network segment to analyze traffic, then use EDR to isolate the process
D.Reimage the server from a known good backup
AnswerC

This allows investigation and containment without taking the server offline.

Why this answer

Option C is correct because it allows the security team to investigate the beaconing activity without disrupting the critical application's availability. Using packet capture on the server's network segment enables analysis of the outbound traffic to the suspicious IP, while EDR can isolate the specific malicious process without taking the entire server offline. This approach balances the need for containment with the requirement to maintain service continuity.

Exam trap

The trap here is that candidates may choose immediate disconnection (Option A) as a reflexive containment action, failing to recognize that the question explicitly requires maintaining availability for a critical application that cannot be taken offline.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network would cause a denial of service to the critical application, violating the requirement to maintain availability. Option B is wrong because blocking the suspicious IP at the firewall only addresses the network-level symptom; it does not identify or contain the underlying malicious process on the server, which could continue to beacon to other IPs or perform other harmful actions. Option D is wrong because reimaging the server from a known good backup is a drastic, disruptive step that would take the server offline and destroy potential forensic evidence, contradicting the need to investigate while maintaining availability.

501
MCQeasy

A system administrator needs to implement a control that ensures users can only access files necessary for their job functions. Which principle is being applied?

A.Need-to-know
B.Separation of duties
C.Job rotation
D.Least privilege
AnswerD

Least privilege ensures users have only the permissions necessary to perform their job.

Why this answer

The principle of least privilege ensures that users are granted only the permissions necessary to perform their job functions, minimizing the attack surface and potential damage from accidental or malicious actions. In this scenario, restricting file access to only what is needed for job duties directly implements least privilege, as it limits access rights to the minimum required. This is distinct from need-to-know, which focuses on information disclosure rather than access permissions.

Exam trap

The trap here is that candidates often confuse 'need-to-know' with 'least privilege' because both involve limiting access, but need-to-know is specifically about information confidentiality (e.g., classified data), while least privilege is a broader principle covering all access rights and permissions.

How to eliminate wrong answers

Option A is wrong because need-to-know is a subset of least privilege that specifically controls access to sensitive information based on a user's requirement to know that information to perform their duties, but the question broadly addresses file access necessary for job functions, which is the core of least privilege. Option B is wrong because separation of duties divides critical tasks among multiple users to prevent fraud or error, not to limit individual file access to job-necessary files. Option C is wrong because job rotation is a security practice that moves users between roles to reduce monotony and detect irregularities, not a principle for restricting file access based on job functions.

502
MCQhard

A financial firm has deployed network-based IDS/IPS sensors at key points to detect and prevent intrusions. During a recent security audit, it was discovered that an attacker exfiltrated sensitive data using DNS over HTTPS (DoH) queries. The IDS/IPS did not generate any alerts. The firm's network policy allows all outbound HTTPS traffic to any destination. To prevent such exfiltration in the future, what is the most effective corrective action?

A.Deploy TLS termination at the network perimeter
B.Enable deep packet inspection on all encrypted traffic
C.Implement a DNS sinkhole and block non-corporate DNS servers
D.Configure the IDS/IPS to inspect DNS traffic on standard port 53 only
AnswerA

Terminating TLS allows the IDS/IPS to inspect decrypted traffic, including DoH, before re-encrypting it for transit.

Why this answer

Deploying TLS termination at the network perimeter allows the organization to decrypt inbound and outbound HTTPS traffic, inspect the plaintext content, and re-encrypt it before forwarding. This enables the IDS/IPS to detect malicious payloads, such as DNS over HTTPS (DoH) queries, that would otherwise be hidden inside encrypted tunnels. Since the firm's policy allows all outbound HTTPS, TLS termination is the most effective way to regain visibility into that traffic without blocking it outright.

Exam trap

The trap here is that candidates often assume deep packet inspection (DPI) can magically inspect encrypted traffic, but DPI requires decryption first, which is exactly what TLS termination provides.

How to eliminate wrong answers

Option B is wrong because enabling deep packet inspection on all encrypted traffic is not possible without first decrypting that traffic; DPI cannot inspect encrypted payloads unless TLS termination or similar decryption is performed. Option C is wrong because a DNS sinkhole and blocking non-corporate DNS servers only affect traditional DNS (port 53/UDP), but DoH operates over HTTPS (port 443) and bypasses standard DNS controls entirely. Option D is wrong because configuring the IDS/IPS to inspect DNS traffic on standard port 53 only will miss DoH traffic, which uses port 443 and is encrypted, so no alerts would be generated.

503
MCQeasy

A security analyst notices an increase in failed login attempts from a single IP address. What is the best immediate action?

A.Run an antivirus scan.
B.Disable the user accounts.
C.Block the IP at the firewall.
D.Check the SIEM for correlated events.
AnswerD

The SIEM can correlate multiple events to determine if the IP is part of a larger attack or a false positive.

Why this answer

Checking the SIEM for correlated events (Option D) is the best immediate action because it allows the analyst to gather context around the failed login attempts—such as whether they target multiple accounts, originate from a known malicious IP, or coincide with other suspicious activity—before taking a potentially disruptive or irreversible step. This aligns with the incident response principle of 'verify before you act,' ensuring the response is proportional and informed by correlated data from multiple sources.

Exam trap

The trap here is that candidates often choose 'Block the IP at the firewall' (Option C) as the fastest immediate action, but the SSCP exam emphasizes that the first step in incident response is to gather and correlate evidence to confirm the threat before taking potentially disruptive actions.

How to eliminate wrong answers

Option A is wrong because running an antivirus scan addresses malware on endpoints, but failed login attempts from a single IP are a network-level authentication anomaly, not a sign of local infection. Option B is wrong because disabling user accounts is premature and disruptive; the failed attempts may target non-existent accounts or be a brute-force attack against a single service, and disabling accounts without investigation could lock out legitimate users. Option C is wrong because blocking the IP at the firewall is a reactive measure that could block a legitimate user (e.g., a misconfigured proxy or NAT) and does not provide the forensic context needed to understand the attack pattern or verify the threat.

504
MCQhard

A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

A.Brute force attack against RDP service
B.Port scan of the internal network
C.Data exfiltration to an external server
D.Normal administrative remote access
AnswerA

Repeated connections to RDP port suggest password guessing.

Why this answer

The firewall log shows repeated failed RDP (TCP/3389) connection attempts from a single external IP to a single internal IP within a short time window. This pattern of multiple authentication failures against the same service is characteristic of a brute force attack, where an attacker systematically tries common passwords to gain unauthorized access to the RDP service.

Exam trap

ISC2 often tests the distinction between a brute force attack (repeated attempts to the same service) and a port scan (attempts to multiple services), so candidates mistakenly choose 'port scan' when they see many entries, even though all entries target the same port.

How to eliminate wrong answers

Option B is wrong because a port scan would show connection attempts to multiple different ports (e.g., 22, 80, 443, 3389) across one or more target IPs, not repeated attempts to a single port (3389) on a single IP. Option C is wrong because data exfiltration typically involves outbound data transfers to an external server, often using protocols like HTTP/S, FTP, or DNS tunneling, not repeated failed inbound authentication attempts. Option D is wrong because normal administrative remote access would show successful RDP logins (e.g., TCP SYN-ACK followed by session establishment), not a high volume of failed authentication events.

Page 6

Page 7 of 7

All pages