Systems Security Certified Practitioner SSCP (SSCP) — Questions 601–675

991 questions total · 14 pages · All types, answers revealed


Page 9 of 14

601
MCQ · medium

A software developer wants to ensure the authenticity and integrity of an API request but does not require non-repudiation. Which cryptographic method should be used?

A. Digital signature using RSA
B. Symmetric encryption with CBC mode
C. Hash-based message authentication code (HMAC)
D. Elliptic curve Diffie-Hellman (ECDH)
Answer: C

HMAC verifies authenticity and integrity without non-repudiation.

Why this answer

HMAC uses a shared secret key combined with a cryptographic hash function to produce a fixed-size authentication tag. This ensures both authenticity (the request came from a party knowing the key) and integrity (the data has not been altered) without providing non-repudiation, because the same key is shared between sender and receiver, so the receiver could also have generated the tag.

Exam trap

ISC2 often tests the distinction between authentication/integrity (HMAC) and non-repudiation (digital signatures), leading candidates to incorrectly choose digital signatures when non-repudiation is explicitly not required.

How to eliminate wrong answers

Option A is wrong because a digital signature using RSA provides non-repudiation (the sender cannot deny signing) and is computationally heavier than necessary when non-repudiation is not required. Option B is wrong because symmetric encryption with CBC mode provides confidentiality, not authenticity or integrity; CBC mode alone does not prevent an attacker from modifying ciphertext blocks. Option D is wrong because Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used to establish a shared secret over an insecure channel, not a method for authenticating or verifying the integrity of an API request.

602
MCQ · easy

What is the primary purpose of account deprovisioning in the account lifecycle?

A. To modify user roles and permissions
B. To immediately disable accounts and preserve evidence
C. To enforce password policies
D. To create new user accounts
Answer: B

Deprovisioning involves disabling and preserving data.

Why this answer

Deprovisioning ensures that when an employee leaves, access is revoked immediately to prevent unauthorized use, and evidence is preserved for investigations.

603
MCQ · hard

A network engineer configures a VLAN hopping attack prevention by setting all unused switch ports to an unused VLAN and disabling trunking. What vulnerability is being mitigated?

A. STP manipulation
B. ARP spoofing
C. MAC flooding
D. DTP spoofing
E. DHCP starvation
Answer: D

DTP spoofing can turn an access port into a trunk, enabling VLAN hopping.

Why this answer

DTP spoofing is the correct answer because VLAN hopping attacks often exploit Dynamic Trunking Protocol (DTP) to negotiate a trunk link between a switch and an attacker's device, allowing the attacker to send and receive traffic on multiple VLANs. By disabling trunking on all unused ports and assigning them to an unused VLAN, the switch will not respond to DTP negotiation requests, preventing unauthorized trunk establishment.

Exam trap

ISC2 often tests the distinction between DTP spoofing (VLAN hopping via trunk negotiation) and double-tagging attacks (another VLAN hopping method), so candidates may confuse the two or incorrectly associate VLAN hopping with MAC flooding or ARP spoofing.

How to eliminate wrong answers

Option A is wrong because STP manipulation attacks target Spanning Tree Protocol to cause network loops or traffic redirection, not VLAN hopping. Option B is wrong because ARP spoofing involves sending forged ARP replies to associate an attacker's MAC with a legitimate IP address, which is a man-in-the-middle technique unrelated to trunk negotiation. Option C is wrong because MAC flooding overwhelms a switch's CAM table to force it into fail-open mode, causing frames to flood out all ports, but it does not involve trunking or VLAN tagging.

Option E is wrong because DHCP starvation exhausts the DHCP server's address pool by sending many fake DHCP requests, preventing legitimate clients from obtaining IP addresses, and has no connection to DTP or VLAN hopping.

604
MCQ · hard

During a penetration test, the tester captures traffic on a switch port that is part of a VLAN other than the native VLAN. The tester is able to receive traffic destined for the management VLAN. What configuration flaw is exploited?

A. Spanning tree protocol is enabled
B. Trunk port misconfiguration with native VLAN mismatch
C. Port security is not enabled
D. DHCP snooping is disabled
E. VLAN trunking protocol (VTP) is set to transparent mode
Answer: B

If the native VLAN on a trunk matches the management VLAN, frames can be double-tagged to hop VLANs.

Why this answer

The correct answer is B because the scenario describes a native VLAN mismatch on a trunk port. When two switches have different native VLANs configured on a trunk, they will not tag frames for their respective native VLANs. This allows an attacker on a non-native VLAN to receive traffic destined for the management VLAN (typically VLAN 1) by sending frames with no 802.1Q tag, which the receiving switch treats as belonging to its own native VLAN, effectively bypassing VLAN segmentation.

Exam trap

ISC2 often tests the native VLAN mismatch concept by describing a scenario where an attacker on a non-native VLAN receives management traffic, and candidates mistakenly choose options like 'VTP transparent mode' or 'STP enabled' because they confuse protocol behavior with security flaws.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) prevents loops, not VLAN hopping or traffic leakage; enabling STP does not cause or mitigate native VLAN mismatches. Option C is wrong because port security limits MAC addresses on an access port, but it does not prevent VLAN hopping attacks exploiting trunk misconfigurations. Option D is wrong because DHCP snooping filters untrusted DHCP messages and prevents rogue DHCP servers, but it does not address native VLAN mismatches or VLAN hopping.

Option E is wrong because VTP transparent mode simply forwards VTP advertisements without processing them; it does not cause or prevent the native VLAN mismatch vulnerability.

605
MCQ · medium

An attacker is performing a man-in-the-middle attack at Layer 2 by sending forged ARP messages to associate their MAC address with the IP address of a legitimate host on the same subnet. This attack is known as:

A. ARP spoofing
B. DNS poisoning
C. DHCP spoofing
D. MAC flooding
Answer: A

ARP spoofing sends fake ARP messages to perform MitM.

Why this answer

ARP spoofing involves sending gratuitous ARP replies to poison the ARP cache of other hosts.

606
Multi-Select · hard

A security analyst is reviewing Linux audit logs with auditd. Which TWO events would be of greatest concern for a server that should not have interactive logins? (Select TWO.)

Select 2 answers
A. Successful root login via SSH
B. System reboot logs
C. Multiple failed su attempts
D. Successful cron job execution
E. File permission changes by a non-root user
Answers: A, C

Unauthorized interactive login.

Why this answer

Failed login attempts indicate brute force; successful root login indicates unauthorized access.

607
Multi-Select · medium

Which TWO of the following are key components of an incident response plan (IRP) according to NIST SP 800-61?

Select 2 answers
A. Acquisition of forensic tools
B. Hardware inventory
C. Communication plan
D. Testing the plan
E. Annual budget
Answers: C, D

A communication plan is a required component of an IRP.

Why this answer

NIST SP 800-61 (Computer Security Incident Handling Guide) explicitly identifies the communication plan and testing the plan as key components of an incident response plan. The communication plan ensures all stakeholders (internal teams, legal, PR, external partners) are notified and coordinated during an incident, while testing validates the plan's effectiveness through exercises like tabletop or functional drills.

Exam trap

ISC2 often tests the distinction between components of the plan itself (like communication and testing) versus operational activities or supporting resources (like forensic tools or budgets), leading candidates to select items that are part of incident response but not key components of the plan.

608
Matching · medium

Match each authentication factor to its category.


Something you know

Something you have

Something you are

Something you do

Why these pairings

These are the four main authentication factor categories.

609
Multi-Select · hard

A company is deploying a web application and wants to protect against OWASP Top 10 attacks. Which THREE controls should be implemented? (Select THREE.)

Select 3 answers
A. Disable auto-run on user workstations
B. Web Application Firewall (WAF)
C. Input validation and parameterized queries
D. Code signing for application binaries
E. Use a host-based intrusion detection system on the database server
Answers: B, C, D

WAF can detect and block OWASP attacks such as SQL injection and XSS.

Why this answer

Web Application Firewall (WAF) blocks common attacks like injection and XSS. Input validation prevents injection. Code signing ensures software integrity.

Disabling auto-run is unrelated.

610
MCQ · medium

During a risk assessment, a team identifies that a legacy application cannot be patched due to vendor end-of-life. The business decides to continue using the application but implement compensating controls such as network segmentation and strict access controls. This risk response strategy is best classified as:

A. Risk mitigation
B. Risk transfer
C. Risk acceptance
D. Risk avoidance
Answer: C

The business accepts the residual risk after applying compensating controls.

Why this answer

Risk acceptance means acknowledging the risk and taking no further action beyond existing controls. Compensating controls do not eliminate the risk; they reduce it to an acceptable level, which is still acceptance.

611
MCQ · easy

An organization requires users to authenticate using a password and a one-time code from a mobile app. Which authentication method is being used?

A. Time-based One-Time Password (TOTP)
B. Smart card
C. Hardware token
D. Biometrics
Answer: A

TOTP is a common OTP method using time synchronization.

Why this answer

Time-based One-Time Password (TOTP) generates a temporary code that changes every 30-60 seconds, commonly used with mobile apps like Google Authenticator.

612
MCQ · hard

An organization experiences malware that injects code into legitimate processes. Which security feature should be enabled to prevent code execution in memory pages?

A. Encrypted File System (EFS)
B. Address Space Layout Randomization (ASLR)
C. Mandatory Access Control (MAC)
D. Data Execution Prevention (DEP)
Answer: D

DEP prevents execution from non-executable memory regions.

Why this answer

Data Execution Prevention (DEP) is a hardware and software security feature that marks memory pages as non-executable unless they explicitly contain executable code. By preventing code execution in data-only memory regions (such as the heap and stack), DEP stops malware that attempts to inject and run shellcode within legitimate processes, even if the process is compromised.

Exam trap

The trap here is that candidates often confuse ASLR with DEP, thinking randomization alone prevents code execution, but ASLR only makes addresses unpredictable while DEP actively blocks execution from non-executable pages.

How to eliminate wrong answers

Option A is wrong because Encrypted File System (EFS) protects data at rest by encrypting files on NTFS volumes, but it does not control memory execution permissions or prevent code injection into running processes. Option B is wrong because Address Space Layout Randomization (ASLR) randomizes the memory addresses of process components to make exploitation harder, but it does not enforce non-execution of memory pages; it works alongside DEP but is not a direct prevention mechanism against code execution in memory. Option C is wrong because Mandatory Access Control (MAC) enforces system-wide security policies based on labels and subjects, but it does not manage memory page execution permissions at the hardware or kernel level.

613
MCQ · easy

An organization suspects a security incident. Which initial step should the incident response team take?

A. Contain the incident
B. Protect evidence
C. Identify the attacker
D. Notify law enforcement
Answer: B

Preserving volatile evidence is the first priority to support forensic analysis.

Why this answer

The initial step in incident response is to protect evidence (Option B) because preserving forensic data ensures the integrity of logs, memory dumps, and disk images for later analysis. According to NIST SP 800-61, the first priority after detection is to secure volatile data (e.g., RAM, network connections) before it is lost, which is critical for determining the scope and root cause of the incident.

Exam trap

The trap here is that candidates confuse the urgency of containment with the priority of evidence preservation, often selecting 'Contain the incident' because it seems immediately necessary, but the SSCP emphasizes that evidence must be secured first to support legal and forensic processes.

How to eliminate wrong answers

Option A is wrong because containment (e.g., isolating systems via VLAN segmentation or disabling network interfaces) should occur only after evidence has been preserved; premature containment can destroy volatile data like active network connections or running processes. Option C is wrong because identifying the attacker is a later analytical goal, not an initial step—focusing on attribution early can waste time and compromise evidence collection. Option D is wrong because notifying law enforcement is a strategic decision that typically occurs after the incident is confirmed and evidence is secured; premature notification may lead to legal complications or loss of control over the investigation.

614
MCQ · medium

During a qualitative risk analysis, an organization assigns a risk rating of 'High' for a specific threat. Which combination of factors most directly leads to this rating?

A. High probability and high impact
B. Low probability and low impact
C. High probability and low impact
D. Low probability and high impact
Answer: A

Both high probability and high impact result in a high risk rating.

Why this answer

In qualitative risk analysis, risk rating is determined by the product of probability and impact. A 'High' rating directly results from both high probability and high impact, as this combination represents the greatest potential for loss. This aligns with the risk matrix approach where the highest risk scores occupy the top-right quadrant.

Exam trap

Cisco often tests the misconception that high impact alone is sufficient for a 'High' risk rating, ignoring that probability must also be high to reach the top risk level.

How to eliminate wrong answers

Option B is wrong because low probability and low impact produce a 'Low' risk rating, not 'High'. Option C is wrong because high probability combined with low impact typically yields a 'Medium' or 'Moderate' rating, as the low impact reduces overall risk severity. Option D is wrong because low probability with high impact often results in a 'Medium' risk rating, as the low likelihood mitigates the overall risk despite the high potential damage.

615
Multi-Select · medium

A security engineer is hardening a Windows workstation. Which TWO configurations reduce the attack surface by limiting execution of unauthorized code? (Select TWO.)

Select 2 answers
A. Configure AppLocker rules
B. Enable Windows Firewall with Advanced Security
C. Enable BitLocker full-disk encryption
D. Enable Windows Defender Application Control (WDAC)
E. Disable AutoPlay
Answers: A, D

AppLocker restricts which applications can run.

Why this answer

AppLocker whitelists allowed applications; Windows Defender Application Control blocks unsigned drivers and applications.

616
MCQ · medium

A healthcare organization uses an electronic health records (EHR) system that stores patient data in a relational database. The system is accessed by doctors and nurses via tablet devices on a wireless network. The security team has detected that some patient records were accessed outside of normal business hours from an IP address not belonging to the organization. The database logs show that the queries originated from the application server. The application logs indicate that the access was performed using a legitimate user account that had been disabled due to employee departure two weeks earlier. Which of the following is the most effective step to prevent recurrence?

A. Require multi-factor authentication for all remote access.
B. Enable audit logging on all database transactions.
C. Implement a process to disable user accounts within one hour of employee termination.
D. Segregate the wireless network from the internal network.
Answer: C

A timely account disable process prevents use of former employees' credentials.

Why this answer

Option C is correct because disabling the account should have been immediate upon employee departure; this is a failure of the account management process. Option B, while useful, is incorrect because it does not address the root cause of the account still being active. Option D is incorrect because network segmentation would not prevent use of a valid account.

Option A is incorrect because MFA helps, but if the account is still active, the attacker could have bypassed MFA if it was not enforced.

617
Multi-Select · hard

Which TWO of the following are effective measures to prevent buffer overflow attacks in software development?

Select 2 answers
A. Validate all input to ensure it meets length constraints
B. Implement stack canaries
C. Obfuscate the code to make exploitation harder
D. Enable Address Space Layout Randomization (ASLR)
E. Use functions that perform bounds checking (e.g., strncpy instead of strcpy)
Answers: B, E

Stack canaries detect if a buffer overflow has occurred by checking a known value.

Why this answer

Options B and E are correct. Option E (using bounds-checking functions such as strncpy instead of strcpy) prevents overflows. Option B (stack canaries) detects buffer overflows before they overwrite return addresses.

Option D (ASLR) randomizes memory addresses but does not prevent the overflow; it only makes exploitation harder. Option A (input validation) helps but is not specific to buffer overflows; Option C (code obfuscation) does not prevent the vulnerability.

618
MCQ · hard

A security administrator is configuring a wireless network for a branch office. The office has legacy devices that only support WPA2-PSK. The administrator wants to provide the highest level of security while maintaining compatibility. Which configuration should be used?

A. WPA2-Enterprise with RADIUS
B. WPA2-PSK with AES (CCMP)
C. WPA3-SAE only
D. WPA2-PSK with TKIP
Answer: B

AES is the strongest encryption available for WPA2 and is supported by most devices.

Why this answer

WPA2-PSK with AES (CCMP) is correct because it provides the highest security level compatible with legacy devices that only support WPA2-PSK. AES-CCMP is the mandatory encryption protocol for WPA2, offering strong data confidentiality and integrity, whereas TKIP is deprecated due to known vulnerabilities. This configuration avoids the need for a RADIUS server (required by WPA2-Enterprise) and does not force an upgrade to WPA3, which legacy devices cannot support.

Exam trap

The trap here is that candidates often assume WPA2-Enterprise is always more secure than WPA2-PSK, but the question explicitly requires compatibility with legacy devices that only support WPA2-PSK, making WPA2-Enterprise an invalid choice despite its stronger authentication model.

How to eliminate wrong answers

Option A is wrong because WPA2-Enterprise with RADIUS requires an authentication server and is not supported by legacy devices that only support WPA2-PSK; it would break compatibility. Option C is wrong because WPA3-SAE is not supported by legacy WPA2-only devices, so it would render the network inaccessible to them. Option D is wrong because WPA2-PSK with TKIP uses the deprecated TKIP cipher, which is vulnerable to attacks like Michael and Beck-Tews, and provides weaker security than AES-CCMP.

619
MCQ · easy

Which of the following is a primary purpose of a security baseline, such as the CIS Benchmarks?

A. To provide a secure configuration standard for systems
B. To calculate annualized loss expectancy
C. To replace the need for vulnerability scanning
D. To detect intrusions in real-time
Answer: A

Baselines define secure configurations.

Why this answer

A security baseline like the CIS Benchmarks establishes a hardened, consistent configuration standard for operating systems, applications, and network devices. This reduces the attack surface by disabling unnecessary services, enforcing least privilege, and applying specific registry or file permission settings. It is a foundational step in secure system deployment and ongoing compliance.

Exam trap

Cisco often tests the distinction between a proactive security control (baseline) and reactive or ongoing controls (vulnerability scanning, intrusion detection), leading candidates to confuse configuration standards with operational security tools.

How to eliminate wrong answers

Option B is wrong because annualized loss expectancy (ALE) is a quantitative risk analysis formula (SLE × ARO) used in risk management, not a function of a security baseline. Option C is wrong because a security baseline does not replace vulnerability scanning; baselines define secure configurations, while scanning actively identifies missing patches or misconfigurations. Option D is wrong because intrusion detection in real-time is performed by IDS/IPS systems (e.g., Snort, Suricata) that analyze network traffic or host logs, not by a static configuration baseline.

620
MCQ · hard

Refer to the exhibit. What is the most likely cause of this error?

A. The root CA is not trusted
B. The certificate has been revoked
C. The certificate is expired
D. The certificate uses weak encryption
Answer: A

A self-signed certificate in the chain means the CA is not in the trust store.

Why this answer

The error 'The root CA is not trusted' occurs because the client device does not have the root CA certificate installed in its trusted root store. When a server presents a certificate chain, the client must be able to validate the chain up to a trusted root CA; if the root CA is missing or not trusted, the certificate chain is considered invalid, and the connection is rejected.

Exam trap

ISC2 often tests the distinction between certificate chain validation failures (root CA not trusted) versus other certificate errors (expired, revoked, weak key), and the trap here is that candidates confuse a missing root CA with a revoked or expired certificate, which produce different error messages.

How to eliminate wrong answers

Option B is wrong because a revoked certificate would produce a different error, such as 'certificate revoked' or a CRL/OCSP failure message, not a trust-related error. Option C is wrong because an expired certificate would generate a specific 'certificate expired' error, not a root CA trust issue. Option D is wrong because weak encryption (e.g., RSA 512-bit) would cause a security policy violation or cipher mismatch error, not a root CA trust failure.

621
Multi-Select · medium

An organization is implementing system hardening. Which TWO of the following actions are recommended by CIS Benchmarks? (Select two.)

Select 2 answers
A. Remove unnecessary services and accounts
B. Enable DHCP for all network interfaces
C. Disable autorun and autoplay features
D. Enable User Account Control (UAC)
E. Disable the host-based firewall
Answers: A, C

Reducing the attack surface is a key hardening step.

Why this answer

CIS Benchmarks recommend removing unnecessary services and accounts to reduce attack surface, and disabling autorun/autoplay to prevent malware from spreading via removable media. Enabling UAC is a Windows security control but not specifically a CIS Benchmark recommendation. Using DHCP is not a hardening measure.

Disabling the firewall weakens security.

622
MCQ · easy

Which type of IDS uses a baseline of normal behavior to detect anomalies?

A. Host-based IDS (HIDS)
B. Anomaly-based IDS
C. Network-based IDS (NIDS)
D. Signature-based IDS
Answer: B

Anomaly detection relies on behavioral baselines.

Why this answer

Anomaly-based IDS (B) is correct because it establishes a baseline of normal network or system behavior through statistical modeling or machine learning, then flags deviations from that baseline as potential intrusions. This contrasts with signature-based systems that rely on predefined patterns of known attacks. The core mechanism involves profiling metrics such as CPU usage, network traffic volume, or protocol deviations over time to identify anomalies.

Exam trap

Cisco often tests the distinction between detection methodology (anomaly vs. signature) and deployment type (host-based vs. network-based), leading candidates to mistakenly choose HIDS or NIDS because they associate them with behavioral monitoring, when the question specifically asks about the detection method that uses a baseline.

How to eliminate wrong answers

Option A is wrong because Host-based IDS (HIDS) monitors activity on a single host (e.g., system logs, file integrity) but does not inherently use a baseline of normal behavior; it can be signature-based or anomaly-based depending on implementation. Option C is wrong because Network-based IDS (NIDS) analyzes network traffic at the packet level but, like HIDS, is a deployment type, not a detection methodology; it can use signatures or anomalies. Option D is wrong because Signature-based IDS relies on a database of known attack signatures (e.g., Snort rules) and cannot detect novel or zero-day attacks without an existing pattern, whereas anomaly-based detection uses behavioral baselines.

623
MCQ · easy

Which protocol is used to securely transfer files between a client and server, typically over TCP port 22?

A. SMTP
B. TFTP
C. SSH
D. FTP
Answer: C

SSH provides secure file transfer over TCP port 22.

Why this answer

SSH (Secure Shell) provides encrypted file transfer capabilities via SCP or SFTP, using port 22.

624
MCQ · medium

A security team is investigating a potential data exfiltration incident. They notice that a large amount of data was transferred to an external IP address during off-hours. What should be the first step?

A. Notify senior management of the incident.
B. Block the external IP address at the firewall.
C. Analyze the data transfer logs to determine the scope.
D. Isolate the affected system from the network.
Answer: D

Isolation stops the exfiltration immediately.

Why this answer

Option D is correct because the immediate priority in a suspected data exfiltration incident is to contain the threat and prevent further data loss. Isolating the affected system from the network stops ongoing communication with the external IP address, preserving the system state for forensic analysis. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often choose to block the external IP (Option B) thinking it stops the attack, but Cisco tests the principle that containment must be at the host level to prevent the attacker from pivoting or using alternate C2 channels.

How to eliminate wrong answers

Option A is wrong because notifying senior management is a later step in the incident response process; the first action must be technical containment to stop the exfiltration. Option B is wrong because blocking the external IP address at the firewall does not stop the compromised system from using other IPs or protocols, and it may alert the attacker, destroying forensic evidence. Option C is wrong because analyzing data transfer logs to determine scope is part of the investigation phase, which should occur after containment to avoid further data loss while logs are being reviewed.

625
Multi-Select · medium

A security administrator is designing an identity federation solution. Which THREE of the following are commonly used federation standards?

Select 3 answers
A. LDAP
B. Kerberos
C. SAML
D. RADIUS
E. OAuth / OpenID Connect
Answers: B, C, E

Kerberos can be used in federated environments (e.g., cross-realm).

Why this answer

SAML, OAuth/OIDC, and Kerberos (with extensions) are used for federation. LDAP is a directory protocol, not a federation standard.

626
MCQ · medium

A network administrator is unable to ping the server at 10.2.2.100 from a host on the 192.168.1.0/24 network. Based on the exhibit, what is the most likely cause?

A. The static route to 10.3.3.0 is misconfigured.
B. The gateway of last resort is missing.
C. The OSPF route for 10.2.2.0 is not in the routing table.
D. The OSPF neighbor relationship may be unstable, causing intermittent route flapping.
Answer: D

The route is learned but the age (00:05:12) may indicate recent instability.

Why this answer

The exhibit shows that the host on 192.168.1.0/24 cannot reach 10.2.2.100, but the routing table includes both a static route to 10.3.3.0 and an OSPF route to 10.2.2.0. Option D is correct because the symptom of intermittent reachability (sometimes ping works, sometimes not) combined with a known OSPF neighbor relationship points to route flapping, where the OSPF route for 10.2.2.0 is repeatedly added and removed due to an unstable neighbor adjacency, causing the ping to fail when the route is absent.

Exam trap

ISC2 often tests the distinction between a missing route (which would cause a complete failure) and an unstable route (which causes intermittent failure), tricking candidates into choosing a static answer like 'missing route' when the symptom of intermittent connectivity points to route flapping.

How to eliminate wrong answers

Option A is wrong because the static route to 10.3.3.0 is irrelevant to reaching 10.2.2.100; the destination is 10.2.2.0/24, not 10.3.3.0/24, so a misconfigured static route to a different subnet does not affect this connectivity. Option B is wrong because a missing gateway of last resort (default route) would only affect traffic to networks not explicitly in the routing table; here, the routing table already contains an OSPF route for 10.2.2.0/24, so a default route is unnecessary for this specific destination. Option C is wrong because the OSPF route for 10.2.2.0 is present in the routing table (as shown in the exhibit), so the issue is not that the route is missing entirely, but rather that it may be flapping due to an unstable OSPF neighbor relationship.

627
MCQ · medium

A company's vulnerability scanner reports a critical vulnerability in a third-party library. The remediation SLA for critical vulnerabilities is 48 hours. However, the patch is not yet available from the vendor. Which of the following is the most appropriate immediate action?

A. Remove the vulnerable software immediately
B. Extend the SLA to 30 days
C. Accept the risk because the vendor has not released a patch
D. Implement compensating controls to mitigate the vulnerability
Answer: D

Compensating controls reduce risk until a patch is available.

Why this answer

Option D is correct because when a patch is unavailable, implementing compensating controls (e.g., network segmentation, WAF rules, disabling unused features) is the immediate action to reduce risk exposure while awaiting an official fix. This aligns with the NIST SP 800-40 risk mitigation framework, which prioritizes compensating controls when patching is not feasible. Simply removing the software (A) may break business operations, extending the SLA (B) violates policy, and accepting risk (C) ignores the need for active mitigation.

Exam trap

The trap here is that candidates assume 'no patch available' means 'no action required' (Option C), but the SSCP exam expects proactive risk mitigation through compensating controls even when patching is delayed.

How to eliminate wrong answers

Option A is wrong because removing the vulnerable software immediately could cause significant operational disruption and is not required if compensating controls can reduce risk to an acceptable level. Option B is wrong because extending the SLA to 30 days violates the established 48-hour remediation policy and does not address the immediate threat; SLAs are not arbitrarily extended without formal risk acceptance. Option C is wrong because accepting risk without implementing any controls is negligent; the absence of a vendor patch does not justify inaction—compensating controls must be applied to reduce the likelihood of exploitation.

628
MCQ · hard

A security analyst is reviewing firewall logs and notices a high rate of TCP SYN packets to multiple ports on a server, but no corresponding ACK or RST packets. This is characteristic of which type of attack?

A. UDP flood
B. SYN flood
C. Smurf attack
D. Ping of death
Answer: B

SYN flood uses incomplete TCP handshakes to exhaust resources.

Why this answer

SYN flood sends many SYN packets without completing the handshake, exhausting server resources.

629
MCQ · easy

Which term describes the risk that remains after implementing risk mitigation controls?

A. Accepted risk
B. Residual risk
C. Inherent risk
D. Control risk
Answer: B

Residual risk remains after mitigation.

Why this answer

Residual risk is the risk that remains after all risk mitigation controls have been applied. It represents the portion of the original risk that cannot be eliminated or reduced further, and it must be accepted by management if it falls within the organization's risk appetite.

Exam trap

The trap here is that candidates confuse 'residual risk' with 'accepted risk,' but accepted risk is the subset of residual risk that management formally approves to tolerate, not the risk that remains after controls.

How to eliminate wrong answers

Option A is wrong because accepted risk is a decision to formally acknowledge and tolerate a specific risk, often after evaluating residual risk, not the risk that remains after controls. Option C is wrong because inherent risk is the level of risk before any controls are implemented, not after. Option D is wrong because control risk is the risk that a control may fail or be ineffective, not the leftover risk after controls are applied.

630
MCQ · easy

What is the PRIMARY purpose of a lessons learned meeting after an incident?

A. To assign blame for the incident
B. To satisfy regulatory compliance requirements
C. To calculate the financial cost of the incident
D. To identify improvements in the incident response process
Answer: D

Correct. It helps refine the IR plan and procedures.

Why this answer

The primary purpose of a lessons learned meeting is to analyze the incident response process to identify what worked well and what did not, enabling the team to update procedures, playbooks, and tools to improve future responses. This aligns with the continuous improvement cycle mandated by frameworks like NIST SP 800-61, which emphasizes post-incident activity to refine detection and remediation capabilities.

Exam trap

The trap here is that candidates confuse the primary goal of process improvement with secondary outcomes like cost calculation or compliance, but the SSCP exam emphasizes that the core purpose is to enhance the incident response plan's effectiveness, not to assign blame or tally expenses.

How to eliminate wrong answers

Option A is wrong because lessons learned meetings are explicitly non-punitive and focus on process improvement, not assigning blame, which would discourage open reporting and hinder future incident handling. Option B is wrong because, while regulatory compliance may require documentation of post-incident reviews, the primary purpose is not compliance but operational improvement; compliance is a secondary benefit. Option C is wrong because calculating financial cost is typically part of a separate damage assessment or forensic accounting, not the core objective of a lessons learned meeting, which centers on process effectiveness.

631
Multi-Select · medium

Which TWO of the following are types of intrusion detection systems (IDS) based on the detection method?

Select 2 answers
A. Anomaly-based IDS
B. Host-based IDS
C. Rule-based IDS
D. Signature-based IDS
E. Network-based IDS
Answers: A, D

Detects deviations from baseline behavior.

Why this answer

Options A and D are correct. Signature-based detection matches known patterns, and anomaly-based detection identifies deviations from normal behavior. Option E is wrong because network-based refers to placement, not detection method.

Option B is wrong because host-based is also placement. Option C is wrong because rule-based is a subset of signature-based.

632
MCQ · medium

A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?

A. Risk mitigation by blocking the IP address
B. Risk remediation by changing all user passwords
C. Risk transfer
D. Risk acceptance
Answer: A

Blocking the source IP mitigates the ongoing brute-force attempt.

Why this answer

Option A is correct because blocking the IP address reduces the immediate risk of further unauthorized access. Option D is wrong because accepting risk is not appropriate when an active threat is present. Option C is wrong because transferring risk (e.g., cyber insurance) does not stop the ongoing attack.

Option B is wrong because remediation might involve patching or changing passwords, but this is not the immediate action; blocking is faster.

633
MCQ · medium

A security administrator is reviewing backup procedures for a database server. The current backup policy mandates a full backup every Sunday and differential backups Tuesday through Friday. On Wednesday, a failure occurs, and the database is lost. The last successful full backup was completed on Sunday, and the last differential backup was completed on Tuesday. How many backup sets are needed to restore the database to its state as of Tuesday?

A. 4
B. 3
C. 2
D. 1
Answer: C

Full backup plus the latest differential backup.

Why this answer

To restore the database to its state as of Tuesday, you need the last full backup (Sunday) and the last differential backup (Tuesday). A differential backup contains all changes since the last full backup, so applying the Tuesday differential to the Sunday full backup recovers all data up to Tuesday. The Wednesday failure does not affect the Tuesday state, and no other backups are required.

Exam trap

The trap here is confusing differential backups with incremental backups, leading candidates to think they need all backups from Sunday through Tuesday (3 or 4 sets), when differential backups only require the last full and the most recent differential.

How to eliminate wrong answers

Option A is wrong because 4 backup sets would be needed only if you were using incremental backups (which require all backups since the last full), but the policy uses differential backups. Option B is wrong because 3 backup sets would be needed if you had to restore from Sunday full, Tuesday differential, and Wednesday differential (if it existed), but the Wednesday backup was never completed. Option D is wrong because 1 backup set (only the full backup) would restore the database to Sunday's state, not Tuesday's state, missing the changes captured in the Tuesday differential.

634
Multi-Select · medium

A company is implementing single sign-on (SSO) for its internal applications. Which TWO of the following protocols are commonly used for SSO?

Select 2 answers
A. Kerberos
B. OAuth
C. LDAP
D. RADIUS
E. SAML
Answers: A, E

Kerberos provides SSO within a domain.

Why this answer

Kerberos and SAML are both widely used for SSO. Kerberos is common in Windows domains, while SAML is used for web-based federated SSO. LDAP is a directory protocol, OAuth is for authorization (though OIDC adds authentication), and RADIUS is for network access.

635
Multi-Select · hard

Which THREE of the following are considered cryptographic best practices for key management? (Select exactly 3.)

Select 3 answers
A. Separate keys used for encryption and digital signatures
B. Rotate keys periodically
C. Use hardware security modules (HSMs) for key storage
D. Publish symmetric keys on the company website for transparency
E. Store keys with the encrypted data for convenience
Answers: A, B, C

Using the same key for both purposes weakens security.

Why this answer

Option A is correct because using separate keys for encryption and digital signatures ensures that compromising one key does not affect the other. This separation aligns with the principle of key usage restrictions, as defined in NIST SP 800-57, which mandates distinct keys for different cryptographic operations to prevent misuse and maintain non-repudiation.

Exam trap

ISC2 often tests the misconception that convenience (like storing keys with data) is acceptable, when in fact it violates the core security principle of key separation and confidentiality.

636
Multi-Select · easy

Which TWO of the following are examples of key risk indicators (KRIs)?

Select 2 answers
A. Number of unpatched critical vulnerabilities
B. Total number of employees
C. Percentage of systems with antivirus disabled
D. Average user satisfaction score
E. Number of security incidents this quarter
Answers: A, C

A high number indicates higher risk of exploitation.

Why this answer

Option A is correct because the number of unpatched critical vulnerabilities directly measures the organization's exposure to known exploits. A KRI must be quantifiable and predictive of risk; unpatched vulnerabilities are a leading indicator of potential breaches, as attackers actively scan for and exploit such weaknesses. This metric is commonly tracked in vulnerability management programs to prioritize remediation efforts.

Exam trap

ISC2 often tests the distinction between leading indicators (KRIs) and lagging indicators (outcome metrics); candidates mistakenly select 'Number of security incidents this quarter' because it seems risk-related, but it is a historical outcome, not a predictive risk indicator.

637
MCQ · hard

During a malware outbreak, a security analyst needs to contain the spread. The affected systems are on the same VLAN as critical servers. Which of the following containment actions should be performed FIRST to minimize impact?

A. Disable user accounts associated with the infected systems
B. Isolate the affected systems by applying VLAN quarantine or ACLs
C. Reboot the affected systems to clear malware from memory
D. Restore the affected systems from backup
Answer: B

Network isolation quickly stops communication with other systems.

Why this answer

Isolating the affected systems by applying VLAN quarantine or ACLs is the correct first action because it immediately stops the malware from spreading laterally across the same VLAN to critical servers, while preserving forensic evidence. This network-level containment is faster and less disruptive than account or system-level changes, and it prevents the outbreak from propagating before any remediation begins.

Exam trap

Cisco often tests the principle that containment must occur at the network layer first, not at the host or user layer, and the trap here is that candidates mistakenly choose to reboot or disable accounts, thinking they are stopping the infection, when in fact they are ignoring the immediate lateral spread risk.

How to eliminate wrong answers

Option A is wrong because disabling user accounts does not stop network-level propagation of malware; the infected systems can still communicate and spread the malware via network protocols even if the user account is disabled. Option C is wrong because rebooting may clear malware from memory but does not prevent reinfection from persistent components or lateral movement, and it can destroy volatile forensic evidence. Option D is wrong because restoring from backup is a recovery step, not a containment step; it should only be performed after the threat is contained and the root cause is understood, to avoid reintroducing the infection.

638
Multi-Select · hard

An organization is enhancing its backup strategy. According to the 3-2-1 rule, which THREE characteristics must the backup strategy include? (Select THREE)

Select 3 answers
A. At least two different media types
B. Daily full backups
C. At least one copy stored offsite
D. At least three copies of the data
E. Encryption of all backups
Answers: A, C, D

At least two different media types, e.g., disk and tape.

Why this answer

Option A is correct because the 3-2-1 rule requires at least two different media types (e.g., tape and disk, or disk and cloud) to mitigate the risk of a single media failure or vulnerability. This ensures that if one media type becomes corrupted or obsolete, the other remains viable for recovery.

Exam trap

Cisco often tests the 3-2-1 rule by including plausible but non-essential elements like encryption or backup frequency, tricking candidates into selecting them as mandatory components when they are not part of the rule's core definition.

639
MCQ · hard

An organization is implementing configuration management and wants to detect unauthorized changes to server configurations. Which of the following tools would be most effective for this purpose?

A. Configuration management database (CMDB)
B. SIEM with change detection rules
C. Vulnerability scanner
D. Patch management tool
Answer: B

A SIEM can aggregate logs and trigger alerts on specific configuration changes, making it effective for deviation detection.

Why this answer

SIEM (Security Information and Event Management) systems can collect and correlate logs from various sources. When configured with rules to detect configuration changes, such as modifications to registry keys or system files, a SIEM can generate alerts on unauthorized changes.

640
Multi-Select · hard

Which THREE are required components of a core role-based access control (RBAC) system according to NIST? (Choose three.)

Select 3 answers
A. Constraints
B. Users
C. Permissions
D. Sessions
E. Roles
Answers: B, C, E

Users are the subjects that are assigned to roles.

Why this answer

Option B (Users) is correct because in NIST's RBAC model (INCITS 359-2012), users are the human actors who are assigned to roles. The core components of RBAC are users, roles, and permissions; users are the subjects that ultimately receive permissions through their role membership. Without users, there is no entity to which roles and permissions can be assigned.

Exam trap

ISC2 often tests the distinction between core and advanced RBAC components, and the trap here is that candidates mistakenly include constraints or sessions as mandatory because they are commonly discussed in security policies, but NIST explicitly defines them as optional extensions to the core model.

641
MCQ · hard

A cloud security team is deploying a new web application on an IaaS platform. According to the shared responsibility model, which of the following security tasks is the customer responsible for?

A. Network infrastructure security such as DDoS protection at the provider edge
B. Hypervisor security and vulnerability management
C. Patching the guest operating system and web server software
D. Physical security of the data center hosting the servers
Answer: C

The customer manages the OS and applications in IaaS, including patching.

Why this answer

In IaaS, the customer is responsible for securing the operating system, applications, and data, while the provider secures the physical infrastructure.

642
MCQ · hard

A security analyst discovers that an internal DNS server is returning incorrect IP addresses for legitimate domains. The analyst suspects that an attacker has compromised the DNS resolver's cache. Which type of attack has likely occurred?

A. DNS amplification attack
B. SYN flood
C. DNS tunneling
D. DNS poisoning
Answer: D

The attacker corrupted the cache to redirect traffic.

Why this answer

DNS poisoning involves inserting false DNS records into a resolver's cache, redirecting users to malicious sites.

643
MCQ · hard

Based on the exhibit, if the user attempts to upload (put) a file to the S3 bucket corporate-data, what is the result?

A. Allowed because the bucket policy likely allows public puts
B. Denied because the explicit deny overrides any allow
C. Denied because PutObject is not explicitly allowed
D. Allowed because the policy also allows GetObject
Answer: B

The explicit deny for PutObject overrides any potential allows, so the request is denied.

Why this answer

The correct answer is B because the bucket policy includes an explicit deny statement that denies s3:PutObject for the user's principal. In AWS IAM and resource-based policies, an explicit deny always overrides any allow, regardless of other permissions. Therefore, even if other statements allow PutObject, the explicit deny blocks the upload.

Exam trap

The trap here is that candidates often assume an explicit allow for PutObject would override a deny, but AWS's explicit deny always wins, making the presence of any deny statement the decisive factor.

How to eliminate wrong answers

Option A is wrong because the bucket policy does not allow public puts; it contains an explicit deny that overrides any potential allow. Option C is wrong because the issue is not the absence of an explicit allow but the presence of an explicit deny, which takes precedence. Option D is wrong because GetObject permission is irrelevant to PutObject; each action is evaluated independently, and the explicit deny for PutObject still applies.

644
MCQ · easy

Refer to the exhibit. An analyst sees these logs and is concerned about a potential attack. What is the most likely scenario?

A. Denial of service (DoS)
B. SSH brute force
C. Successful RDP connection
D. Port scan
Answer: C

The full handshake and FIN indicate a normal RDP session to port 3389.

Why this answer

The log shows a successful RDP connection (source IP 10.0.0.5, destination port 3389, with 'Session established' or similar success indicator). RDP is a common target for lateral movement after initial compromise, and a single successful connection from an external IP to an internal host is a strong indicator of an attacker gaining remote access, not a brute force attempt (which would show multiple failures) or a scan (which would show many ports).

Exam trap

The trap here is that candidates see a single connection to a common service and assume it is a brute force or scan, but the key is the 'successful' indicator—brute force attacks show failures, and scans show multiple attempts, not a single established session.

How to eliminate wrong answers

Option A is wrong because a denial of service attack would show a flood of traffic, high packet rates, or resource exhaustion indicators, not a single successful session log. Option B is wrong because an SSH brute force would target port 22, not 3389, and would show numerous failed authentication attempts before any success, not a single established session. Option D is wrong because a port scan would show connection attempts to multiple ports (e.g., SYN packets to a range of ports) from the same source, not a single successful connection to one specific port.

645
MCQ · easy

When implementing a digital signature, which key is used to create the signature?

A. Receiver's private key
B. Sender's private key
C. Sender's public key
D. Receiver's public key
Answer: B

The private key is used to sign documents.

Why this answer

In a digital signature scheme, the sender uses their own private key to create the signature. This ensures non-repudiation because only the sender possesses that private key, and the corresponding public key can verify the signature. The process involves encrypting a hash of the message with the sender's private key, as specified in standards like PKCS#1 and RFC 8017.

Exam trap

The trap here is that candidates often confuse the roles of keys in encryption versus signing, mistakenly thinking the receiver's private key or the sender's public key is used to create the signature because they associate 'private' with secrecy and 'public' with sharing, without understanding the specific asymmetric operations required for non-repudiation.

How to eliminate wrong answers

Option A is wrong because the receiver's private key is used for decryption in asymmetric encryption, not for creating a digital signature; using it would allow anyone with the receiver's public key to forge the signature. Option C is wrong because the sender's public key is used to verify the signature, not create it; using it to sign would allow anyone to create a valid signature since the public key is widely known. Option D is wrong because the receiver's public key is used for encrypting messages to the receiver, not for signing; it cannot provide non-repudiation as the sender does not possess the corresponding private key.

646
MCQ · easy

After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

A. Lessons learned report
B. Incident response plan
C. Risk register
D. Business impact analysis (BIA)
Answer: A

A lessons learned report captures post-incident details and improvements.

Why this answer

A lessons learned report is a post-incident document that captures what happened during a security incident, including affected assets, the attack vector, and financial impact. It is used to improve future incident response processes and is distinct from operational plans or risk assessments.

Exam trap

ISC2 often tests the distinction between proactive planning documents (incident response plan, BIA) and reactive post-incident reports (lessons learned), leading candidates to confuse the BIA's financial impact analysis with the incident-specific financial impact in the lessons learned report.

How to eliminate wrong answers

Option B is wrong because an incident response plan is a pre-defined set of procedures for detecting, responding to, and recovering from incidents, not a post-incident summary of specific impacts. Option C is wrong because a risk register is a living document that logs identified risks, their likelihood, and mitigation status, not a retrospective report on a single incident. Option D is wrong because a business impact analysis (BIA) identifies critical business functions and their recovery priorities, not the details of a specific security event.

647
MCQ · hard

During a forensic investigation, a responder must collect evidence from a live Windows system. Which of the following represents the correct order for collecting volatile data?

A. Disk image, memory dump, process list, network connections
B. Memory dump, network connections, process list, disk image
C. Process list, memory dump, disk image, network connections
D. Network connections, memory dump, process list, disk image
Answer: B

Correct. Memory is the most volatile data.

Why this answer

Option B is correct because volatile data must be collected in order of decreasing volatility to avoid losing critical evidence. Memory (RAM) is the most volatile, followed by network connections and process lists (which change rapidly), and finally disk images (persistent storage). This order ensures that transient data is captured before it disappears.

Exam trap

The trap here is that candidates often think disk imaging is the most critical step and should be done first, but the SSCP exam tests the principle that volatile data (memory) must be captured before any non-volatile collection to prevent evidence loss.

How to eliminate wrong answers

Option A is wrong because it starts with a disk image, which is non-volatile, and places memory dump after it, risking loss of volatile data like running processes and network connections. Option C is wrong because it places process list before memory dump, but process list data resides in memory and can change if the system is altered during memory capture; memory must be collected first. Option D is wrong because it starts with network connections, which are more volatile than memory dump; memory should be captured before network state to avoid changes from system activity.

648
Multi-Select · medium

An organization wants to implement separation of duties to reduce the risk of fraud. Which THREE of the following are common techniques used to enforce separation of duties?

Select 3 answers
A. Audit logging and monitoring of privileged actions
B. Role-based access control with mutually exclusive roles
C. Enforcing complex password policies
D. Using biometric authentication
E. Requiring two or more people to approve a transaction
Answers: A, B, E

Logging provides accountability, a key component of separation of duties.

Why this answer

Separation of duties is enforced through role-based access control (assigning conflicting roles to different users), requiring dual authorization for critical actions, and audit logging for accountability. Password complexity and biometrics are authentication, not separation of duties.

649
MCQ · medium

A company's security policy requires that employees must change their passwords every 60 days. However, help desk tickets show that many users are locked out after forgetting their new passwords. Which of the following would BEST balance security and usability?

A. Require users to use a password manager
B. Extend the password change interval to 90 days
C. Disable account lockout after failed attempts
D. Implement single sign-on (SSO) for all applications
Answer: D

SSO reduces password fatigue and thus forgotten passwords.

Why this answer

Single sign-on (SSO) reduces the number of passwords users must remember to one set of credentials, which decreases the likelihood of forgotten passwords and lockouts. By centralizing authentication, SSO allows the organization to enforce a strong password policy (e.g., 60-day rotation) while improving usability, as users only need to manage a single password. This balances security (centralized control, stronger authentication) with usability (fewer password resets).

Exam trap

The trap here is that candidates may choose to extend the password change interval (Option B) thinking it reduces user burden, but the SSCP exam emphasizes that usability improvements must not weaken security controls like password rotation frequency or account lockout policies.

How to eliminate wrong answers

Option A is wrong because requiring a password manager does not reduce the number of passwords users must remember or change; it only stores them, and users may still forget the master password or fail to update stored passwords, leading to continued lockouts. Option B is wrong because extending the password change interval to 90 days reduces security by increasing the window of exposure for compromised credentials, and it does not address the root cause of forgotten passwords (users still have multiple passwords to remember). Option C is wrong because disabling account lockout removes a critical security control that prevents brute-force attacks, violating security policy and increasing risk of unauthorized access.

650
MCQ · medium

A security analyst is evaluating encryption modes for a new system that requires authenticated encryption to ensure both confidentiality and integrity of data in transit. Which AES mode should the analyst recommend?

A. ECB
B. CBC
C. CTR
D. GCM
Answer: D

GCM provides authenticated encryption.

Why this answer

GCM (Galois/Counter Mode) is the correct choice because it provides authenticated encryption, combining the confidentiality of CTR mode with integrity verification via a Galois field authentication tag. This makes it ideal for securing data in transit, as it ensures both privacy and tamper detection in a single, efficient operation.

Exam trap

The trap here is that candidates often confuse confidentiality-only modes (like CBC or CTR) with authenticated encryption, overlooking that GCM is the only option listed that natively provides both encryption and integrity in a single mode.

How to eliminate wrong answers

Option A is wrong because ECB (Electronic Codebook) mode encrypts each block independently, producing identical ciphertext for identical plaintext blocks, which leaks patterns and provides no integrity protection. Option B is wrong because CBC (Cipher Block Chaining) mode ensures confidentiality through chaining but does not inherently provide authentication or integrity; it requires a separate MAC (e.g., HMAC) for authenticated encryption. Option C is wrong because CTR (Counter) mode offers confidentiality by encrypting a counter value, but like CBC, it lacks built-in integrity verification and is vulnerable to bit-flipping attacks without an additional authentication mechanism.

651
MCQ · medium

A security analyst notices unusual outbound traffic from a server in the DMZ to an external IP address on port 4444. The server runs a web application. Which action should the analyst take first?

A. Disconnect the server from the network.
B. Reboot the server to clear any malware.
C. Check the server's running processes and established connections.
D. Block the outbound traffic at the firewall.
Answer: C

This provides immediate visibility into potential compromise without destroying evidence.

Why this answer

Option C is correct because the first step in incident response is to gather forensic evidence and understand the scope of the compromise. Checking running processes and established connections allows the analyst to identify the malicious process, its parent, and the active command-and-control (C2) channel on port 4444, which is commonly associated with reverse shells or backdoor traffic. This data is volatile and must be captured before any disruptive action like disconnection or reboot, which would destroy evidence.

Exam trap

The trap here is that candidates often choose to immediately block or disconnect, confusing containment with the first step of incident response, which must always be evidence preservation and scoping.

How to eliminate wrong answers

Option A is wrong because immediately disconnecting the server from the network destroys volatile evidence (e.g., active network connections, memory-resident malware) and may alert the attacker, hindering forensic analysis. Option B is wrong because rebooting clears memory-resident malware and volatile forensic data, such as running processes and network connections, making root cause analysis impossible. Option D is wrong because blocking outbound traffic at the firewall without first investigating the source may disrupt the attacker's C2 channel, but it also prevents the analyst from observing the attacker's actions and collecting evidence; it should be done only after evidence is preserved.

652
MCQ · medium

After an incident, the team identifies that the incident was caused by a missing security patch. Which of the following is the MOST effective way to prevent recurrence?

A. Conduct phishing simulations
B. Increase network monitoring
C. Implement a patch management policy
D. Update the incident response plan
Answer: C

A policy ensures patches are applied in a timely manner, preventing recurrence.

Why this answer

A missing security patch indicates a failure in the vulnerability management lifecycle. Implementing a patch management policy ensures that patches are systematically identified, tested, and deployed, directly addressing the root cause. This is the most effective preventive measure because it establishes a recurring process to close known vulnerabilities before they can be exploited.

Exam trap

The trap here is that candidates often confuse reactive measures (monitoring, response plans) with proactive prevention, or they mistakenly think user training (phishing simulations) addresses a technical configuration failure.

How to eliminate wrong answers

Option A is wrong because phishing simulations address social engineering attacks, not missing patches; they test user awareness, not system configuration. Option B is wrong because increasing network monitoring improves detection of ongoing attacks but does not prevent exploitation of unpatched vulnerabilities. Option D is wrong because updating the incident response plan improves future response efficiency but does not prevent the initial cause—the missing patch—from recurring.

653
Multi-Selecteasy

A network administrator is implementing segmentation to limit the spread of malware. Which two technologies can achieve network segmentation? (Choose two.)

Select 2 answers
A.Firewalls
B.VPN
C.NAT
D.Subnetting
E.VLANs
AnswersA, E

Firewalls can segment by controlling traffic between network zones.

Why this answer

Firewalls are correct because they can enforce network segmentation by controlling traffic between network segments based on security policies. By placing firewalls at segment boundaries, administrators can filter traffic using rules that inspect source/destination IP addresses, ports, and application-layer data, thereby limiting the lateral spread of malware. VLANs are correct because they partition a switched network into separate Layer 2 broadcast domains, so traffic between VLANs must pass through a router or firewall where it can be filtered.

Exam trap

The trap here is that candidates often confuse subnetting with segmentation, not realizing that subnetting alone provides no traffic filtering or isolation without a firewall or router ACL, and that VPNs are for secure tunneling, not internal network partitioning.

654
MCQmedium

A security administrator is implementing an access control system that uses sensitivity labels on subjects and objects. The policy dictates that a subject can only read objects with a label equal to or lower than the subject's clearance, and can only write to objects with a label equal to or higher than the subject's clearance. Which access control model and principle is being enforced?

A.MAC with Bell-LaPadula model
B.MAC with Biba model
C.DAC with owner-based permissions
D.RBAC with role hierarchy
AnswerA

Bell-LaPadula uses mandatory labels and enforces no read up and no write down for confidentiality.

Why this answer

The Bell-LaPadula model enforces confidentiality through the simple security property (no read up) and the *-property (no write down). The rules described, reading only at or below the subject's clearance and writing only at or above it, match Bell-LaPadula's restrictions exactly.

655
MCQeasy

A network administrator implements the firewall rules above. What is the effect of this rulebase?

A.HTTP and HTTPS traffic from all networks is blocked
B.HTTP and HTTPS traffic from the 10.0.0.0/8 network is allowed
C.All traffic from the 10.0.0.0/8 network is blocked
D.The deny rule is redundant because permit rules exist
AnswerB

The permit rules (1 and 2) are listed before the deny rule, so they match first.

Why this answer

Option B is correct because firewall rules are processed top-down and the first matching rule applies. For a web request from 10.0.1.1 to destination port 80, Rule 1 matches and permits it, so the deny rule (Rule 3) is never evaluated for that packet. Because the permit rules (1 and 2) are listed before the deny rule, HTTP and HTTPS traffic from the 10.0.0.0/8 network is allowed.

Option A is wrong because it ignores rule order. Option C is wrong because traffic to other ports is denied (by Rule 3 or the implicit default deny), but HTTP and HTTPS from 10.0.0.0/8 is permitted, so not all traffic from that network is blocked. Option D is wrong because the rules are not redundant: the deny rule still applies to traffic the permit rules do not match.
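The top-down, first-match processing described above, as an added example that is not part of the original question bank: a minimal rule evaluator in Python over a constructed rulebase (the question's own rule table is not reproduced on the page, so Rules 1 to 3 below are an assumption). It also shows how the same rules behave when the deny is placed first.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR notation
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        in_src = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        proto_ok = self.proto in ("any", proto)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return in_src and proto_ok and port_ok


# Constructed rulebase (an assumption; the question's table is not on the
# page): two permits for the web ports, then a catch-all deny.
RULEBASE: List[Rule] = [
    Rule(1, "permit", "10.0.0.0/8", "tcp", 80),
    Rule(2, "permit", "10.0.0.0/8", "tcp", 443),
    Rule(3, "deny",   "10.0.0.0/8", "any", None),
]


def evaluate(rules: List[Rule], src_ip: str, proto: str,
             dst_port: int) -> Tuple[str, Optional[int]]:
    """Top-down, first-match evaluation.

    Returns (action, number of the matching rule). If nothing matches,
    the implicit default deny applies and the rule number is None.
    """
    for rule in rules:
        if rule.matches(src_ip, proto, dst_port):
            return rule.action, rule.number
    return "deny", None


def main() -> None:
    cases = [("10.0.1.1", "tcp", 80), ("10.0.1.1", "tcp", 443),
             ("10.0.1.1", "tcp", 22), ("192.168.1.5", "tcp", 80)]
    print("Rules in the order given (permit, permit, deny):")
    for c in cases:
        print("  ", c, "->", evaluate(RULEBASE, *c))
    # Same rules with the deny moved to the top: it now shadows both permits,
    # which is the outcome option A describes.
    shadowed = [RULEBASE[2], RULEBASE[0], RULEBASE[1]]
    print("Deny rule moved first:")
    for c in cases[:2]:
        print("  ", c, "->", evaluate(shadowed, *c))


if __name__ == "__main__":
    main()
```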

656
Multi-Selecteasy

Which TWO protocols are considered insecure and should be replaced with secure alternatives? (Choose two.)

Select 2 answers
A.IPsec
B.Telnet
C.HTTPS
D.SNMPv3
E.FTP
AnswersB, E

Telnet sends data in plaintext.

Why this answer

Telnet (B) is insecure because it transmits all data, including login credentials, in cleartext over TCP port 23. It lacks encryption and authentication mechanisms, making it vulnerable to packet sniffing and man-in-the-middle attacks. Secure alternatives like SSH (port 22) should be used instead. FTP (E) likewise sends credentials and file contents in cleartext, and should be replaced by SFTP or FTPS.

Exam trap

ISC2 often tests the distinction between secure and insecure versions of protocols, where candidates mistakenly think SNMPv3 or IPsec are insecure because they confuse them with older versions (SNMPv1/v2c) or assume all VPN protocols are vulnerable.

657
MCQeasy

A company wants to ensure that data transmitted between its two branch offices remains confidential. Which cryptographic goal is primarily being addressed?

A.Availability
B.Non-repudiation
C.Integrity
D.Confidentiality
AnswerD

Confidentiality is the goal of keeping data secret, achieved via encryption.

Why this answer

Confidentiality ensures that data is accessible only to authorized parties, typically achieved through encryption. In this scenario, the company wants to prevent unauthorized interception of data between branch offices, which is the core goal of confidentiality. Technologies such as IPsec VPNs or TLS are used to encrypt the data in transit, directly addressing this requirement.

Exam trap

The trap here is that candidates often confuse confidentiality with integrity, mistakenly thinking that protecting data from modification also prevents it from being read, but encryption alone does not guarantee integrity unless combined with a MAC or authenticated encryption mode like GCM.

How to eliminate wrong answers

Option A is wrong because availability ensures that systems and data are accessible when needed, often through redundancy or fault tolerance, not by protecting data from eavesdropping. Option B is wrong because non-repudiation provides proof of origin or delivery of data, typically via digital signatures, and does not prevent unauthorized reading of the data. Option C is wrong because integrity ensures that data has not been altered during transit, often using hashing or MACs, but does not protect against unauthorized viewing of the data.

658
MCQhard

A company is preparing for a PCI DSS assessment. According to PCI DSS requirements, how frequently must internal vulnerability scans be performed?

A.Annually
B.Monthly
C.Weekly
D.Quarterly
AnswerD

PCI DSS mandates quarterly scans.

Why this answer

PCI DSS Requirement 11.2.1 mandates that internal vulnerability scans must be performed at least quarterly and after any significant change in the network. This frequency ensures that new vulnerabilities introduced since the last scan are identified and remediated before they can be exploited. Quarterly scans are a minimum; more frequent scanning is recommended for high-risk environments.

Exam trap

The trap here is that candidates often confuse the quarterly internal scan requirement with the weekly external scan requirement (for internet-facing systems), leading them to incorrectly select 'Weekly' as the answer.

How to eliminate wrong answers

Option A is wrong because annual scans are far too infrequent to meet PCI DSS requirements, which demand a minimum of quarterly scans to keep pace with emerging vulnerabilities. Option B is wrong because monthly scans, while more frequent than required, are not the mandated minimum; PCI DSS specifically requires quarterly scans, not monthly. Option C is wrong because weekly scans are not required by PCI DSS for internal scans; the standard explicitly states quarterly as the baseline frequency, though weekly scans may be used for external scans or as a best practice.

659
MCQmedium

A system administrator receives an alert from the SIEM indicating a possible brute-force attack on a server. The logs show 100 failed logins in 2 minutes from a single source. Which of the following is the best immediate action to verify and respond?

A.Immediately disable the user account that was targeted most
B.Check firewall logs for the source IP and block it in the firewall
C.Reset all user passwords and enable multi-factor authentication
D.Ignore the alert because it is likely a false positive
AnswerB

This confirms the attack and stops it at the network perimeter.

Why this answer

Option B is correct because the immediate priority is to stop the ongoing attack by blocking the source IP at the firewall. Checking firewall logs confirms the source IP and ensures the block is applied to the correct address, preventing further authentication attempts. This aligns with the principle of containment before remediation in incident response.

Exam trap

The trap here is that candidates confuse immediate containment (blocking the source IP) with long-term remediation (resetting passwords or disabling accounts), leading them to choose a reactive user-focused action instead of a network-level control to stop the attack in progress.

How to eliminate wrong answers

Option A is wrong because disabling the targeted user account does not stop the brute-force attack; the attacker can simply target another account or continue with different usernames, and it may disrupt legitimate user access without addressing the source. Option C is wrong because resetting all passwords and enabling MFA is a long-term remediation step, not an immediate action; it is premature without first verifying the attack and containing it, and it could cause widespread disruption. Option D is wrong because ignoring the alert assumes a false positive without verification; 100 failed logins in 2 minutes from a single source is a strong indicator of a brute-force attack and requires investigation, not dismissal.
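The verification step in the scenario above (100 failed logins in 2 minutes from one source), as an added example that is not part of the original question bank: a sliding-window detector in Python run over a constructed sample log. The syslog-style line layout and the host names are assumptions; the output identifies the source address an analyst would then confirm in the firewall logs before blocking it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Matches OpenSSH-style failed-login lines prefixed with an ISO timestamp.
# The line layout is an assumption; adapt the pattern to your log source.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

Alert = Tuple[int, datetime, datetime]


def detect_bruteforce(lines: Iterable[str], threshold: int = 100,
                      window: timedelta = timedelta(minutes=2)) -> Dict[str, Alert]:
    """Sliding-window count of failed logins per source IP.

    Returns {source_ip: (failures_in_window, window_start, alert_time)} for
    every source that reaches `threshold` failures within `window`. Lines are
    expected in time order, as a SIEM would deliver them.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, Alert] = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # not a failed login, ignore
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = (len(q), q[0], ts)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample (not real data): 120 failures in two minutes from
    one source, plus five failures spread over 40 minutes from another."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} sshd[4242]: Failed password for invalid user "
                     f"admin{i % 7} from 203.0.113.7 port 51000 ssh2")
    for i in range(5):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} sshd[4243]: Failed password for alice "
                     f"from 198.51.100.2 port 51001 ssh2")
    return sorted(lines)  # ISO timestamps sort chronologically


def main() -> None:
    alerts = detect_bruteforce(build_sample_log())
    for ip, (count, start, when) in alerts.items():
        # Next step per the question: confirm this source in the firewall
        # logs before adding the block, so the rule lands on the right address.
        print(f"ALERT {ip}: {count} failed logins since {start.time()} "
              f"(triggered at {when.time()})")
    if not alerts:
        print("no brute-force pattern found")


if __name__ == "__main__":
    main()
```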

660
Multi-Selecthard

During a post-implementation review of a recent change, it is found that the change introduced a security vulnerability. What TWO actions should be taken? (Select TWO)

Select 2 answers
A.Immediately apply a patch
B.Document the findings and update processes
C.Roll back the change
D.Blame the change implementer
E.Proceed and accept the risk
AnswersB, C

Improves future change management.

Why this answer

Option B is correct because documenting findings and updating processes is a fundamental part of the change management lifecycle. It ensures that the security vulnerability is formally recorded, root causes are analyzed, and preventive measures are incorporated into future changes. This aligns with the post-implementation review (PIR) phase, where lessons learned are captured to improve security operations and administration. Option C is correct because rolling back the change removes the vulnerability from production while a corrected change is prepared and tested.

Exam trap

The trap here is that candidates often confuse the immediate operational response (rollback or patch) with the post-review documentation step, but the question specifically asks for actions during the post-implementation review, not the initial incident response.

661
Multi-Selecthard

Which THREE of the following are appropriate techniques for securely disposing of magnetic hard disk drives that contain sensitive data? (Choose three.)

Select 3 answers
A.Low-level format
B.Shredding
C.Quick format
D.Overwriting with random patterns
E.Degaussing
AnswersB, D, E

Physical destruction renders the drive unreadable.

Why this answer

Shredding (B) physically destroys the platters, making data recovery impossible regardless of the magnetic state. This is a definitive disposal method for sensitive data on magnetic hard disk drives. Overwriting with random patterns (D) replaces the stored data on every sector, and degaussing (E) destroys the magnetic domains on the platters, so both also prevent recovery.

Exam trap

The trap here is that candidates often confuse 'low-level format' or 'quick format' with secure erasure, not realizing these methods leave recoverable data on the platters.

662
Multi-Selectmedium

Which TWO of the following are characteristics of a Mandatory Access Control (MAC) system?

Select 2 answers
A.Access decisions are based on security labels.
B.Access is determined by the owner of the object.
C.It uses roles to assign permissions.
D.Users can change permissions on their own objects.
E.It is commonly used in military environments.
AnswersA, E

MAC relies on labels assigned to subjects and objects to determine access.

Why this answer

Option A is correct because Mandatory Access Control (MAC) systems use security labels (e.g., classifications like Top Secret, Secret, Confidential) attached to subjects and objects. The operating system or reference monitor enforces access decisions based on these labels and a set of rules (e.g., the Bell-LaPadula model's simple security property and *-property), not at the discretion of users or owners. This ensures that access is determined by a central policy, typically implemented via labels in systems like SELinux or Trusted Solaris.

Exam trap

The trap here is that candidates often confuse MAC with DAC or RBAC, mistakenly thinking that owners or roles can override label-based policies, when in fact MAC strictly enforces system-wide rules that neither users nor owners can modify.

663
MCQeasy

During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?

A.Preparation
B.Containment, Eradication, and Recovery
C.Detection and Analysis
D.Post-Incident Activity
AnswerD

Correct. This phase is dedicated to learning from the incident and improving future response.

Why this answer

Option D is correct because the Post-Incident Activity phase of NIST SP 800-61 is specifically designed for conducting lessons learned meetings, documenting improvements, and updating the incident response plan based on findings from the incident. This phase ensures that the organization captures feedback to refine procedures, tools, and training for future incidents.

Exam trap

The trap here is that candidates confuse the Post-Incident Activity phase with the Preparation phase, mistakenly thinking that plan updates occur before incidents, but NIST SP 800-61 explicitly places lessons learned and plan updates after the incident is resolved.

How to eliminate wrong answers

Option A is wrong because the Preparation phase focuses on establishing policies, tools, and training before an incident occurs, not on documenting updates after an incident. Option B is wrong because Containment, Eradication, and Recovery phases are operational steps to stop the incident, remove threats, and restore systems, not for retrospective documentation. Option C is wrong because Detection and Analysis involves identifying and analyzing potential incidents, not capturing lessons learned or updating plans.

664
Multi-Selecthard

Which THREE of the following are critical elements of a patch management policy? (Select THREE)

Select 3 answers
A.Patch prioritization based on CVSS score and asset criticality
B.Immediate deployment of all patches without testing
C.Annual review of patch status
D.Vulnerability scanning to identify missing patches
E.Testing patches in a staging environment
AnswersA, D, E

Prioritization ensures critical patches are applied first.

Why this answer

Option A is correct because patch prioritization based on CVSS score and asset criticality ensures that resources are allocated to the most impactful vulnerabilities first. CVSS provides a standardized severity rating (0-10), while asset criticality accounts for the business value and exposure of the system, enabling risk-based decision-making rather than a one-size-fits-all approach.

Exam trap

Cisco often tests the misconception that patch management is solely about speed (immediate deployment) or infrequent reviews, when in fact it requires a balanced, risk-based process with testing, prioritization, and continuous verification.

665
MCQmedium

A security analyst notices an unusual number of ARP replies on the network where one MAC address is claiming to be multiple IP addresses. Which type of attack is most likely occurring?

A.ARP spoofing
B.SYN flood
C.DNS poisoning
D.DHCP starvation
AnswerA

The attacker sends gratuitous ARP replies to poison the ARP cache.

Why this answer

ARP spoofing involves sending forged ARP replies to associate the attacker's MAC with the victim's IP, enabling man-in-the-middle attacks at Layer 2.

666
MCQhard

During a user offboarding process, the security team must ensure that the former employee's access is revoked immediately. However, the user's manager requests that the account remain active for a week to review files. What is the BEST practice?

A.Change the account to a service account and keep it active
B.Disable the account immediately and transfer ownership of files to the manager
C.Keep the account active but change the password and share it with the manager
D.Leave the account as-is and monitor activity for the week
AnswerB

Correct. This balances security with business needs.

Why this answer

Best practice is to disable the account immediately to prevent unauthorized access, then transfer ownership of necessary files to another user for review. Keeping the account active poses a security risk.

667
MCQmedium

A company experiences a security breach where an attacker gained access to the network through a compromised vendor account. Which of the following controls would have BEST prevented this attack?

A.Install a network-based intrusion detection system.
B.Require vendors to sign an NDA.
C.Create a separate VLAN for vendor access.
D.Enable multi-factor authentication for vendor accounts.
AnswerD

MFA makes it harder for attackers to use stolen credentials.

Why this answer

Multi-factor authentication (MFA) for vendor accounts is the best preventive control because it adds an additional layer of security beyond just a password. Even if the attacker compromises the vendor's credentials, MFA requires a second factor (e.g., a one-time code from a token or biometric) to authenticate, effectively blocking unauthorized access. This directly addresses the attack vector of credential theft, which was the root cause of the breach.

Exam trap

The trap here is that candidates often confuse network segmentation (VLANs) with access control, mistakenly believing that isolating vendor traffic on a separate VLAN prevents credential-based attacks, when in fact VLANs do not authenticate users or validate the legitimacy of the account being used.

How to eliminate wrong answers

Option A is wrong because a network-based intrusion detection system (NIDS) is a detective control that monitors traffic for suspicious patterns after the attack has begun, not a preventive control that stops initial access via compromised credentials. Option B is wrong because a non-disclosure agreement (NDA) is a legal contract that addresses confidentiality after access is granted, not a technical control that prevents unauthorized access through a compromised account. Option C is wrong because creating a separate VLAN for vendor access segments network traffic but does not prevent an attacker from using stolen credentials to authenticate into that VLAN; VLANs provide network isolation, not authentication security.

668
MCQmedium

You are a security analyst at a financial institution. The company uses a role-based access control (RBAC) system for its internal banking application. Recently, the compliance team discovered that a teller, who should only have access to customer account information for their branch, was able to view account details for customers in other branches. The RBAC system assigns roles based on job titles. You review the configuration and find that the 'Teller' role has a permission that allows viewing all customer accounts, regardless of branch. The company wants to enforce branch-level restrictions. Which of the following is the best approach to address this issue?

A.Implement attribute-based access control (ABAC) to incorporate branch location as an attribute.
B.Use mandatory access control (MAC) with labels for each customer account.
C.Create separate roles for each branch, such as 'Teller_Branch1', 'Teller_Branch2', etc.
D.Modify the 'Teller' role to remove the permission to view all accounts.
AnswerA

ABAC adds context like branch to RBAC, providing necessary restrictions.

Why this answer

Adding an attribute for branch location and using ABAC in conjunction with RBAC allows fine-grained control. Option A is correct. C would create many roles, B is not granular, and D is not relevant because removing the permission does not add a branch-level restriction.

669
Multi-Selecthard

Which TWO of the following are key indicators of a potential data exfiltration attempt?

Select 2 answers
A.Large number of failed login attempts from multiple accounts
B.Unusual outbound traffic to a known malicious IP address
C.Multiple firewall rule changes in a short period
D.Successful logins from unusual geolocations for multiple users
E.Sudden increase in database read operations by a single user account
AnswersB, E

This is a direct indicator of data being sent to an external threat actor.

Why this answer

Unusual outbound traffic to a known bad IP (B) and a sudden increase in database read operations from a single user (E) are both strong indicators of data exfiltration. Failed logins (A) and unusual geolocations (D) are more indicative of credential abuse or lateral movement, while firewall rule changes (C) could be part of normal administration or a precursor to exfiltration but are not direct indicators.

670
Multi-Selectmedium

Which THREE activities are part of the post-incident phase?

Select 3 answers
A.Lessons learned meeting
B.Conduct root cause analysis
C.Notify affected customers
D.Reimage infected computers
E.Update incident response plan
AnswersA, B, E

Post-incident review includes identifying improvements.

Why this answer

Options A, B, and E are correct. Lessons learned meetings, updating the IR plan, and conducting root cause analysis are post-incident activities. Reimaging is eradication, and notifying customers is part of response, though post-incident review may include notification timing.

671
MCQhard

A vulnerability scanner reports a medium-severity finding on a server. After investigation, the security team determines that the vulnerability is not exploitable due to existing compensating controls. How should this finding be classified in the vulnerability management process?

A.True positive
B.Risk acceptance
C.False positive
D.False negative
AnswerC

False positive indicates the scanner incorrectly identified a vulnerability.

Why this answer

A false positive occurs when a vulnerability scanner reports a finding that, upon investigation, is determined not to be a real security risk. In this case, the vulnerability is not exploitable due to compensating controls, meaning the scanner's alert was incorrect in the context of the actual environment. Therefore, the finding should be classified as a false positive, not a true vulnerability.

Exam trap

The trap here is that candidates confuse a non-exploitable vulnerability with a true positive, failing to recognize that the classification depends on actual exploitability in the current environment, not just the presence of a potential weakness.

How to eliminate wrong answers

Option A is wrong because a true positive would mean the vulnerability is actually exploitable and poses a real risk, which contradicts the investigation finding that it is not exploitable. Option B is wrong because risk acceptance is a management decision to accept the risk of a real vulnerability, not a classification for a finding that is not actually exploitable. Option D is wrong because a false negative would mean the scanner failed to report a real vulnerability, which is the opposite of this scenario where a reported finding is determined to be non-exploitable.

672
Multi-Selecthard

Which THREE of the following are characteristics of a stateful firewall?

Select 3 answers
A.Is generally slower than a stateless firewall
B.Maintains a state table of active connections
C.Can make decisions based on traffic patterns
D.Operates only at the network layer (Layer 3)
E.Performs deep packet inspection (DPI)
AnswersA, B, C

Stateful inspection requires more processing.

Why this answer

Stateful firewalls maintain a state table that tracks the state of active connections, allowing them to make decisions based on the context of traffic patterns, such as the TCP three-way handshake. This additional processing overhead generally makes them slower than stateless firewalls, which only inspect packet headers individually without connection tracking.

Exam trap

ISC2 often tests the misconception that stateful firewalls perform deep packet inspection, but DPI is a separate capability of NGFWs, while stateful firewalls focus on session-layer tracking.

673
Multi-Selecteasy

Which TWO of the following are best practices for securing a wireless network? (Choose two.)

Select 2 answers
A.Disable SSID broadcast
B.Set a short, simple pre-shared key for convenience
C.Use WEP encryption
D.Enable MAC address filtering
E.Use WPA3 encryption
AnswersA, E

Hiding SSID reduces visibility to casual scanners.

Why this answer

Disabling SSID broadcast prevents the access point from including the network name in beacon frames, making the network less visible to casual scanning tools. However, it is not a security measure because the SSID is still transmitted in probe requests and responses, and can be easily discovered using packet capture tools like Wireshark or airodump-ng. It is considered a best practice only as a minor obscurity layer, not a replacement for strong encryption.

Exam trap

ISC2 often tests the misconception that disabling SSID broadcast is a strong security measure, when in reality it is only a minor obscurity technique that does not prevent determined attackers from discovering the network.

674
Multi-Selectmedium

Which TWO of the following are key components of a Business Impact Analysis (BIA)?

Select 2 answers
A.Recovery time objective.
B.Vulnerability assessment.
C.Criticality analysis.
D.Likelihood estimation.
E.Threat modeling.
AnswersA, C

RTO specifies the maximum acceptable downtime for a process.

Why this answer

A Recovery Time Objective (RTO) is a key component of a Business Impact Analysis (BIA) because it defines the maximum acceptable downtime for a business process or system after a disruption. The BIA identifies critical functions and their dependencies, and RTO is derived from the financial and operational impact of downtime, directly informing recovery strategy and resource allocation.

Exam trap

ISC2 often tests the distinction between BIA components (RTO, criticality analysis) and risk assessment components (vulnerability assessment, likelihood, threat modeling), causing candidates to conflate impact analysis with risk analysis.

675
MCQhard

A security engineer is designing a system that must ensure data integrity at all costs, even if it means sacrificing availability. Which access control model and corresponding principle should be applied?

A.Bell-LaPadula with no read-down
B.Biba with no read-up
C.Biba with no write-up and no read-down
D.Bell-LaPadula with no write-up
AnswerC

Biba enforces no write-up (to protect higher integrity) and no read-down (to prevent corruption). This prioritizes integrity over availability.

Why this answer

Biba is a MAC model that focuses on integrity, preventing subjects from writing to higher integrity levels (no write-up) and preventing subjects from reading lower integrity levels (no read-down). This can impact availability.
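The label rules of both models, as discussed for questions 654, 662 and 675, as an added example that is not part of the original question bank: a Python reference-monitor check that applies Bell-LaPadula (no read up, no write down) and Biba (no read down, no write up) to a subject and object label. The label names are assumptions.

```python
from enum import IntEnum


class Clearance(IntEnum):
    """Confidentiality labels for Bell-LaPadula (higher = more sensitive)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Integrity(IntEnum):
    """Integrity labels for Biba (higher = more trustworthy)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Bell-LaPadula protects confidentiality.
def blp_can_read(subject: Clearance, obj: Clearance) -> bool:
    """Simple security property: no read up."""
    return obj <= subject


def blp_can_write(subject: Clearance, obj: Clearance) -> bool:
    """*-property: no write down."""
    return obj >= subject


# Biba protects integrity; its rules mirror Bell-LaPadula's.
def biba_can_read(subject: Integrity, obj: Integrity) -> bool:
    """Simple integrity axiom: no read down."""
    return obj >= subject


def biba_can_write(subject: Integrity, obj: Integrity) -> bool:
    """*-integrity axiom: no write up."""
    return obj <= subject


def reference_monitor(model: str, op: str, subject, obj) -> bool:
    """Mandatory decision: the labels decide, never the object's owner."""
    table = {
        ("blp", "read"): blp_can_read, ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read, ("biba", "write"): biba_can_write,
    }
    return table[(model, op)](subject, obj)


def main() -> None:
    s = Clearance.SECRET
    for label in Clearance:
        print(f"BLP  SECRET subject vs {label.name:12} object: "
              f"read={blp_can_read(s, label)!s:5} write={blp_can_write(s, label)}")
    m = Integrity.MEDIUM
    for label in Integrity:
        print(f"Biba MEDIUM subject vs {label.name:12} object: "
              f"read={biba_can_read(m, label)!s:5} write={biba_can_write(m, label)}")


if __name__ == "__main__":
    main()
```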
