Systems Security Certified Practitioner (SSCP) — Questions 526–600

991 questions total · 14 pages · All types, answers revealed

Page 8 of 14

526
MCQ · hard

A PKI administrator needs to check the revocation status of a digital certificate without requiring the client to download the entire CRL. Which method is designed for online, real-time certificate status checking?

A.OCSP
B.OCSP stapling
C.CRL
D.Certificate transparency
Answer: A

OCSP provides real-time status.

Why this answer

OCSP (Online Certificate Status Protocol) lets the client query the CA's responder for the status of one certificate instead of downloading the full CRL. OCSP stapling (B) uses the same protocol, but the server fetches the signed response and attaches it to the TLS handshake; it is a delivery optimization for the client, not the status-checking method itself, which is why A is the answer to "which method is designed for online checking".

527
MCQ · medium

An organization's security team detects a potential data breach. After confirming the incident, they classify it as P2 (high severity) and begin containment. Which action should be performed FIRST to preserve evidence for forensic analysis?

A.Disconnect the system from the network
B.Capture a memory dump using a tool like Magnet RAM Capture
C.Create a forensic image of the hard drive
D.Run an antivirus scan to remove malware
Answer: B

Correct. Memory contains volatile evidence that is lost when power is removed.

Why this answer

When a high-severity incident (P2) is confirmed, the first priority for forensic preservation is capturing volatile data, which includes system memory (RAM). A memory dump using a tool like Magnet RAM Capture preserves running processes, network connections, encryption keys, and malware in memory that would be lost on shutdown or disconnection. This order follows the volatility principle: capture the most volatile data first before any other action that could alter the system state.

Exam trap

The trap here is that candidates often choose 'Disconnect the system from the network' first, thinking containment is the immediate priority, but the SSCP exam emphasizes that evidence preservation (starting with volatile data) must precede containment actions to avoid destroying forensic artifacts.

How to eliminate wrong answers

Option A is wrong because disconnecting from the network first destroys volatile evidence (active connections, sessions, and memory-resident artifacts that a capture would have shown), and some malware reacts to loss of connectivity by wiping itself or its keys. Option C is wrong because disk contents are non-volatile and survive a shutdown, so under the order of volatility the disk image is taken after memory; a forensic image is captured read-only (write blocker or trusted imaging tool), so the issue is sequencing, not that imaging itself alters the disk. Option D is wrong because running an antivirus scan modifies the system state (quarantining or deleting files, updating timestamps) and destroys evidence; scanning is a remediation step, not a preservation step.

528
MCQ · easy

Which Windows feature allows an administrator to define security policies such as password complexity and account lockout across multiple systems in a domain?

A.Local Security Policy
B.Security Audit Policies
C.Group Policy
D.User Account Control (UAC)
Answer: C

Group Policy centrally manages security settings for multiple systems.

Why this answer

Group Policy enforces security settings across Active Directory domain-joined systems. Local Security Policy only affects the local machine. UAC controls elevation.

Security Audit Policies are part of Group Policy but not the overarching feature.

529
MCQ · easy

Based on the exhibit, what type of attack is most likely occurring?

A.Brute-force attack
B.Pass-the-hash attack
C.Dictionary attack
D.Password spraying attack
Answer: D

Password spraying attempts one or a few common passwords across many accounts, matching the pattern.

Why this answer

The exhibit is not reproduced on this page. The pattern that identifies password spraying is the same password (or a very short list of common passwords) being tried against many different usernames, typically from one source and spaced out in time so that no single account reaches the lockout threshold. A dictionary attack looks like the inverse: one username receiving many different password guesses in quick succession. The answer key treats the exhibit as showing the former pattern (low-and-slow attempts spread across accounts), which is why password spraying is the correct choice.

Exam trap

The trap here is confusing dictionary attacks (many passwords, one user) with password spraying (one password, many users), as both use a wordlist but differ in the attack vector and lockout avoidance strategy.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries all possible character combinations systematically, not a curated list of likely passwords, and would generate far more attempts against each account than shown. Option B is wrong because a pass-the-hash attack replays a captured NTLM password hash to authenticate without knowing the plaintext password; it does not involve guessing passwords at all. Option C is wrong because a dictionary attack sends many passwords against a single username, whereas the exhibit shows a single password attempt across multiple usernames, which is the hallmark of password spraying.
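Added example (not part of the question bank): a small Python triage script that applies the distinction above to constructed authentication-log lines. The log format (`src=`, `user=`, `result=`) and the thresholds are assumptions; the point is that the same failed-login records are grouped per source and then read along two axes, distinct accounts and attempts per account, which is what separates spraying from a dictionary attack.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication-log sample (hypothetical key=value format; not the
# exhibit from the question). One source sprays a single guess across six
# accounts thirty seconds apart; a second source hammers one account eight times.
SAMPLE_LOG = """\
2024-05-01T09:00:00 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:30 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:01:00 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:01:30 src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:02:00 src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:02:30 src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:10:00 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:01 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:02 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:03 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:04 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:05 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:06 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:10:07 src=198.51.100.9 user=admin result=FAIL
2024-05-01T09:15:00 src=192.0.2.44 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "user": m["user"], "result": m["result"]})
    return events


def classify_sources(events, lockout_threshold=5, min_users=5):
    """Per source IP: many distinct users with few failures each = spraying;
    one user with failures at or above the lockout threshold = dictionary/brute force."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    stamps = defaultdict(list)                         # src -> failure timestamps
    for e in events:
        if e["result"] != "FAIL":
            continue
        failures[e["src"]][e["user"]] += 1
        stamps[e["src"]].append(e["ts"])

    verdicts = {}
    for src, per_user in failures.items():
        ts = sorted(stamps[src])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg_gap = sum(gaps) / len(gaps) if gaps else 0.0
        max_per_user = max(per_user.values())
        if len(per_user) >= min_users and max_per_user < lockout_threshold:
            label = "password_spraying"            # stays under lockout per account
        elif len(per_user) == 1 and max_per_user >= lockout_threshold:
            label = "dictionary_or_brute_force"    # would trip lockout on that account
        else:
            label = "inconclusive"
        verdicts[src] = {"label": label, "distinct_users": len(per_user),
                         "failures": sum(per_user.values()),
                         "max_per_user": max_per_user, "avg_gap_s": avg_gap}
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, verdict)
```

The average gap between failures is reported because it is the second tell: a sprayer paces attempts to stay under lockout and monitoring thresholds, while a dictionary run against one account arrives as fast as the service will answer.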

530
MCQ · medium

A company wants to implement a key management system. They need to generate cryptographic keys that are unpredictable. Which source of randomness should be used?

A.Hardware random number generator (HRNG)
B.Random numbers from a website
C.Linear congruential generator (LCG)
D.Pseudorandom number generator (PRNG) seeded with current timestamp
Answer: A

HRNGs provide high-quality entropy suitable for key generation.

Why this answer

A hardware random number generator (HRNG) is the correct choice because it derives randomness from physical processes (e.g., thermal noise, quantum effects) that are inherently unpredictable and non-deterministic. Cryptographic key generation requires true entropy to resist brute-force and prediction attacks, which software-based deterministic methods cannot guarantee. In practice the raw HRNG output is conditioned and used to seed a cryptographically secure PRNG (for example the operating system pool behind /dev/urandom or getrandom()), since raw hardware output can be biased; the essential point is that the entropy originates from a physical source rather than from a guessable software seed.

Exam trap

The SSCP exam often tests the misconception that a PRNG seeded with a timestamp is sufficient for cryptography, but the trap is that timestamps are predictable or guessable, making the output deterministic and insecure for key generation.

How to eliminate wrong answers

Option B is wrong because random numbers from a website are sourced over an untrusted network and may be intercepted, logged, reused, or generated by a pseudorandom algorithm, offering no verifiable entropy. Option C is wrong because a linear congruential generator (LCG) is a deterministic recurrence whose internal state can be recovered from a handful of outputs, after which every future value is predictable; it is acceptable for simulations but never for cryptographic keys. Option D is wrong because a pseudorandom number generator (PRNG) seeded with the current timestamp is deterministic; if the timestamp is guessed or observed, all outputs become predictable, violating the unpredictability requirement.
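Added example, not code from the question bank: Python demonstrating why options C and D fail and what the correct choice looks like in software. The timestamp, the LCG constants and the one-hour search window are assumptions chosen for illustration; `secrets` stands in for the hardware-backed operating-system CSPRNG a key management system would actually call.

```python
import random
import secrets

# --- Anti-pattern 1 (option D): PRNG seeded with the wall-clock time -----------
def weak_key(seed_ts, nbytes=16):
    """Key derived from Python's Mersenne Twister seeded with a Unix timestamp.
    Deterministic: anyone who guesses the second gets the same key."""
    rng = random.Random(seed_ts)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def recover_seed(observed_key, approx_ts, window_s=3600):
    """Attacker's view: the key was generated 'around' approx_ts (taken from a
    log or file timestamp). Trying every second in the window recovers the seed."""
    for guess in range(approx_ts - window_s, approx_ts + window_s + 1):
        if weak_key(guess, len(observed_key)) == observed_key:
            return guess
    return None


# --- Anti-pattern 2 (option C): linear congruential generator ------------------
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 2 ** 31   # classic ANSI C rand() constants


def lcg_next(state):
    return (LCG_A * state + LCG_C) % LCG_M


def lcg_stream(seed, n):
    """Outputs of an LCG that (like many toy implementations) emits its whole state."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(s)
    return out


def predict_next_lcg(observed):
    """One observed output is the full state, so the next value is just the recurrence."""
    return lcg_next(observed[-1])


# --- Correct (option A): operating-system CSPRNG fed by hardware entropy ------
def strong_key(nbytes=16):
    """secrets.token_bytes() calls os.urandom(), the kernel CSPRNG that is seeded
    from hardware and environmental entropy; there is no seed for an attacker to guess."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    victim_ts = 1714554000                     # constructed: 2024-05-01 09:00:00 UTC
    key = weak_key(victim_ts)
    print("seed recovered from weak key:", recover_seed(key, victim_ts + 1200) == victim_ts)
    stream = lcg_stream(seed=0xC0FFEE, n=4)
    print("LCG next value predicted:", predict_next_lcg(stream[:3]) == stream[3])
    print("strong key:", strong_key().hex())
```

The recovery loop needs only the rough time of key generation, which file metadata or a log line usually leaks; narrowing the window is all the attacker has to do, whereas the `secrets` key has no seed to search for.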

531
Multi-Select · medium

After a security incident, the response team holds a lessons learned meeting. Which TWO are primary objectives of this meeting? (Select two.)

Select 2 answers
A.Identify what went well and what could be improved
B.Update the incident response plan and runbooks
C.Delete all evidence to free up storage
D.Assign blame for the incident
E.Restore affected systems to production
Answers: A, B

Correct. Lessons learned captures successes and areas for improvement.

Why this answer

The primary objectives of a lessons learned meeting after a security incident are to identify what went well and what could be improved, and to update the incident response plan and runbooks based on those findings. This meeting focuses on process improvement and documentation updates to enhance future response efforts, not on operational tasks like evidence handling or system restoration.

Exam trap

The trap here is that candidates may confuse operational recovery tasks (like restoring systems or deleting evidence) with the strategic, process-improvement objectives of the lessons learned meeting, which are solely focused on analyzing the response and updating documentation.

532
MCQ · hard

A security analyst reviews a firewall log showing an internal IP attempting outbound connections to multiple external IPs on port 443. The analyst suspects command and control. Which additional data source would be MOST useful for confirmation?

A.NetFlow data
B.System event logs
C.DNS logs
D.Antivirus logs
Answer: C

DNS logs show which domain names resolved to the destination IPs; C2 implants typically rely on domains (often DGA-generated) rather than fixed IPs.

Why this answer

DNS logs are the most useful additional data source because C2 traffic often uses domain generation algorithms (DGAs) or connects to known malicious domains. By correlating the outbound connections on port 443 with the DNS queries the same host made just before them, the analyst can identify the suspicious domain lookups that precede the connections, revealing the C2 infrastructure. Unlike NetFlow or system logs, DNS logs directly show the domain names being resolved, which is a key indicator of C2 activity. If an implant uses hard-coded IPs or DNS over HTTPS, the lookups will not appear in the resolver logs, and the absence of any lookup before a connection is itself worth noting in the investigation.

Exam trap

The trap here is that candidates often choose NetFlow data (Option A) because it shows traffic flows, but they overlook that DNS logs directly reveal the domain names being resolved, which is critical for identifying C2 domains that may not appear in NetFlow's IP-only view.

How to eliminate wrong answers

Option A is wrong because NetFlow data provides metadata about traffic flows (source/destination IPs, ports, and volume) but does not include the domain names or DNS queries, making it less effective for identifying C2 domains. Option B is wrong because system event logs record local OS events (e.g., process creation, logins) and do not directly capture network-level DNS queries or outbound connection destinations. Option D is wrong because antivirus logs focus on file-based malware detections and may miss network-only C2 activity, especially if the malware is fileless or uses encrypted channels.
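Added example, not from the question bank: Python that joins constructed firewall and DNS resolver log lines the way the analyst in the question would, then flags the resolved names. Both log formats, the internal host, the 120-second correlation window and the entropy threshold are assumptions; the entropy score is only a crude prompt for review, not a verdict.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed logs in hypothetical formats (not from any real product).
DNS_LOG = """\
2024-05-01T10:00:00 client=10.0.0.25 q=xk3pq9zvbtwmfd.example.net a=198.51.100.23
2024-05-01T10:00:05 client=10.0.0.25 q=update.vendor.example a=203.0.113.10
"""
FW_LOG = """\
2024-05-01T10:00:02 src=10.0.0.25 dst=198.51.100.23 dport=443 action=allow
2024-05-01T10:00:07 src=10.0.0.25 dst=203.0.113.10 dport=443 action=allow
2024-05-01T10:00:09 src=10.0.0.25 dst=192.0.2.77 dport=443 action=allow
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<q>\S+) a=(?P<a>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) action=(?P<action>\S+)$")


def _parse(text, regex):
    rows = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.fromisoformat(row["ts"])
            rows.append(row)
    return rows


def correlate(fw_text, dns_text, host, dport="443", window_s=120):
    """For each outbound connection from `host` on `dport`, return the most recent
    DNS answer from the same client (within window_s before the connection) that
    resolved to the destination IP. None means no lookup preceded the connection:
    a hard-coded C2 address, or DNS resolved some other way (e.g. DoH)."""
    dns = [d for d in _parse(dns_text, DNS_RE) if d["client"] == host]
    result = []
    for c in _parse(fw_text, FW_RE):
        if c["src"] != host or c["dport"] != dport:
            continue
        candidates = [d for d in dns if d["a"] == c["dst"]
                      and 0 <= (c["ts"] - d["ts"]).total_seconds() <= window_s]
        best = max(candidates, key=lambda d: d["ts"]) if candidates else None
        result.append((c["dst"], best["q"] if best else None))
    return result


def label_entropy(domain):
    """Shannon entropy (bits per character) of the leftmost label.
    DGA-generated names tend to score high; short ordinary words score low."""
    label = domain.split(".")[0]
    n = len(label)
    return -sum(k / n * math.log2(k / n) for k in Counter(label).values())


def triage(fw_text, dns_text, host, entropy_threshold=3.5):
    findings = []
    for dst, domain in correlate(fw_text, dns_text, host):
        if domain is None:
            findings.append((dst, None, "no preceding DNS lookup"))
        elif label_entropy(domain) >= entropy_threshold:
            findings.append((dst, domain, "high-entropy label (possible DGA)"))
        else:
            findings.append((dst, domain, "ok"))
    return findings


if __name__ == "__main__":
    for finding in triage(FW_LOG, DNS_LOG, "10.0.0.25"):
        print(finding)
```

The join key is the answer IP plus a short time window, because the connection the firewall logged is to an IP, while the indicator the analyst wants is the name that produced it; the third connection, with no lookup at all, is the case the question's NetFlow distractor would never surface.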

533
MCQ · hard

You are the security administrator for a mid-sized financial services company. The company uses Active Directory (AD) for identity management and has implemented role-based access control (RBAC) for its core banking application. Recently, the company acquired a smaller firm and is integrating its employees into AD. During the integration, you notice that many of the new employees have been assigned multiple roles that grant them access to sensitive financial data, despite their job descriptions indicating they need only limited access. Additionally, some users who left the acquired company have not been disabled in AD. The company's security policy mandates the principle of least privilege and requires that access reviews be conducted quarterly, but no review has been performed in the past year. You have been tasked with remediating these issues. Which of the following approaches is the MOST effective initial step to address the immediate risk of excessive access?

A.Conduct a comprehensive access recertification review for all users in the acquired company.
B.Implement multifactor authentication (MFA) for all users in the acquired company.
C.Roll back all user permissions to the default role and then re-add each user based on their job function.
D.Immediately disable all user accounts from the acquired company that have not been logged in within the last 90 days.
Answer: D

This quickly removes dormant accounts that may have excessive privileges.

Why this answer

Option D is the most effective initial step because it immediately reduces the attack surface by disabling accounts that are likely orphaned (no login in 90 days), directly addressing the immediate risk of excessive access from former employees. This aligns with the principle of least privilege and is a quick, high-impact remediation that can be performed before a full access review or recertification.

Exam trap

The trap here is that candidates often choose a comprehensive review (Option A) as the 'best practice' without recognizing that immediate risk mitigation (disabling orphaned accounts) must precede a full recertification to prevent further exposure during the review process.

How to eliminate wrong answers

Option A is wrong because conducting a comprehensive access recertification review is a longer-term process that does not address the immediate risk of orphaned accounts or excessive permissions; it should follow initial containment. Option B is wrong because implementing MFA strengthens authentication but does not reduce excessive access or remove orphaned accounts; it addresses a different risk (unauthorized access via compromised credentials) rather than the immediate risk of already-assigned excessive permissions. Option C is wrong because rolling back all user permissions to a default role and re-adding them is disruptive, time-consuming, and may cause business interruption; it also assumes a clean baseline that may not exist and does not prioritize the highest-risk accounts (orphaned ones) first.

534
MCQ · medium

An organization wants to ensure that only corporate-managed devices can connect to the internal network. Non-compliant devices should be placed in a restricted VLAN with limited access. Which technology should be deployed?

A.Virtual Private Network (VPN)
B.Network Access Control (NAC)
C.Stateful firewall
D.Intrusion Prevention System (IPS)
Answer: B

NAC integrates with authentication to enforce compliance and VLAN assignment.

Why this answer

Network Access Control (NAC) with 802.1X can enforce policies, quarantine non-compliant devices, and assign appropriate VLANs.

535
Multi-Select · medium

Which TWO are valid reasons to revoke a user's access? (Choose two.)

Select 2 answers
A.User is terminated
B.User changes job roles
C.User password expires
D.User completes quarterly training
E.User updates personal information
Answers: A, B

Termination requires immediate revocation of all access.

Why this answer

Option A is correct because when a user is terminated, their access must be immediately revoked to prevent unauthorized access to systems and data. This is a fundamental principle of access control, ensuring that former employees cannot exploit their credentials. Option B is correct because a job change means the user's existing entitlements no longer match their duties; leaving them in place is how privilege creep accumulates, so the old role's access is revoked and the new role's access is provisioned (effectively a revoke-and-regrant). Revocation typically involves disabling the user account, removing group memberships, and invalidating any active sessions or tokens.

Exam trap

The trap here is that candidates confuse password expiration (which forces the user to set a new password but leaves the account and its entitlements intact) with revocation (a permanent or indefinite removal of access rights), and they may think that completing training or updating personal information could justify revocation, but these are normal user lifecycle events that do not indicate a security risk.

536
Multi-Select · hard

Which three statements are true regarding mandatory access control (MAC) systems? (Select THREE)

Select 3 answers
A.Multilevel security is enforced
B.Subjects have clearance levels
C.Access decisions are based on security labels
D.The owner of an object can change its security label
E.Users can grant permissions to other users
Answers: A, B, C

MAC systems are designed to enforce multilevel security, allowing information at different classifications to be processed on the same system.

Why this answer

Mandatory Access Control (MAC) enforces system-wide policy based on security labels assigned to subjects and objects. Multilevel security (MLS) is a core MAC property where data at different classification levels (e.g., Secret, Top Secret) is isolated and access is governed by the system, not users. Subjects (users/processes) are assigned clearance levels, and objects have security labels; access decisions compare these labels using rules like the Bell-LaPadula model (no read up, no write down).

Exam trap

The trap here is that candidates confuse MAC with Discretionary Access Control (DAC), where owners can change permissions and grant access, leading them to incorrectly select options D or E as true for MAC.
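Added example (not from the question bank): a minimal Python model of the three MAC properties above, using the Bell-LaPadula simple security and star properties over labels that combine a level with a category set. The levels, categories and the `security_officer` role are assumptions chosen for illustration; the point is that neither ownership nor the user's wishes enter into the access decision or the relabeling rule.

```python
from dataclasses import dataclass, field

# Ordered classification levels (assumed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """A dominates B when A's level is at least B's and A's categories include B's."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    clearance: Label
    security_officer: bool = False   # the only role permitted to change labels


@dataclass
class Obj:
    name: str
    label: Label
    owner: str                       # recorded, but irrelevant to MAC decisions


def can_read(subject, obj):
    """Simple security property: no read up (clearance must dominate the object)."""
    return subject.clearance.dominates(obj.label)


def can_write(subject, obj):
    """*-property, strict form: no write down (object label must dominate the clearance)."""
    return obj.label.dominates(subject.clearance)


def may_relabel(subject):
    """Under MAC, labels are set by the security administrator, never by an owner."""
    return subject.security_officer


def relabel(subject, obj, new_label):
    if not may_relabel(subject):
        raise PermissionError(f"{subject.name} may not relabel {obj.name} "
                              f"(owner={obj.owner == subject.name})")
    obj.label = new_label
    return obj


if __name__ == "__main__":
    bob = Subject("bob", Label("SECRET", frozenset({"NATO"})))
    memo = Obj("memo", Label("CONFIDENTIAL", frozenset({"NATO"})), owner="bob")
    plan = Obj("plan", Label("TOP SECRET", frozenset({"NATO"})), owner="alice")
    print("bob reads memo:", can_read(bob, memo), "| writes memo:", can_write(bob, memo))
    print("bob reads plan:", can_read(bob, plan), "| writes plan:", can_write(bob, plan))
    print("bob (owner) may relabel memo:", may_relabel(bob))
```

Bob owns the memo and still cannot lower its label or write his SECRET-level knowledge into it; that is exactly the distinction from DAC that options D and E probe.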

537
MCQ · hard

An organization is restoring a critical database from a backup after a ransomware attack. Which of the following steps should be performed BEFORE restoring the data to ensure the restoration is successful and secure?

A.Notify users that the system will be available in one hour
B.Disconnect the backup server from the network
C.Immediately restore the most recent backup to minimize data loss
D.Verify the integrity of the backup and patch the exploited vulnerability
Answer: D

This ensures the backup is clean and the system is hardened before restoration.

Why this answer

Option D is correct because verifying backup integrity (e.g., using checksums or restore tests) ensures the backup is not corrupted or incomplete, which is critical after a ransomware attack where backups may also be targeted. Patching the exploited vulnerability (e.g., applying a security update or disabling the vulnerable service) prevents re-infection during or after the restore, ensuring the recovery is secure. Without these steps, restoring a compromised or incomplete backup could lead to data loss or immediate re-encryption by the same ransomware.

Exam trap

The trap here is that candidates assume restoring the most recent backup is always the priority, but the SSCP exam emphasizes that verifying backup integrity and securing the environment against re-infection are mandatory prerequisites for a successful and secure recovery.

How to eliminate wrong answers

Option A is wrong because notifying users of a one-hour availability before verifying the backup or patching the vulnerability is premature and unrealistic; restoration time depends on backup size and integrity checks, and users should only be notified after a successful restore and testing. Option B is wrong because disconnecting the backup server from the network is a good practice during recovery to prevent ransomware spread, but it is not the step that ensures restoration success and security—it is a containment measure that should be done before or during the restore, not the critical prerequisite for a successful restore. Option C is wrong because immediately restoring the most recent backup without verifying its integrity risks restoring a corrupted or encrypted backup (common in ransomware attacks where backups are also encrypted), and without patching the vulnerability, the system will be immediately re-infected.

538
MCQ · hard

A security analyst reviews firewall logs and sees multiple 'ACL drop' entries for a specific internal IP trying to connect to a database server on port 1433. The rule base has an explicit permit for this traffic. What is the most likely reason for the drops?

A.The firewall rule is disabled
B.The database server is down
C.An earlier deny rule matches the traffic before the permit rule
D.The internal IP is on a blacklist
Answer: C

Rule ordering is critical; a preceding deny rule that matches the same traffic will cause drops even if a later permit exists.

Why this answer

The most likely reason for the ACL drops despite an explicit permit rule is that an earlier deny rule in the firewall rule base matches the traffic before the permit rule. Firewalls process ACL rules sequentially from top to bottom; the first matching rule determines the action. If a deny rule appears before the permit rule and matches the source IP, destination port, or other criteria, the traffic is dropped before reaching the permit entry.

Exam trap

The trap here is that candidates assume an explicit permit rule guarantees traffic flow, but they forget that ACLs are processed top-down and an earlier deny rule can override a later permit rule.

How to eliminate wrong answers

Option A is wrong because a disabled rule is simply skipped during evaluation; the question states the permit is present in the rule base, so a matching rule that precedes it is the more likely explanation for the explicit 'ACL drop' entries than a rule that was never evaluated. Option B is wrong because a down database server would cause connection timeouts or TCP RSTs, not ACL drops; ACL drops occur at the firewall before any server interaction. Option D is wrong because blacklists are typically implemented as separate threat intelligence feeds or dynamic block lists, not as standard ACL rules; if the IP were on a blacklist, it would still be matched by an earlier deny rule, not by a separate 'blacklist' mechanism in the ACL.
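Added example, not from the question bank: a Python first-match ACL evaluator over a constructed rule base shaped like the question's scenario, plus a shadowed-rule check that finds the earlier deny by reading the rule base rather than waiting for the drops to appear in the log. Rule names, addresses and the rule format are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str        # "permit" or "deny"
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    proto: str         # "tcp", "udp" or "any"
    dport: str         # port number as a string, or "any"


def _net(cidr):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, src, dst, proto, dport):
    """Match test of one rule against a concrete 5-tuple (minus source port)."""
    s, d = _net(rule.src), _net(rule.dst)
    return ((s is None or ipaddress.ip_address(src) in s)
            and (d is None or ipaddress.ip_address(dst) in d)
            and rule.proto in ("any", proto)
            and rule.dport in ("any", str(dport)))


def evaluate(rules, src, dst, proto, dport):
    """First match wins, top down; no match means the implicit deny at the end."""
    for rule in rules:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def _covers(field_a, field_b):
    """Does address field a (CIDR/any) cover everything address field b matches?"""
    a, b = _net(field_a), _net(field_b)
    if a is None:
        return True
    if b is None:
        return False
    return b.subnet_of(a)


def find_shadowed(rules):
    """A rule is shadowed when an earlier rule with a different action matches every
    packet the later rule would match, so the later rule can never fire.
    Returns (shadowed_rule, shadowing_rule) name pairs."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in ("any", later.dport)):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed rule base resembling the question: a broad deny placed above the
# specific permit for the application server that needs SQL Server (tcp/1433).
RULES = [
    Rule("block-users-to-db", "deny", "10.0.0.0/8", "10.50.0.10/32", "tcp", "1433"),
    Rule("allow-app-to-db", "permit", "10.0.5.20/32", "10.50.0.10/32", "tcp", "1433"),
    Rule("allow-web", "permit", "any", "any", "tcp", "443"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.0.5.20", "10.50.0.10", "tcp", 1433))   # ('deny', 'block-users-to-db')
    print(find_shadowed(RULES))                                        # [('allow-app-to-db', 'block-users-to-db')]
    fixed = [RULES[1], RULES[0], RULES[2]]
    print(evaluate(fixed, "10.0.5.20", "10.50.0.10", "tcp", 1433))    # ('permit', 'allow-app-to-db')
```

Moving the specific permit above the broad deny fixes the drop without widening access: the same rule base still denies every other 10.0.0.0/8 source and still falls through to the implicit deny for anything unlisted.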

539
Multi-Select · hard

Which THREE steps are essential during the identification phase of incident response?

Select 3 answers
A.Eradicate the threat
B.Notify stakeholders
C.Monitor logs and alerts
D.Determine scope of incident
E.Classify incident severity
Answers: C, D, E

Continuous monitoring is key to detecting anomalies.

Why this answer

Options C, D, and E are correct because identification involves monitoring logs and alerts (C), determining the scope and impact of the incident (D), and classifying its severity (E). Option A, eradicating the threat, belongs to the eradication phase that follows containment. Option B, notifying stakeholders, is part of communication; it may happen during identification but is not what the phase consists of.

540
MCQ · easy

Which wireless encryption protocol is currently considered the most secure for home use?

A.WPA2-Enterprise
B.WPA3-Personal
C.WEP (Wired Equivalent Privacy)
D.WPA2-PSK
Answer: B

WPA3-Personal is the latest standard with enhanced security.

Why this answer

WPA3-Personal is currently the most secure wireless encryption protocol for home use because it replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that provides forward secrecy and resists offline dictionary attacks on captured handshakes. WPA3 also requires AES-CCMP, requires Protected Management Frames, and prohibits the legacy TKIP and WEP ciphers (the GCMP-256 suite belongs to the optional WPA3-Enterprise 192-bit mode, not to WPA3-Personal), ensuring robust confidentiality and integrity for home networks.

Exam trap

ISC2 often tests the misconception that WPA2-Enterprise is inherently more secure than WPA3-Personal for all environments, but the question specifically asks for home use, where WPA3-Personal's SAE and forward secrecy provide superior security without the complexity of a RADIUS server.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise is designed for corporate environments with a RADIUS server for 802.1X/EAP authentication, not for typical home use; its strength depends on the EAP method and server configuration rather than on SAE. Option C is wrong because WEP (Wired Equivalent Privacy) uses the RC4 stream cipher with a static key and a short IV and is trivially broken in minutes using tools like aircrack-ng, making it completely insecure. Option D is wrong because WPA2-PSK derives the session keys from a pre-shared key through the 4-way handshake; a captured handshake permits an offline dictionary attack (e.g., with Hashcat), and it lacks the forward secrecy and SAE protection of WPA3.

541
MCQ · hard

A security analyst reviews log files and sees multiple failed SSH attempts from various IP addresses. The analyst implements a rate-limiting rule on the firewall to block IPs after 5 failed attempts in 10 minutes. This is an example of which type of security control?

A.Compensating
B.Preventive
C.Detective
D.Deterrent
E.Corrective
Answer: B

Rate-limiting blocks attacks before they succeed.

Why this answer

Rate-limiting SSH attempts by blocking IPs after 5 failed attempts in 10 minutes is a preventive control because it actively stops unauthorized access before it can occur. By enforcing a threshold on the firewall, the control reduces the attack surface against brute-force attacks, directly preventing further authentication attempts from suspicious sources.

Exam trap

The trap here is that candidates confuse 'preventive' with 'deterrent' because both aim to stop attacks, but preventive controls physically block the action (e.g., firewall rule) while deterrent controls only discourage it (e.g., warning banner).

How to eliminate wrong answers

Option A is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control cannot be implemented (e.g., using out-of-band authentication instead of a smart card), not a proactive block on SSH attempts. Option C is wrong because detective controls identify and log malicious activity after it happens (e.g., IDS alerts), whereas this firewall rule blocks attempts in real time. Option D is wrong because deterrent controls discourage attackers through fear of consequences (e.g., warning banners), but they do not physically or logically prevent the action.

Option E is wrong because corrective controls remediate damage after an incident (e.g., restoring from backup), not preemptively limiting failed logins.
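Added example, not from the question bank: a Python sliding-window limiter implementing the 5-failures-in-10-minutes rule from the question, with a block that expires, a reset on successful login, and the control's known gap (an attacker pacing attempts under the threshold), which is why the detective controls remain necessary alongside it. The block duration and the event interface are assumptions.

```python
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Block a source after `threshold` failures within a sliding `window_s` seconds.
    Only (source, timestamp, outcome) is needed, so it can sit in front of any service."""

    def __init__(self, threshold=5, window_s=600, block_s=3600):
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self._failures = defaultdict(deque)   # src -> timestamps of recent failures
        self._blocked_until = {}              # src -> time at which the block expires

    def is_blocked(self, src, now):
        until = self._blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                      # block expired: forget it
            del self._blocked_until[src]
            return False
        return True

    def record(self, src, now, success):
        """Feed one authentication event. Returns True if src is blocked afterwards."""
        if self.is_blocked(src, now):
            return True
        q = self._failures[src]
        if success:
            q.clear()                         # a valid login resets the counter
            return False
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[src] = now + self.block_s
            q.clear()
            return True
        return False


if __name__ == "__main__":
    lim = FailedLoginLimiter()
    t0 = 1_000_000
    for i in range(5):                        # five failures one minute apart
        print("failure", i + 1, "blocked:", lim.record("203.0.113.9", t0 + i * 60, False))
    slow = FailedLoginLimiter()               # one failure every three minutes: never five in any window
    print("slow attacker ever blocked:",
          any(slow.record("198.51.100.3", t0 + i * 180, False) for i in range(10)))
```

The second run is the caveat worth remembering from the question: the rule is preventive against the noisy brute force it was written for, but a patient attacker simply stays under 5 per 10 minutes, so the log review that prompted the rule is not made redundant by it.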

542
MCQ · medium

A financial services firm with 500 servers and 2000 workstations uses an internal public key infrastructure (PKI) for authentication and secure communication. The root CA certificate is self-signed and stored on an offline root CA server. Recently, the root CA server was physically stolen from a locked data center. Although the server was encrypted, forensic analysis confirms that the root CA private key was extracted. The security team must immediately revoke trust in the compromised root CA and issue new certificates to all devices. The environment includes Active Directory and Group Policy. Which approach best ensures all systems trust the new CA hierarchy and obtain valid certificates with minimal disruption?

A.Generate a new root CA, sign new subordinate CAs, distribute the new root via Group Policy, and re-issue all end-entity certificates.
B.Publish a certificate revocation list (CRL) and wait for existing certificates to expire.
C.Generate a new root CA certificate and key, then re-issue all subordinate CA certificates without re-issuing end-entity certificates.
D.Enable OCSP stapling on all web servers to check revocation status in real time.
Answer: A

This ensures all systems trust the new CA hierarchy and have valid certificates.

Why this answer

Option A is correct because the root CA private key has been compromised, so the entire PKI hierarchy must be rebuilt from scratch: a new self-signed root CA is generated, new subordinate CAs are signed under it, and all end-entity certificates are re-issued to devices. Distributing the new root CA certificate via Active Directory Group Policy ensures that all domain-joined systems trust the new hierarchy automatically, minimizing manual intervention and disruption. The old root should be pushed to the Untrusted Certificates store through the same Group Policy, so that anything still chaining to it is rejected outright rather than left to expire.

Exam trap

The trap here is that candidates may think re-issuing only subordinate CAs (Option C) is sufficient, overlooking that end-entity certificates signed by the compromised root remain untrusted and must also be replaced to restore a valid chain of trust.

How to eliminate wrong answers

Option B is wrong because publishing a CRL only revokes trust in the compromised root CA but does not establish a new trusted hierarchy; waiting for existing certificates to expire leaves systems vulnerable and without valid certificates for an extended period. Option C is wrong because re-issuing subordinate CA certificates without re-issuing end-entity certificates leaves all existing end-entity certificates signed by the compromised root CA still in use, which are untrusted and cannot be validated. Option D is wrong because OCSP stapling is a revocation checking mechanism, not a method to replace a compromised root CA or issue new certificates; it does not address the need to establish a new trust anchor.

543
MCQ · medium

During incident response, a team needs to isolate an infected workstation that is part of a critical manufacturing network. Which containment method is MOST appropriate to minimize disruption while preventing the spread of malware?

A.Place the workstation into a quarantine VLAN via switch configuration
B.Apply a host-based firewall rule to block all inbound traffic
C.Physically unplug the network cable
D.Disable the user's Active Directory account
Answer: A

Correct. VLAN quarantine isolates the device while allowing limited access for forensics.

Why this answer

Placing the workstation into a quarantine VLAN via switch configuration is most appropriate because it logically isolates the infected host from the rest of the network at Layer 2, preventing lateral spread of malware while allowing the manufacturing network to continue operating. This method uses 802.1Q VLAN tagging and access control lists (ACLs) on the switch to restrict traffic without physically disconnecting the device, which could disrupt time-sensitive manufacturing processes. It also preserves the ability to remotely manage or forensically image the workstation if needed.

Exam trap

The trap here is that candidates often choose 'physically unplug the network cable' because it seems like the most definitive containment, but they overlook the requirement to minimize disruption in a critical manufacturing network where sudden disconnection can halt production or cause safety hazards.

How to eliminate wrong answers

Option B is wrong because applying a host-based firewall rule to block all inbound traffic does not prevent the infected workstation from initiating outbound connections to spread malware to other systems, and it relies on the compromised host's own software, which may be disabled or bypassed by the malware. Option C is wrong because physically unplugging the network cable completely removes the workstation from the network, which can cause immediate disruption to critical manufacturing processes that depend on that workstation for real-time control or monitoring. Option D is wrong because disabling the user's Active Directory account only prevents that user from authenticating to domain resources; it does not stop the workstation from reaching other hosts on the same subnet or from spreading malware over channels that do not use the user's domain credentials, such as an exploit against an SMB or other network service.

544
MCQ · hard

After containing a ransomware incident, the incident response team identifies that the attacker gained initial access through a phishing email that installed a backdoor. Which of the following eradication steps is MOST critical to prevent re-infection?

A.Resetting all user passwords
B.Reimaging all affected systems from a known-good backup
C.Removing the backdoor executable and associated persistence mechanisms
D.Conducting security awareness training for all employees
Answer: C

Directly removing the backdoor prevents it from being used again. Combined with patching, this is critical.

Why this answer

Option C is correct because the primary goal of eradication is to remove the attacker's foothold from the system. Removing the backdoor executable and its associated persistence mechanisms (e.g., scheduled tasks, registry Run keys, or WMI subscriptions) directly eliminates the means by which the attacker can regain access, preventing re-infection from the same vector.

Exam trap

The trap here is that candidates often confuse eradication with recovery or prevention, choosing reimaging (Option B) or training (Option D) instead of recognizing that removing the attacker's specific foothold is the immediate technical priority to stop re-infection.

How to eliminate wrong answers

Option A is wrong because resetting user passwords addresses credential compromise but does not remove the backdoor or its persistence; the attacker can still re-enter via the backdoor without needing a password. Option B is wrong because reimaging from a known-good backup is a valid recovery step, but it is not the most critical eradication step—it is a more drastic measure that may not be necessary if the backdoor can be surgically removed, and it does not address the root cause of the initial compromise (the phishing vector). Option D is wrong because security awareness training is a preventive measure that reduces future risk but does not eradicate the existing backdoor or persistence mechanisms already present on affected systems.

545
MCQ · medium

During a security awareness training session, an employee asks how to identify a phishing email. Which of the following is the most reliable indicator of a phishing attempt?

A.The email contains an attachment from an unknown sender
B.The email has grammatical errors or misspellings
C.The email creates a sense of urgency or threatens negative consequences
D.The email address of the sender closely resembles a legitimate domain
Answer: C

Urgency and threats are classic phishing tactics designed to bypass rational thinking.

Why this answer

Phishing emails often contain urgent or threatening language to prompt immediate action. While other indicators like misspellings can be present, the most reliable is the use of urgency or threats, which is a common social engineering tactic.

546
MCQeasy

Which of the following protocols operates on TCP port 443 and provides encrypted communication between a web browser and a web server?

A.HTTPS
B.SMTP
C.SSH
D.HTTP
AnswerA

HTTPS uses TCP port 443 with TLS/SSL encryption.

Why this answer

HTTPS uses TLS/SSL over TCP port 443 to secure HTTP traffic.

547
Multi-Selectmedium

An organization uses a hot disaster recovery (DR) site and has a Recovery Time Objective (RTO) of 4 hours. During a DR test, the team discovers that data replication from the primary site fails. Which TWO actions should the team take to meet the RTO while ensuring data integrity? (Choose two.)

Select 2 answers
A.Verify the integrity of the backup before restoration using hash checks.
B.Extend the RTO to allow time for manual data re-entry.
C.Failover to the hot DR site immediately without data restoration.
D.Restore the latest valid backup from the primary site to the DR site.
E.Switch to a cold DR site that requires hardware setup.
AnswersA, D

Ensuring backup integrity prevents restoring corrupted or infected data.

Why this answer

Option A is correct because verifying the integrity of the backup using hash checks (e.g., SHA-256 or MD5) ensures that the data has not been corrupted during storage or transfer, which is critical before restoration to maintain data integrity. Option D is correct because restoring the latest valid backup from the primary site to the DR site provides a known-good data set, allowing the organization to meet the 4-hour RTO by having a consistent state to failover to, even if replication has failed.

Exam trap

Cisco often tests the misconception that failing over to a hot site immediately is sufficient, but the trap here is that without verifying and restoring a valid backup, the DR site may contain corrupted or incomplete data, breaking data integrity requirements.

548
MCQhard

You are the security administrator for a healthcare organization that uses a Windows Active Directory domain. The organization has recently implemented a new electronic health record (EHR) system that requires users to authenticate before accessing patient data. The EHR system uses Kerberos for authentication. Users report that they can access the EHR system from their office workstations, but when they attempt to access it remotely via VPN, they receive an 'Access Denied' error. The VPN uses RADIUS for authentication and assigns IP addresses from a separate subnet. The EHR server is in the same domain as the workstations. You verify that the users are able to connect to the VPN successfully and can access other internal resources. What is the most likely cause of the issue?

A.The EHR server is not joined to the domain.
B.The VPN does not forward Kerberos traffic to the domain controller.
C.The remote user's system clock is not synchronized with the domain controller.
D.The user's account is not in the EHR application's access group.
AnswerC

Kerberos requires time synchronization; remote VPN clients often drift from the domain controller's clock.

Why this answer

Kerberos authentication is highly sensitive to time skew; the default maximum tolerance is 5 minutes (RFC 4120). When users connect via VPN, their system clocks may drift from the domain controller's time, especially if they are not synchronized with the domain's time source. This time difference causes Kerberos to reject the ticket request, resulting in an 'Access Denied' error even though the VPN connection itself is successful.

Exam trap

The trap here is that candidates focus on network connectivity or VPN configuration (like port forwarding) rather than the time synchronization requirement of Kerberos, assuming that successful VPN connection implies all authentication protocols will work seamlessly.

How to eliminate wrong answers

Option A is wrong because the EHR server is explicitly stated to be in the same domain as the workstations, and users can access it from office workstations, confirming domain membership. Option B is wrong because the VPN successfully forwards other traffic (users can access other internal resources), and Kerberos traffic uses UDP/TCP port 88, which is typically allowed through VPN tunnels; the issue is not traffic forwarding but authentication failure. Option D is wrong because the error occurs during authentication, not authorization; if the user were not in the EHR application's access group, they would likely receive a different error (e.g., 'Access Denied' after successful authentication) or be prompted for credentials again, not fail at the Kerberos ticket-granting step.

549
MCQmedium

A security auditor discovers that a Linux server has a user who can execute any command as root via sudo without a password. Which file should be reviewed to verify this configuration?

A./etc/shadow
B./etc/group
C./etc/sudoers
D./etc/passwd
AnswerC

The sudoers file defines which users can run which commands as which users, including the NOPASSWD option.

Why this answer

The /etc/sudoers file controls sudo privileges. It can be edited with visudo. A NOPASSWD entry would allow passwordless sudo.

550
MCQeasy

Which of the following encryption algorithms is classified as a symmetric block cipher and is the current standard recommended by NIST, supporting key sizes of 128, 192, and 256 bits?

A.AES
B.RSA
C.3DES
D.ChaCha20
AnswerA

AES is the correct answer.

Why this answer

AES (Advanced Encryption Standard) is a symmetric block cipher that encrypts data in fixed 128-bit blocks and is the current standard recommended by NIST (FIPS 197). It supports key sizes of 128, 192, and 256 bits, making it the correct answer for a symmetric block cipher with those specific key lengths.

Exam trap

The trap here is that candidates often confuse symmetric vs. asymmetric algorithms or mistake 3DES for a modern standard, but NIST specifically deprecated 3DES in 2018 (NIST SP 800-131A Rev. 2) and recommends AES for all new applications.

How to eliminate wrong answers

Option B (RSA) is wrong because it is an asymmetric (public-key) cipher, not a symmetric block cipher, and it does not use fixed block sizes or the specified key sizes. Option C (3DES) is wrong because, while it is a symmetric block cipher, it is deprecated by NIST due to its small 64-bit block size and slow performance, and it supports key sizes of 56, 112, or 168 bits, not 128, 192, or 256 bits. Option D (ChaCha20) is wrong because it is a stream cipher, not a block cipher, and although it is a symmetric algorithm, it does not use the specified key sizes in the context of a block cipher standard.

551
MCQhard

In a Bell-LaPadula model implementation, a user with a Secret clearance attempts to read a document classified as Top Secret. Additionally, they try to write to a document classified as Unclassified. What are the results of these actions?

A.Read denied, write allowed
B.Read allowed, write allowed
C.Read denied, write denied
D.Read allowed, write denied
AnswerC

Correct. Both actions are denied.

Why this answer

Bell-LaPadula enforces *no read up* (simple security property) and *no write down* (*-property). Thus reading Top Secret is denied, and writing to Unclassified is also denied to prevent leakage.

552
MCQeasy

Based on the exhibit, which type of attack is most likely occurring?

A.Denial of service.
B.Brute force attack.
C.Dictionary attack.
D.Man-in-the-middle.
AnswerB

Multiple rapid failed attempts for the same user from one IP is characteristic of brute force.

Why this answer

The exhibit shows a high number of failed authentication attempts (e.g., 1000+ failures) from a single source IP within a short time window, targeting a specific user account. This pattern is characteristic of a brute force attack, where an attacker systematically tries many password combinations to gain unauthorized access. Unlike a dictionary attack, which uses a predefined list of likely passwords, a brute force attack exhaustively tests all possible combinations, as indicated by the sheer volume of attempts.

Exam trap

The trap here is that candidates may confuse a brute force attack with a dictionary attack, but the key differentiator is the exhaustive, non-selective nature of the attempts versus the use of a precompiled wordlist.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack aims to overwhelm system resources or disrupt service availability, not to repeatedly attempt authentication. Option C is wrong because a dictionary attack uses a curated list of common passwords or phrases, not the exhaustive, high-volume attempts shown in the exhibit. Option D is wrong because a man-in-the-middle (MITM) attack involves intercepting or altering communications between two parties, not directly targeting authentication endpoints with repeated login attempts.

553
MCQeasy

Which of the following is a common defense against ARP spoofing attacks on a local area network?

A.DHCP snooping
B.Port security
C.MAC filtering
D.Dynamic ARP Inspection
AnswerD

DAI validates ARP packets to prevent spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets against a trusted database (DHCP snooping binding), preventing spoofed ARP messages.

554
MCQeasy

During a security assessment, you discover that a Windows server has the Telnet service running. Which of the following is the BEST action to harden the server against this finding?

A.Configure a host-based firewall to allow Telnet only from specific IPs
B.Enable encryption on Telnet
C.Remove the Telnet service and use SSH instead
D.Audit Telnet connections in Event Viewer
AnswerC

This removes an insecure service and replaces it with a secure alternative (SSH), which is a best practice for system hardening.

Why this answer

Telnet is an unencrypted protocol that transmits credentials in cleartext. Removing unnecessary services reduces the attack surface; disabling Telnet eliminates a known vulnerability.

555
MCQmedium

An organization wants to deploy a firewall that can inspect the payload of application-layer protocols such as HTTP and FTP, and make access decisions based on application data. Which type of firewall best meets this requirement?

A.Application proxy firewall
B.Stateless packet filter
C.Next-generation firewall
D.Stateful packet filter
AnswerA

Application proxies terminate and inspect application-layer traffic.

Why this answer

An application proxy firewall (or application-layer gateway) performs deep inspection of application payloads, unlike stateless or stateful packet filters.

556
MCQeasy

Which of the following is a secure remote access VPN protocol that uses TLS for encryption and is commonly used with Cisco AnyConnect?

A.IPsec
B.SSL/TLS VPN
C.L2TP/IPsec
D.PPTP
AnswerB

SSL/TLS VPN uses TLS and is used by AnyConnect.

Why this answer

SSL/TLS VPNs use TLS to provide secure remote access, often with the AnyConnect client.

557
MCQeasy

A security administrator is implementing an access control model that assigns permissions based on the clearance of the subject and the classification of the object. Which model is being implemented?

A.Role-Based Access Control (RBAC)
B.Discretionary Access Control (DAC)
C.Attribute-Based Access Control (ABAC)
D.Mandatory Access Control (MAC)
AnswerD

MAC uses clearance and classification labels.

Why this answer

Mandatory Access Control (MAC) uses labels for subjects (clearance) and objects (classification) to enforce access decisions, commonly used in government and military environments.

558
MCQmedium

A system administrator notices that a user's account has been locked out multiple times within an hour. The admin reviews the logs and finds repeated failed login attempts from an unusual IP address. What is the BEST immediate action to mitigate further risk?

A.Disable the user account
B.Delete the failed login log entries
C.Implement a firewall rule to block the IP address
D.Reset the user's password
AnswerA

Disabling the account immediately stops further authentication attempts, preventing unauthorized access.

Why this answer

Disabling the account stops any further unauthorized access while the situation is investigated. Option D is a weak response after a lockout (resetting the password alone does not stop the attempts); B removes logs needed for investigation; C misidentifies the issue as a DoS attack from a single IP rather than an attack on the account.

559
MCQmedium

A network administrator notices that legitimate clients are unable to obtain IP addresses from the DHCP server. The network logs show a high volume of DHCP Discover messages from different MAC addresses. Which attack is most likely occurring?

A.DHCP starvation
B.DHCP spoofing
C.ARP spoofing
D.DNS amplification
AnswerA

A high volume of DHCP Discover messages from fake MACs is characteristic of a DHCP starvation attack.

Why this answer

DHCP starvation floods the network with fake DHCP Discover messages to exhaust the IP address pool, preventing legitimate clients from obtaining addresses.

560
Multi-Selectmedium

Which TWO are benefits of network segmentation using VLANs? (Choose two.)

Select 2 answers
A.Increased available bandwidth
B.Improved security through traffic isolation
C.Reduced broadcast traffic
D.Elimination of routing requirements
E.Simplified IP address management
AnswersB, C

Traffic in one VLAN cannot directly reach another VLAN.

Why this answer

VLANs segment a network into separate broadcast domains at Layer 2. By isolating traffic between VLANs, they prevent unauthorized access and contain potential threats, which directly improves security. Additionally, because each VLAN is its own broadcast domain, broadcast frames are confined to that VLAN, reducing overall broadcast traffic on the network.

Exam trap

ISC2 often tests the misconception that VLANs increase bandwidth, when in fact they only reduce unnecessary traffic (like broadcasts) but do not add physical throughput.

561
MCQhard

A security manager needs to comply with PCI DSS requirement 11.2, which mandates quarterly vulnerability scans. The company uses an external Qualified Security Assessor (QSA) for the quarterly scans. However, the internal team also performs continuous scanning. Which of the following best describes the required scan frequency?

A.Both internal and external scans must be performed quarterly
B.Scans are required only after significant changes to the network
C.Only the external scans need to be done quarterly; internal scans are optional
D.Continuous internal scanning eliminates the need for quarterly external scans
AnswerA

PCI DSS mandates quarterly internal and external vulnerability scans.

Why this answer

PCI DSS Requirement 11.2 explicitly requires both internal and external vulnerability scans to be performed at least quarterly. Even though the internal team performs continuous scanning, the external scans by a Qualified Security Assessor (QSA) must still occur quarterly to satisfy compliance. Continuous scanning does not replace the mandated quarterly external scans because the standard requires independent validation of external-facing systems.

Exam trap

The trap here is that candidates often assume continuous or frequent internal scanning can replace the mandated quarterly external scans, but PCI DSS explicitly requires both internal and external scans at the defined frequency, with external scans needing an independent assessor.

How to eliminate wrong answers

Option B is wrong because PCI DSS requires quarterly scans regardless of network changes; scans after significant changes are an additional requirement (11.2.b), not a replacement for the quarterly schedule. Option C is wrong because PCI DSS mandates both internal and external scans quarterly; internal scans are not optional. Option D is wrong because continuous internal scanning does not eliminate the need for quarterly external scans; the standard requires external scans to be performed by a qualified party (e.g., QSA) at the defined frequency, and continuous scanning is not a substitute.

562
MCQhard

A forensic analyst needs to review security events from multiple Windows servers. To ensure that logs are centrally collected and resistant to tampering, which of the following should be implemented?

A.Use Windows Event Forwarding to a central event collector
B.Store logs only on the local server and back them up weekly
C.Configure Event Viewer on each server to overwrite events as needed
D.Enable auditing of account logon events
AnswerA

This centralizes logs and can be configured to forward even when the server is compromised, preserving evidence.

Why this answer

Centralized logging with a SIEM (or similar) aggregates logs from multiple sources. Forwarding events to a central collector ensures logs are preserved even if a server is compromised.

563
MCQmedium

A vulnerability management program requires that critical vulnerabilities be remediated within 72 hours. A scanner identifies a critical vulnerability on a server, but after patching, the scanner still reports it as vulnerable. What is the most likely cause?

A.The patch was not applied correctly
B.The vulnerability is a false positive
C.The remediation SLA was not met
D.The server was not rebooted after patching
AnswerB

A false positive means the scanner incorrectly reports a vulnerability.

Why this answer

False positives are common; the scanner may incorrectly flag the vulnerability even after patching.

564
MCQeasy

Which access control model allows the owner of a resource to grant access permissions to other users?

A.RBAC (Role-Based Access Control)
B.DAC (Discretionary Access Control)
C.MAC (Mandatory Access Control)
D.ABAC (Attribute-Based Access Control)
AnswerB

Correct. DAC allows the resource owner to control access.

Why this answer

In DAC (Discretionary Access Control), the resource owner has discretion over who can access the resource. This contrasts with MAC, where access is based on labels, and RBAC/ABAC, where access is based on roles or attributes.

565
Multi-Selectmedium

During a virtualized environment security assessment, which THREE of the following are considered risks associated with virtual machine snapshots? (Select three.)

Select 3 answers
A.Snapshots may contain unpatched vulnerabilities
B.Sensitive data may persist in snapshots
C.Snapshots cause VM sprawl
D.Snapshots can be used to roll back security configurations
E.Snapshots can be used as an attack vector for VM escape
AnswersA, B, D

Snapshots are static and may lack the latest patches.

Why this answer

Snapshots can reintroduce vulnerabilities because they are not patched (A), and they may contain sensitive data that could be exposed if not secured (B). Also, snapshots can be used to roll back security controls (D). Snapshots do not cause VM sprawl (C) or VM escape (E).

566
MCQeasy

Which of the following is a key principle of the 3-2-1 backup rule?

A.Two copies on three different media types with one onsite
B.One copy on two different media types with three offsite
C.Three copies on two different media types with one offsite
D.Three copies on three different media types with two offsite
AnswerC

Correct description of the rule.

Why this answer

The 3-2-1 backup rule is a foundational data protection strategy: maintain three copies of your data (one primary and two backups), store them on two different media types (e.g., disk and tape, or local SSD and cloud object storage), and ensure at least one copy is stored offsite to protect against site-level disasters. Option C correctly captures this: three copies, two media types, one offsite.

Exam trap

The trap here is that candidates often misremember the numbers, confusing the '3' copies with '3' media types or '2' offsite, leading them to select options like A or D that sound plausible but violate the exact 3-2-1 structure.

How to eliminate wrong answers

Option A is wrong because it states 'two copies on three different media types with one onsite' — the rule requires three copies, not two, and only two different media types, not three. Option B is wrong because it says 'one copy on two different media types with three offsite' — the rule mandates three copies total, with only one offsite, not three offsite. Option D is wrong because it specifies 'three copies on three different media types with two offsite' — the rule requires only two different media types, not three, and only one offsite copy, not two.

567
MCQmedium

A hospital is implementing an access control system for its electronic health record (EHR) system. The system must comply with HIPAA regulations, which require that access to patient records is limited to personnel who need it to perform their job duties. The hospital has many roles: doctors, nurses, lab technicians, and administrative staff. Each role can access different types of records. The system currently uses a DAC model where each user sets permissions on their own files. However, a recent risk assessment identified that some nurses have been sharing their accounts with each other to access records outside their unit. The hospital wants to implement a more restrictive model that enforces access based on job roles and prevents sharing of accounts. Which access control model should the hospital adopt?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC) with clearance labels
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC) with mandatory account uniqueness
AnswerD

RBAC restricts access based on roles, and requiring unique accounts ensures no sharing; this combination directly addresses the problem.

Why this answer

Option D is correct because Role-Based Access Control (RBAC) enforces access permissions based on job roles, directly aligning with HIPAA's need-to-know principle. Mandatory account uniqueness prevents account sharing by requiring each user to have a unique identifier, eliminating the ability to share credentials. This combination provides a more restrictive, policy-driven model than DAC, which allowed users to set their own permissions and led to unauthorized access.

Exam trap

The trap here is that candidates may choose ABAC (Option A) because it seems more flexible and modern, but they overlook that RBAC with mandatory account uniqueness directly addresses the account-sharing issue and is the simplest, most compliant model for role-based healthcare access under HIPAA.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses attributes (e.g., time, location, patient relationship) to grant access, which is more granular than needed and does not inherently enforce mandatory account uniqueness to prevent sharing. Option B is wrong because Mandatory Access Control (MAC) with clearance labels is designed for classified environments (e.g., military) using security labels and clearances, not for healthcare roles; it would require labeling all patients and users, which is impractical and does not directly address account sharing. Option C is wrong because Discretionary Access Control (DAC) is the current model that allows users to set permissions on their own files, which led to the account-sharing problem; it is the opposite of the restrictive model needed.

568
MCQmedium

During a risk assessment, a company identifies that a legacy system cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk response strategy is most appropriate initially?

A.Avoid the risk by decommissioning the system immediately
B.Transfer the risk by purchasing cyber insurance
C.Accept the risk without any further action
D.Mitigate the risk by implementing compensating controls
AnswerD

Compensating controls such as network segmentation and strict access controls can reduce the risk even if the system cannot be patched.

Why this answer

Option D is correct because when a legacy system cannot be patched due to vendor end-of-life, the most appropriate initial risk response is to implement compensating controls. Compensating controls, such as network segmentation, strict access controls, or an intrusion detection system, reduce the likelihood or impact of exploitation without requiring a patch. This approach balances operational necessity with security, as immediate decommissioning (avoidance) may be infeasible for a critical system.

Exam trap

The trap here is that candidates often confuse risk acceptance with passive inaction, but the SSCP exam expects that acceptance must be a deliberate decision with documented justification and often paired with compensating controls, not simply ignoring the risk.

How to eliminate wrong answers

Option A is wrong because decommissioning a critical system immediately would disrupt operations, and risk avoidance is not appropriate when the system is essential to business functions; the goal is to manage risk, not eliminate it at the cost of operations. Option B is wrong because transferring risk via cyber insurance does not reduce the technical vulnerability; it only provides financial compensation after a breach, which does not address the immediate security gap. Option C is wrong because accepting the risk without any further action is negligent; while acceptance is a valid strategy, it requires documented understanding and often compensating controls, not passive inaction.

569
MCQeasy

Which of the following is the primary purpose of network segmentation?

A.Increase bandwidth
B.Improve network performance
C.Simplify IP address management
D.Enhance security by isolating sensitive systems
E.Reduce hardware cost
AnswerD

Segmentation limits the scope of attacks and protects sensitive data.

Why this answer

Option D is correct because network segmentation enhances security by isolating sensitive systems and limiting lateral movement. Option A is incorrect because segmentation does not directly increase bandwidth. Option B is incorrect because, while performance may improve due to reduced broadcast domains, security is the primary goal.

Option C is incorrect because segmentation can complicate IP management. Option E is incorrect because segmentation often increases hardware cost.

570
Multi-Selectmedium

Which TWO of the following are effective controls to prevent buffer overflow attacks? (Choose two.)

Select 2 answers
A.Input validation to reject long inputs
B.Address Space Layout Randomization (ASLR)
C.Code obfuscation
D.Non-executable stack (NX bit)
E.Stack canaries
AnswersB, D

ASLR randomizes memory addresses, making it harder to predict target addresses.

Why this answer

Address Space Layout Randomization (ASLR) is a memory protection technique that randomizes the base addresses of executable modules, heap, and stack regions. This makes it significantly harder for an attacker to predict the memory addresses needed to inject and execute shellcode, thereby mitigating many buffer overflow exploits that rely on fixed address references.

Exam trap

ISC2 often tests the misconception that input validation alone is sufficient to prevent buffer overflows, or that stack canaries are a primary control rather than a detection mechanism, leading candidates to select them instead of the memory protection controls ASLR and NX bit.

571
MCQeasy

During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?

A.Threat
B.Risk
C.Exploit
D.Vulnerability
AnswerD

The missing backup is a weakness that could lead to data loss.

Why this answer

A vulnerability is a weakness in a system that can be exploited by a threat. The database server missing from the backup schedule represents a weakness in the organization's data protection and disaster recovery posture, making it susceptible to data loss. This absence of a control (backup) is a classic example of a vulnerability, not an active threat or an exploit.

Exam trap

ISC2 often tests the distinction between a vulnerability (a weakness) and a threat (a potential danger), tricking candidates into selecting 'Threat' because they associate the missing backup with a potential data loss event, rather than recognizing it as the underlying weakness.

How to eliminate wrong answers

Option A is wrong because a threat is a potential event or actor (like a ransomware attack or a natural disaster) that could cause harm, not the absence of a backup. Option B is wrong because risk is the potential for loss or damage when a threat exploits a vulnerability; the missing backup is the vulnerability itself, not the calculated risk. Option C is wrong because an exploit is a specific method or code used to take advantage of a vulnerability (e.g., a SQL injection payload), not the condition of being unbacked.

572
MCQmedium

A company wants to implement a firewall that can track the state of network connections and make decisions based on the context of traffic (e.g., allowing return packets for an established connection). Which type of firewall should they choose?

A.Application proxy firewall
B.Stateless packet filter
C.Next-generation firewall
D.Stateful firewall
AnswerD

A stateful firewall tracks connection state and allows return traffic accordingly.

Why this answer

Stateful firewalls maintain connection state tables and allow return traffic for established sessions.

573
Multi-Selecthard

Which THREE of the following are key steps in performing a business impact analysis (BIA)?

Select 3 answers
A.Assigning likelihood ratings to threats
B.Selecting backup and recovery solutions
C.Assessing the financial and operational impact of disruptions
D.Identifying critical business processes
E.Determining maximum tolerable downtime (MTD)
AnswersC, D, E

Impact analysis is central to BIA.

Why this answer

Option C is correct because assessing the financial and operational impact of disruptions is a core step in a business impact analysis (BIA). The BIA focuses on quantifying the consequences of losing business functions, including revenue loss, regulatory fines, and reputational damage, rather than evaluating threat likelihood or selecting recovery solutions.

Exam trap

ISC2 often tests the distinction between BIA steps (impact-focused) and risk assessment steps (likelihood-focused), leading candidates to mistakenly include threat likelihood ratings as a BIA step.

574
Multi-Selecteasy

A security analyst notices unusual outbound traffic from a server. Which TWO actions should be taken immediately as part of the incident response process?

Select 2 answers
A.Conduct a full vulnerability scan on the system.
B.Isolate the affected system from the network.
C.Reimage the system to remove any malware.
D.Capture memory and network traffic for analysis.
E.Notify law enforcement authorities.
AnswersB, D

Isolation is a critical immediate step to contain the incident.

Why this answer

Isolating the affected system (B) prevents further damage or data exfiltration. Capturing memory and network traffic (D) preserves volatile evidence for analysis. Reimaging (C) is premature before investigation.

Notifying law enforcement (E) is not an immediate step. Vulnerability scanning (A) is part of post-incident analysis, not immediate.

575
MCQmedium

The security team discovers that a user in the finance department can read files in the human resources share. The share permissions on the HR folder are set to deny all except the HR group, and the user is not a member of HR. What is the most likely cause?

A.The user is logging on locally to the server where the files are stored
B.The user is an administrator on the file server
C.The user is using a different file server for HR files
D.The user's token includes a group that has been explicitly denied
AnswerA

Share permissions only apply to network access; local access is governed by NTFS permissions alone, which may allow the user.

Why this answer

When a user logs on locally to the file server, Windows evaluates NTFS permissions directly, bypassing share permissions entirely. Share permissions only apply to network access via SMB, so a local logon allows the user to read files if NTFS permissions grant access, even if share permissions deny all except the HR group.

Exam trap

ISC2 often tests the distinction between share permissions and NTFS permissions, specifically that share permissions only apply to network access, not local logons, leading candidates to overlook the local logon scenario.

How to eliminate wrong answers

Option B is wrong because being an administrator on the file server does not automatically grant read access to files if the NTFS permissions explicitly deny the user or their groups; administrators can take ownership or override permissions, but the most likely cause in this scenario is local logon, not administrative privilege. Option C is wrong because using a different file server would not grant access to files on the original HR share; the user would need appropriate permissions on that specific server. Option D is wrong because if the user's token included a group explicitly denied, that deny would block access, not allow it; the scenario describes the user being able to read files despite not being in the HR group.

576
MCQmedium

An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC)
C.Role-Based Access Control (RBAC)
D.Discretionary Access Control (DAC)
AnswerD

DAC allows data owners to grant access to others at their discretion.

Why this answer

Discretionary Access Control (DAC) is the correct model because it allows data owners (the users who create or own the resource) to decide who can access their resources. In DAC, the owner sets permissions (e.g., read, write, execute) on objects like files or directories, typically using Access Control Lists (ACLs). This directly matches the requirement where data owners control access decisions.

Exam trap

ISC2 often tests the misconception that 'data owners decide' implies a role-based or attribute-based model, but the key distinction is that DAC explicitly grants ownership-based control, while RBAC and ABAC centralize decisions with administrators or policies.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses policies based on attributes (e.g., user role, time, location) evaluated by a central policy engine, not by the data owner. Option B is wrong because Mandatory Access Control (MAC) enforces system-wide policies set by a central authority (e.g., security labels like Top Secret), and users (including data owners) cannot override these rules. Option C is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'Manager'), and access decisions are made by administrators, not by the data owner.

577
Multi-Selecthard

During a post-incident review of a data breach, the incident response team is evaluating the chain of custody for forensic evidence. Which THREE practices demonstrate proper evidence handling? (Choose three.)

Select 3 answers
A.The original hard drive was used directly for analysis to avoid delays.
B.A write blocker was used when creating a forensic image of the disk.
C.MD5 hashes were computed only after the analysis was complete.
D.The forensic image was verified by comparing its hash to the hash of the original disk.
E.Each person who handled the evidence documented their name, date, time, and purpose.
AnswersB, D, E

Write blockers prevent any accidental writes to the original evidence during imaging.

Why this answer

Option B is correct because a write blocker is a hardware or software device that prevents any write operations to the original evidence drive during forensic imaging. This ensures the integrity of the original evidence by blocking all commands that could modify data, such as write, erase, or format commands, while allowing read-only access for creating a bit-for-bit copy.

Exam trap

Cisco often tests the misconception that hashing can be done at any point during the investigation, but the trap is that integrity verification must occur before analysis begins to establish a baseline, not after the fact.

578
MCQhard

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?

A.Unauthorized deletion of objects
B.Lack of encryption at rest
C.Inability to audit access
D.Exposure of bucket contents to the public
AnswerD

The ListBucket action with Principal "*" allows anyone to enumerate objects.

Why this answer

The S3 bucket policy grants public access via a Principal of '*' and an Effect of 'Allow' for the 's3:GetObject' action, which means any unauthenticated user on the internet can read objects in the bucket. This directly exposes the bucket contents to the public, making option D correct.

Exam trap

ISC2 often tests the distinction between read access (GetObject) and write/delete access (PutObject, DeleteObject), so candidates may mistakenly think any public access implies deletion risk, but the policy explicitly only allows reading.

How to eliminate wrong answers

Option A is wrong because the policy only allows 's3:GetObject' (read) and does not include 's3:DeleteObject' or any write/delete actions, so unauthorized deletion is not introduced. Option B is wrong because the policy does not address encryption settings at all; encryption at rest is a separate configuration (e.g., SSE-S3, SSE-KMS) and is not impacted by this access control policy. Option C is wrong because the policy does not disable or affect CloudTrail or other audit logging; auditing remains possible regardless of this policy, though the policy itself does not enable or disable it.

579
MCQeasy

What is the primary purpose of a Privileged Access Management (PAM) solution?

A.Controlling and monitoring access to privileged accounts
B.Managing user password resets
C.Implementing single sign-on for all applications
D.Enforcing password complexity policies
AnswerA

PAM provides vaulting, session recording, and just-in-time access for privileged accounts.

Why this answer

PAM solutions focus on securing, managing, and monitoring privileged accounts to reduce the risk of misuse.

580
MCQmedium

An alert shows a successful login from an unusual geographic location. Which of the following is the BEST initial response?

A.Disable the user account
B.Contact the user to verify the login
C.Block the source IP address
D.Reset the user's password
AnswerA

Immediate containment to stop ongoing unauthorized access.

Why this answer

Option A is correct because disabling the account immediately prevents further unauthorized access while the incident is investigated. Option B is premature without confirmation of compromise. Option C may be done after disabling.

Option D is too slow as the first step.

581
MCQeasy

An organization uses smart cards combined with a PIN to access secure facilities. This is an example of which type of authentication factor?

A.Token-based authentication
B.Single-factor authentication
C.Two-factor authentication
D.Biometric authentication
AnswerC

Combining something you have (smart card) with something you know (PIN) is a classic definition of two-factor authentication.

Why this answer

Smart cards are a possession factor (something you have), and the PIN is a knowledge factor (something you know). Combining both satisfies the requirement for two distinct authentication factors, making this a textbook example of two-factor authentication (2FA). This is not single-factor because two separate categories of credentials are used, and it is not biometric because no physical characteristic is measured.

Exam trap

The trap here is that candidates often confuse 'something you have' (possession factor) with 'something you know' (knowledge factor) and mistakenly classify the combination as single-factor because they think the smart card alone is the authentication, ignoring that the PIN adds a second distinct factor.

How to eliminate wrong answers

Option A is wrong because token-based authentication typically refers to a device that generates a one-time password (OTP) or cryptographic token, not a smart card with a PIN; while a smart card can be considered a token, the combination with a PIN specifically makes it two-factor, not merely token-based. Option B is wrong because single-factor authentication uses only one category of credential (e.g., just a password or just a smart card), but here both a smart card (possession) and a PIN (knowledge) are required, so it is multi-factor. Option D is wrong because biometric authentication relies on unique physical traits such as fingerprints, iris patterns, or voice recognition, not on a smart card and PIN combination.

582
MCQmedium

A company has implemented a new vulnerability scanner and the first scan reports 200 vulnerabilities. The security team needs to prioritize remediation. Which approach should they use first?

A.Remediate only vulnerabilities that are exploitable from the internet
B.Wait for the next scan to confirm the results before action
C.Prioritize based on CVSS score, starting with critical and high severity
D.Remediate all vulnerabilities in alphabetical order by CVE ID
AnswerC

CVSS scores provide a standardized severity rating; focusing on critical/high vulnerabilities aligns with risk management.

Why this answer

Option C is correct because the Common Vulnerability Scoring System (CVSS) provides a standardized, industry-accepted method for rating vulnerability severity based on exploitability, impact, and other metrics. Prioritizing critical and high CVSS scores (e.g., 9.0-10.0 and 7.0-8.9) ensures the team addresses vulnerabilities with the highest potential for damage and exploitation first, which is a fundamental risk-based remediation strategy. This approach aligns with the NIST SP 800-40 guidance on prioritizing vulnerabilities by risk, not by arbitrary ordering or waiting for confirmation.

Exam trap

The trap here is that candidates may think waiting for a second scan (Option B) is prudent to avoid false positives, but the SSCP exam emphasizes proactive risk management and immediate prioritization based on severity, not delaying action.

How to eliminate wrong answers

Option A is wrong because focusing solely on internet-exploitable vulnerabilities ignores internal threats, such as lateral movement by an attacker who has already breached the perimeter, or vulnerabilities in critical internal systems that could be exploited by insiders or via phishing. Option B is wrong because waiting for a second scan delays remediation unnecessarily; vulnerability scanners can produce false positives, but the correct first step is to validate and prioritize based on severity, not to defer action entirely. Option D is wrong because remediating in alphabetical order by CVE ID is arbitrary and ignores the actual risk level, potentially leaving critical vulnerabilities unpatched while wasting resources on low-severity issues.

583
MCQeasy

According to the shared responsibility model in cloud computing, which security responsibility belongs to the customer in a SaaS deployment?

A.Physical security of data centers
B.Securing the application code
C.Data classification and access controls
D.Managing the underlying operating system
AnswerC

Data security is a customer responsibility in all cloud models.

Why this answer

In SaaS, the customer is responsible for securing their data, including classification, access controls, and encryption of data at rest and in transit.

584
MCQeasy

Refer to the exhibit. Which component of the cipher suite provides perfect forward secrecy?

A.ECDHE
B.TLS 1.2
C.AES256-GCM
D.SHA384
AnswerA

ECDHE uses ephemeral keys, ensuring forward secrecy.

Why this answer

ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) provides perfect forward secrecy (PFS) because it generates a unique, ephemeral session key for each TLS session. If the long-term private key is compromised, past session keys cannot be derived, as the ephemeral keys are discarded after use. This is defined in RFC 4492 and is a core property of ephemeral Diffie-Hellman key exchange.

Exam trap

ISC2 often tests the distinction between the protocol version (TLS 1.2) and the cipher suite components that actually implement PFS, leading candidates to incorrectly select TLS 1.2 because they associate it with modern security features.

How to eliminate wrong answers

Option B (TLS 1.2) is wrong because TLS 1.2 is a protocol version, not a component that provides PFS; it can support PFS if ECDHE or DHE cipher suites are negotiated, but the protocol itself does not guarantee PFS. Option C (AES256-GCM) is wrong because AES256-GCM is a symmetric encryption and authenticated encryption algorithm (AEAD) that protects data confidentiality and integrity, but it does not influence key exchange or provide PFS. Option D (SHA384) is wrong because SHA384 is a hash function used for message authentication in HMAC or for integrity checks in TLS, and it has no role in establishing ephemeral keys or PFS.

585
Multi-Selecthard

A security team is implementing a vulnerability management program. According to industry best practices, which THREE of the following are essential components of a mature vulnerability management process?

Select 3 answers
A.Manual patch management
B.Quarterly vulnerability scans
C.False positive management process
D.Remediation SLAs based on severity
E.Continuous scanning capability
AnswersC, D, E

Managing false positives prevents wasted effort.

Why this answer

Option C is correct because a false positive management process is essential for a mature vulnerability management program. Without it, security teams waste resources chasing non-existent vulnerabilities, leading to alert fatigue and missed genuine threats. A formal process to validate, document, and reduce false positives ensures scan results are actionable and trust in the program is maintained.

Exam trap

Cisco often tests the misconception that quarterly scans are sufficient for compliance, but a mature program requires continuous or frequent scanning to address the rapid pace of vulnerability disclosures and changes in the attack surface.

586
MCQeasy

What is the primary purpose of account deprovisioning?

A.To revoke access and disable accounts when no longer needed
B.To create new user accounts
C.To audit user activity
D.To modify user roles
AnswerA

Deprovisioning removes access rights and disables accounts.

Why this answer

Deprovisioning ensures that when an employee leaves or changes roles, access is removed promptly to prevent unauthorized use.

587
MCQeasy

A system administrator needs to assign permissions to a new employee who will be performing database backups. The employee should only be able to execute the backup command but not read or modify the data. Which access control principle should be applied?

A.Need to know
B.Least privilege
C.Separation of duties
D.Defense in depth
AnswerB

Least privilege grants only the permissions required to perform the job.

Why this answer

The least privilege principle dictates that a user should be granted only the minimum permissions necessary to perform their job function. In this scenario, the employee needs only the ability to execute the backup command (e.g., using a tool like `pg_dump` or `mysqldump` with a read-only snapshot), not read or modify the underlying data files. Applying least privilege ensures the backup process can run without granting broader SELECT or FILE privileges that would allow data access or alteration.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need to know' because both limit access, but least privilege focuses on the minimum permissions to perform an action (execute a command), while need to know focuses on whether the user requires access to specific data content.

How to eliminate wrong answers

Option A is wrong because 'need to know' is a confidentiality principle that restricts access to information based on whether the user requires that specific data to perform their duties, not the minimum permissions to execute a command; it does not address the granularity of execute-only versus read/modify. Option C is wrong because separation of duties divides critical tasks among multiple people to prevent fraud (e.g., the backup operator cannot also restore), but the question is about limiting the backup operator's own permissions, not splitting tasks. Option D is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS, encryption), not a principle for assigning a single user's permissions to a specific command.

588
MCQmedium

A security team is implementing Network Access Control (NAC) to enforce endpoint compliance before granting network access. Which technology allows port-based authentication on wired networks?

A.RADIUS
B.WPA2-Enterprise
C.802.1X
D.MAC filtering
AnswerC

802.1X provides port-based authentication for wired networks.

Why this answer

802.1X is the IEEE standard for port-based network access control, commonly used with RADIUS for authentication.

589
MCQhard

After a patch is deployed to a critical server, the system becomes unstable. The change management plan includes a rollback procedure. What should be done FIRST?

A.Create a new change request for the rollback
B.Conduct a post-implementation review
C.Execute the rollback procedure
D.Notify the Change Advisory Board
AnswerC

Correct. Rollback is the immediate corrective action.

Why this answer

When a patch deployment causes system instability, the immediate priority is to restore service stability by executing the pre-approved rollback procedure. The change management plan already includes this procedure, so no new approvals are needed; acting quickly minimizes downtime and risk.

Exam trap

The trap here is that candidates confuse the structured change management process with emergency response, thinking they must follow the full approval chain again, when in fact the rollback is already approved as part of the original change plan.

How to eliminate wrong answers

Option A is wrong because creating a new change request would introduce unnecessary delay; the rollback is already authorized under the original change plan. Option B is wrong because a post-implementation review is conducted after stability is restored, not during an active incident. Option D is wrong because notifying the Change Advisory Board (CAB) is not the first action; the rollback should be executed immediately, and notification can follow as per the plan.

590
MCQmedium

A database administrator notices unusual queries that seem to be trying to extract data via SQL injection. The application uses parameterized queries for most queries, but some dynamic queries are built using string concatenation. What is the BEST remediation?

A.Restrict database user permissions to only necessary tables
B.Implement strict input validation for all user inputs
C.Deploy a web application firewall (WAF) in front of the application
D.Rewrite all dynamic queries to use parameterized queries
AnswerD

Parameterized queries prevent interpretation of user input as SQL code.

Why this answer

Option D is correct because converting all dynamic queries to parameterized queries eliminates the possibility of SQL injection. Option B is wrong because input validation alone is insufficient if string concatenation is still used. Option C is wrong because a WAF is a detection/blocking control, not a code-level fix.

Option A is wrong because least privilege reduces the impact of an injection but does not prevent it.

591
MCQmedium

A security team uses a risk matrix with likelihood (Low, Medium, High) and impact (Low, Medium, High). A vulnerability scan finds a buffer overflow in a customer-facing web application. The application is not critical but has high availability requirements. The likelihood of exploitation is considered Medium due to internal network segmentation. What is the risk level?

A.Medium
B.Extreme
C.High
D.Low
AnswerC

Standard 3x3 risk matrix: Medium likelihood + High impact = High risk.

Why this answer

The risk level is High because the likelihood is Medium (due to internal network segmentation reducing but not eliminating the chance of exploitation) and the impact is High (the application has high availability requirements, so a buffer overflow could cause a denial of service or code execution, severely affecting availability). In a standard 3x3 risk matrix, Medium likelihood combined with High impact yields a High risk rating.

Exam trap

ISC2 often tests the misconception that internal network segmentation automatically lowers the risk to Medium or Low, but the high availability requirement elevates the impact, resulting in a High risk level despite the reduced likelihood.

How to eliminate wrong answers

Option A is wrong because Medium risk would require either Low likelihood with High impact, or Medium likelihood with Medium impact, but here the impact is High due to the application's high availability requirements. Option B is wrong because Extreme risk typically requires both High likelihood and High impact, or a combination like High likelihood with Medium impact in some matrices, but the likelihood is only Medium. Option D is wrong because Low risk would require Low likelihood and Low impact, or Low likelihood with Medium impact, but the impact is High and the likelihood is Medium.

592
MCQeasy

A small business wants to implement an access control system where employees can access files based on their department (e.g., HR, Finance). They want simplicity and ease of administration. Which access control model is BEST suited?

A.Mandatory Access Control (MAC)
B.Attribute-Based Access Control (ABAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerD

RBAC assigns permissions to roles, and users are assigned roles based on their department, providing a straightforward and manageable solution.

Why this answer

Role-Based Access Control (RBAC) is best suited because it maps access permissions directly to job functions (roles) such as HR or Finance, rather than to individual users. This simplifies administration: when an employee changes departments, the administrator simply updates their role assignment, and all associated permissions are automatically applied or revoked. RBAC is designed for environments where access decisions are based on organizational roles, providing a balance of security and ease of management.

Exam trap

The trap here is that candidates often confuse RBAC with DAC because both involve user-based permissions, but RBAC centralizes control through roles while DAC delegates control to individual resource owners, making RBAC the correct choice for department-based access.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) uses system-enforced labels (e.g., security classifications like Top Secret) and is typically used in military or high-security environments, not for simple department-based access in a small business. Option B is wrong because Attribute-Based Access Control (ABAC) evaluates multiple attributes (e.g., time, location, resource type) using policy rules, which adds complexity and administrative overhead beyond what is needed for straightforward department-based access. Option C is wrong because Discretionary Access Control (DAC) allows individual users to control access to their own files (e.g., via file permissions), which does not scale well for department-wide access and can lead to inconsistent enforcement.

593
MCQeasy

Which of the following physical security controls is designed to prevent tailgating by requiring two doors to be interlocked?

A.Security guard
B.Biometric reader
C.Mantrap
D.CCTV
AnswerC

A mantrap uses two interlocking doors to control access and prevent tailgating.

Why this answer

A mantrap is a physical security control consisting of two interlocking doors that create a small vestibule. Only one door can be opened at a time, preventing an unauthorized person from following an authorized person through a single entry point (tailgating). This design forces each individual to be authenticated before the second door unlocks, ensuring only one person passes per authentication event.

Exam trap

The trap here is that candidates confuse a mantrap with a simple turnstile or revolving door, which also limit passage but do not require two interlocked doors; the key distinction is the interlocking mechanism that prevents both doors from being open simultaneously.

How to eliminate wrong answers

Option A is wrong because a security guard can deter tailgating through observation but does not mechanically enforce the interlocking of two doors; tailgating can still occur if the guard is distracted. Option B is wrong because a biometric reader authenticates identity but does not physically prevent a second person from slipping through the same door; it lacks the interlocking door mechanism. Option D is wrong because CCTV provides surveillance and recording of tailgating incidents but does not actively prevent the act; it is a detective control, not a preventive one.

594
MCQhard

A financial services organization deploys a new web application that allows customers to check account balances and transfer funds. The application uses a RESTful API with JSON payloads. Shortly after deployment, the security team notices unusual traffic patterns: many requests contain excessively long JSON strings in the 'amount' field, and some of these requests return 500 Internal Server Errors. The application logs show that these requests cause high CPU usage on the application server. The developers confirm that the input validation only checks for negative numbers and characters. Which type of attack is most likely occurring, and what is the best immediate mitigation?

A.The attack is a brute-force attempt on the amount field; implement rate limiting.
B.The attack is cross-site scripting; sanitize output.
C.The attack is a Denial of Service using large payloads; implement input size limits and validation.
D.The attack is SQL injection; use parameterized queries.
AnswerC

Large JSON payloads can exhaust server resources; validation should restrict field sizes.

Why this answer

Option C is correct because the symptoms indicate a Denial of Service attack via large payloads that consume server resources. Input validation should reject oversized inputs. Option A is incorrect because brute force would not cause high CPU usage from large payloads.

Option D is incorrect because SQL injection would likely return specific error messages rather than 500s from CPU exhaustion. Option B is incorrect because XSS targets browser execution, not server CPU.

595
Multi-Selecthard

Which TWO protocols are used to secure email communication at the message level?

Select 2 answers
A.IPsec
B.PGP
C.S/MIME
D.SSL/TLS
E.SSH
AnswersB, C

Both provide encryption and signing for email.

Why this answer

PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions) are the two primary protocols that secure email at the message level. They encrypt the entire email body and attachments, ensuring end-to-end confidentiality and integrity regardless of the transport path. PGP uses a web of trust model, while S/MIME relies on a hierarchical public key infrastructure (PKI) with X.509 certificates.

Exam trap

ISC2 often tests the distinction between transport-layer security (SSL/TLS) and message-level security (PGP/S/MIME), so candidates mistakenly choose SSL/TLS because they associate it with email security (e.g., SMTPS), but it does not provide end-to-end message encryption.

596
MCQhard

During a risk assessment, a company identifies that a legacy system has a known CVE with a CVSS score of 9.8. The system is critical but cannot be patched immediately. The management decides to implement strict network segmentation and monitor the system continuously. This risk response is best described as:

A.Risk acceptance
B.Risk avoidance
C.Risk transfer
D.Risk mitigation
AnswerD

Correct: Mitigation reduces risk through controls like segmentation and monitoring.

Why this answer

The correct answer is D, risk mitigation, because the company is implementing strict network segmentation and continuous monitoring to reduce the likelihood and impact of the vulnerability being exploited. This reduces the risk without eliminating it entirely, which is the essence of mitigation. The CVSS score of 9.8 indicates critical severity, and the controls (e.g., ACLs, VLANs, IDS/IPS) directly address the attack surface.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk acceptance' because the system remains vulnerable, but the key distinction is that active controls are applied to reduce risk, not merely acknowledged.

How to eliminate wrong answers

Option A is wrong because risk acceptance would involve acknowledging the risk without taking any active controls, but here the company actively deploys segmentation and monitoring. Option B is wrong because risk avoidance would require removing the system or ceasing its operation entirely, which is not done since the system remains in use. Option C is wrong because risk transfer would involve shifting the financial burden or liability to a third party (e.g., insurance or outsourcing), not implementing technical controls.

597
MCQmedium

Which of the following encryption protocols should be used to secure wireless traffic in an enterprise environment?

A.WPA3-Enterprise
B.WEP
C.WPA3-PSK
D.WPA2-PSK
E.WPA2-Enterprise
AnswerA

Provides the strongest security with 802.1X authentication and GCMP-256 encryption.

Why this answer

WPA3-Enterprise is the correct choice because it provides the highest level of security for enterprise wireless networks, incorporating mandatory 192-bit Suite B cryptographic suites (AES-256 in GCM mode, HMAC-SHA384, and ECDHE key exchange) to protect against offline dictionary attacks, forward secrecy, and brute-force attempts. It also uses Simultaneous Authentication of Equals (SAE) for the handshake, replacing the vulnerable 4-way handshake of WPA2, and supports 802.1X/EAP authentication with RADIUS for centralized user management.

Exam trap

ISC2 often tests the distinction between 'PSK' and 'Enterprise' modes, trapping candidates who see 'WPA3' and assume it is always best, but the question's 'enterprise environment' requirement specifically demands the Enterprise mode (with 802.1X/RADIUS), not the PSK variant, even though both use SAE.

How to eliminate wrong answers

Option B (WEP) is wrong because it uses the insecure RC4 stream cipher with a static 40- or 104-bit key, making it trivially crackable with tools like aircrack-ng in minutes. Option C (WPA3-PSK) is wrong because it uses a pre-shared key (PSK) mode, which lacks the per-user authentication and centralized management required in an enterprise environment, and is more suited for small office/home office (SOHO) deployments. Option D (WPA2-PSK) is wrong because it relies on the vulnerable 4-way handshake with a pre-shared key, making it susceptible to offline dictionary attacks (e.g., using hashcat) and KRACK attacks, and it lacks enterprise-grade user authentication.

Option E (WPA2-Enterprise) is wrong because while it supports 802.1X/EAP, it uses the older 4-way handshake which is vulnerable to KRACK (CVE-2017-13077) and lacks forward secrecy and the stronger cryptographic suites mandated in WPA3-Enterprise.

598
MCQmedium

A security administrator needs to ensure that only authorized personnel can reset user passwords in Active Directory. Which of the following is the BEST method to delegate this responsibility without granting unnecessary privileges?

A.Place the personnel in the Account Operators group.
B.Add the personnel to the Domain Admins group.
C.Use Delegation of Control wizard to assign the 'Reset user passwords and force password change at next logon' permission.
D.Give the personnel physical access to the domain controller.
AnswerC

This provides exactly the needed permission without extra rights.

Why this answer

The Delegation of Control wizard allows granular assignment of specific Active Directory permissions, such as 'Reset user passwords and force password change at next logon', without granting broader administrative rights. Under the hood that task writes two access control entries on the chosen OU, scoped to descendant user objects: the 'Reset Password' extended right and read/write access to the pwdLastSet attribute (setting pwdLastSet to 0 is what forces a change at next logon). This follows the principle of least privilege by limiting the delegated personnel to exactly that task, on exactly those objects, and it can be audited by reading the OU's ACL.

Exam trap

The trap here is that candidates often assume built-in groups like Account Operators are the simplest delegation method, overlooking that they grant far more permissions than the specific task requires, which is a common violation of the principle of least privilege tested on the SSCP.

How to eliminate wrong answers

Option A is wrong because the Account Operators group can create, delete, and modify most user accounts and groups across the whole domain and can log on locally to domain controllers; it includes the ability to reset passwords but grants far more than the task requires. Option B is wrong because Domain Admins have full administrative control over the entire domain, including all user and computer objects, which is far more privilege than needed and violates least privilege. Option D is wrong because physical access to a domain controller is not a delegation mechanism at all; it is effectively a full domain compromise (booting alternate media gives offline access to the ntds.dit database and every credential in it), the opposite of least privilege.
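Added example (not part of the question bank): the two ACEs that the wizard's 'Reset user passwords and force password change at next logon' task writes, applied with PowerShell so the delegation is explicit and auditable. The domain (corp.example), the OU and the group name are assumptions made for the example; the three GUIDs are the fixed schema and extended-right identifiers and are identical in every forest.

```powershell
# Added example (hypothetical names): delegate only "reset password" on one OU.
# Assumed environment: domain corp.example, OU "Helpdesk Users", group CORP\HelpdeskPwdReset.
Import-Module ActiveDirectory

$ou    = 'OU=Helpdesk Users,DC=corp,DC=example'   # assumed target OU
$group = 'CORP\HelpdeskPwdReset'                  # assumed delegation group
$sid   = ([System.Security.Principal.NTAccount]$group).Translate([System.Security.Principal.SecurityIdentifier])

# Fixed AD identifiers: these GUIDs are the same in every forest
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of objectClass "user"
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"
$pwdLastSet = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET's spelling
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: the "Reset Password" extended right, applied only to user objects under the OU.
# This is what lets the helpdesk set a new password without knowing the old one.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow, $resetPwd, $inherit, $userClass))

# ACE 2: read/write pwdLastSet on the same objects.
# "Force password change at next logon" is implemented by writing pwdLastSet = 0.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $pwdLastSet, $inherit, $userClass))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: the group should hold exactly these two entries on the OU and nothing else.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType
```

Run it as an account that may modify the OU's security descriptor. The final check should list exactly two entries for the group; anything more means the delegation is broader than the task. Keep the target OU free of privileged accounts: whoever can reset a password owns that account, so this right must never be granted over admin or Tier 0 OUs.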

599
Multi-Selectmedium

During a wireless site survey, a security engineer identifies several security weaknesses. Which TWO measures should be implemented to improve wireless security for a corporate network using WPA2-Enterprise?

Select 2 answers
A.Use 802.1X authentication with EAP-TLS and certificate-based authentication
B.Implement MAC address filtering to allow only known devices
C.Disable SSID broadcast to hide the network
D.Ensure the RADIUS server uses a trusted certificate and validate client certificates
E.Enable WPS for easy client configuration
AnswersA, D

EAP-TLS gives certificate-based mutual authentication, and it only holds up if clients validate the RADIUS server's certificate.

Why this answer

Option A moves authentication from passwords to client certificates: the supplicant proves possession of its private key, the RADIUS server proves its identity with its own certificate, and no reusable secret crosses the air. Option D closes the gap that undermines every EAP method in practice: if supplicants do not trust only the enterprise CA (and, ideally, check the expected server name), an attacker can broadcast an evil-twin SSID backed by a rogue RADIUS server; the client will complete the EAP exchange with it, and with password-based methods such as PEAP/MSCHAPv2 that hands the attacker a crackable challenge-response. The server, in turn, must verify that each client certificate chains to the enterprise CA and has not been revoked, so a stolen or expired certificate cannot be used to join.

Exam trap

Options B and C are the classic security-through-obscurity distractors; the exam wants the controls that authenticate, not the ones that hide.

How to eliminate wrong answers

Option B is wrong because MAC addresses are sent in the clear in every frame and can be cloned with a single command (for example ip link set dev wlan0 address 00:11:22:33:44:55), so filtering stops nothing. Option C is wrong because a hidden SSID still appears in probe responses and association requests, and it makes your clients broadcast the SSID in probe requests wherever they roam, which helps an attacker target them. Option E is wrong because WPS PIN registration verifies the two halves of the 8-digit PIN independently, cutting a brute-force attack to roughly 11,000 attempts (tools such as Reaver automate this), and it adds nothing to an 802.1X network.

600
MCQeasy

Which of the following is the FIRST step in the volatile evidence collection order when responding to an incident on a live system?

A.Capture a RAM dump using a tool like Magnet RAM Capture or WinPmem
B.Disconnect the system from the network
C.Run antivirus scans to identify malware
D.Create a forensic image of the hard drive
AnswerA

Memory is the most volatile; capturing it first preserves running processes, network connections, and encryption keys.

Why this answer

Volatile evidence is collected in order of volatility (RFC 3227): CPU registers and cache, then system memory (running processes, open network connections, loaded drivers, cleartext keys and in-memory malware), then network and process state, then disk. Pulling the network cable first tears down the connection state you want to record and can trigger malware that reacts to loss of connectivity, and powering down destroys RAM entirely, so the RAM dump comes first. Write the image to external media rather than the suspect disk, record its hash, and note the tool and version used, because the acquisition tool itself leaves a small footprint in memory that the examiner must be able to account for.
