CCNA Risk Identification, Monitoring and Analysis Questions

75 of 78 questions · Page 1/2 · Risk Identification, Monitoring and Analysis · Answers revealed

1 · MCQ · hard

An organization has implemented a SIEM solution and wants to reduce false positives. Which of the following is the most effective approach?

A.Tune correlation rules to exclude known benign activities
B.Increase the number of log sources feeding the SIEM
C.Raise the threshold for each correlation rule to reduce alerts
D.Assign more analysts to manually review all alerts
Answer: A

Tuning allows the SIEM to ignore patterns that are known to be non-malicious.

Why this answer

Option A is correct because tuning correlation rules against known false-positive patterns removes the noise at its source while leaving real detections intact. Option B is wrong because adding log sources increases volume and usually introduces more noise, not less. Option C is wrong because raising thresholds blindly lowers alert volume by suppressing true positives along with the noise; it does not distinguish benign from malicious activity.

Option D is wrong because manually reviewing every alert is inefficient and does nothing to reduce the false positives themselves.

2 · Multi-Select · hard

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select three.)

Select 3 answers
A.Risk retention
B.Risk elimination
C.Risk duplication
D.Risk reduction
E.Risk transfer
Answers: A, D, E

Formal acceptance of residual risk.

Why this answer

Risk retention (A) is a valid risk treatment option under ISO 31000 because it involves accepting the current level of risk, often when the cost of mitigation exceeds the potential impact or when the risk is within the organization's risk appetite. This is a deliberate decision to bear the risk, typically documented in a risk register and monitored for changes.

Exam trap

ISC2 often tests the distinction between ISO 31000's formal terminology and common business jargon, so candidates mistakenly select 'risk elimination' instead of 'risk avoidance' or confuse 'risk duplication' with 'risk transfer' or 'redundancy' as a control measure.

3 · MCQ · medium

During a quarterly risk review, a hospital's security team identifies that legacy medical devices cannot be patched and run outdated operating systems. Which risk treatment strategy is most appropriate for these devices?

A.Remediate by applying vendor patches
B.Implement compensating controls such as network segmentation and strict access control
C.Retire and replace all devices immediately
D.Transfer the risk by purchasing cyber insurance
Answer: B

Compensating controls mitigate the risk without changing the device itself.

Why this answer

Since the legacy medical devices cannot be patched due to vendor obsolescence, the most appropriate risk treatment strategy is to implement compensating controls. Network segmentation (e.g., VLANs or firewalls) isolates the devices from the main hospital network, while strict access control (e.g., 802.1X or MAC-based filtering) limits exposure to threats. This reduces the likelihood of exploitation without relying on patching the outdated operating systems.

Exam trap

ISC2 often tests the misconception that 'remediate' always means patching, but for legacy systems where patching is impossible, compensating controls are the correct risk treatment strategy, not immediate replacement or insurance.

How to eliminate wrong answers

Option A is wrong because applying vendor patches is not feasible for legacy devices that are no longer supported or have no available patches, making remediation impossible. Option C is wrong because retiring and replacing all devices immediately is often impractical due to cost, downtime, and regulatory approval processes, and is not the most appropriate first step in risk treatment. Option D is wrong because transferring risk via cyber insurance does not reduce the actual vulnerability or likelihood of exploitation; it only provides financial compensation after an incident, which is insufficient for protecting patient safety and data.

4 · MCQ · medium

An organization wants to identify risks related to a new cloud-based customer relationship management (CRM) system. Which approach would best identify threats and vulnerabilities specific to this system?

A.Run a vulnerability scan on the CRM
B.Execute a business impact analysis (BIA)
C.Perform a threat modeling exercise such as STRIDE
D.Conduct a qualitative risk assessment using a generic framework
Answer: C

Threat modeling is tailored to the system's architecture and identifies relevant threats.

Why this answer

Threat modeling with STRIDE is the best approach because it systematically identifies threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) specific to the CRM's architecture, data flows, and trust boundaries. Unlike generic scans or assessments, STRIDE focuses on the unique attack surface of a cloud-based system, such as API endpoints, multi-tenancy risks, and shared responsibility model gaps.

Exam trap

The trap here is that candidates confuse vulnerability scanning (Option A) with threat modeling, assuming that scanning for known flaws is sufficient, when in fact threat modeling is required to identify design-level and cloud-specific threats that scanners cannot detect.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan only identifies known software flaws (e.g., CVEs) but does not uncover design-level threats, business logic flaws, or cloud-specific risks like misconfigured IAM roles or insecure API endpoints. Option B is wrong because a business impact analysis (BIA) prioritizes criticality and recovery objectives (RTO/RPO) but does not identify threats or vulnerabilities; it assumes risks are already known. Option D is wrong because a qualitative risk assessment using a generic framework lacks the structured, system-specific decomposition needed to uncover threats unique to the CRM's cloud architecture, such as tenant isolation failures or data leakage via shared storage.

5 · MCQ · medium

Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?

A.Insider threat from user root
B.Active brute-force attack against the SSH service
C.Malware infection on the server
D.Misconfigured SSH settings allowing root login
Answer: B

Multiple failed attempts in quick succession indicate a brute-force attempt.

Why this answer

The log pattern shows repeated failed SSH authentication attempts from multiple IP addresses in rapid succession, followed by a successful login from one of those IPs. This is the classic signature of a brute-force attack where an attacker tries many passwords until one works, indicating an active compromise of the SSH service.

Exam trap

ISC2 often tests the distinction between a vulnerability (e.g., misconfigured SSH allowing root login) and an active threat (the brute-force attack succeeding), where candidates mistakenly choose the root cause instead of the immediate risk.

How to eliminate wrong answers

Option A is wrong because the logs show external IP addresses (not internal) performing the attacks, and the successful login is from an external source, not a trusted insider using the root account. Option C is wrong because the logs only show authentication events (SSH login attempts) with no indicators of malware such as unusual process execution, file modifications, or outbound connections to known malicious domains. Option D is wrong because while root login is allowed, the immediate risk is the active brute-force attack succeeding, not a misconfiguration; the misconfiguration (if any) is a contributing factor, not the immediate risk.

6 · MCQ · hard

You are the security analyst for a mid-sized e-commerce company that processes credit card payments. The company uses a legacy payment application on a Windows Server 2012 R2 system, which is scheduled for decommission in six months. The server is isolated in a separate VLAN with strict firewall rules allowing only outbound HTTPS to the payment processor and inbound management from a jump box on a different subnet. During a routine vulnerability scan, you discover that the server is missing over 50 critical patches, including one for a remote code execution vulnerability (CVE-2023-XXXX) that is being actively exploited in the wild. The server cannot be patched because the vendor stopped support and patches are not available. The company's risk appetite is low due to PCI DSS requirements. You need to recommend a course of action that balances risk reduction with business continuity. What should you do?

A.Implement additional compensating controls such as an application-layer firewall, disable all unnecessary services, restrict outbound traffic to only the payment processor IP, enable detailed logging, and accelerate the migration
B.Immediately decommission the server and migrate to the new payment system, accepting a temporary outage
C.Apply the vendor's hotfix from an unofficial source to patch the vulnerability
D.Accept the risk and purchase additional cyber insurance to cover potential losses
Answer: A

Compensating controls reduce risk while allowing continued operation until decommission.

Why this answer

Option A is correct because it layers compensating controls around the unpatchable remote code execution flaw while keeping payment processing running. An application-layer firewall (e.g., a WAF or host-based IPS) in front of the service, disabling unnecessary services to shrink the attack surface, strict egress ACLs limited to the payment processor's IP, and detailed logging for monitoring together reduce both the likelihood of exploitation and the blast radius if it happens; accelerating the migration shortens the exposure window. Documented this way, the controls serve as PCI DSS compensating controls for the patching requirement the server cannot meet (Requirement 6.2) and support change detection (Requirement 11.5), without causing an outage. This layered defense holds the risk down until the legacy server is decommissioned in six months.

Exam trap

The trap here is that candidates may choose Option B (immediate decommission) thinking it eliminates risk, but they overlook the business continuity requirement and the fact that PCI DSS allows compensating controls for legacy systems with a documented migration plan.

How to eliminate wrong answers

Option B is wrong because an unplanned decommission would take payment processing offline; the scenario explicitly requires balancing risk reduction with business continuity, and PCI DSS permits documented compensating controls for systems that cannot be patched, so an outage is not needed to remain compliant. Option C is wrong because a hotfix from an unofficial source cannot be verified as authentic or complete and may itself carry malware or destabilize the system; PCI DSS expects security patches to come from the vendor, and an unsupported binary could also void any remaining support or insurance coverage. Option D is wrong because accepting the risk and buying insurance does not address the active exploitation of CVE-2023-XXXX; insurance only compensates financial loss after a breach and does nothing to protect cardholder data now.

7 · MCQ · hard

A company's risk management policy states that all risks with a residual risk score of 8 or higher (on a scale of 1-10) must be treated. A risk is identified with an inherent risk score of 9, and after applying controls, the residual risk score is 7. What is the appropriate action?

A.Formally accept the residual risk
B.Apply additional controls to reduce the risk further
C.Purchase cyber insurance to transfer the risk
D.Reassess the inherent risk score
Answer: A

Since residual risk is 7 (<8), it can be accepted.

Why this answer

Option A is correct because the residual risk score of 7 is below the treatment threshold of 8, so the policy permits formal acceptance; the acceptance should still be signed off by the risk owner and the risk kept in the register for monitoring. Option B is wrong because the policy does not require further treatment once residual risk is under the threshold. Option C is wrong because transferring a risk that is already acceptable spends money without a policy reason.

Option D is wrong because the inherent score is not in question; residual risk already reflects the controls applied, and reassessing the inherent score would not change the decision.

8 · MCQ · medium

A security team is implementing a risk treatment plan for a high-risk vulnerability. The cost to fix the vulnerability is $100,000, but the expected loss if exploited is $1,000,000. The annual likelihood of exploitation is 2%. Which risk treatment strategy is most appropriate?

A.Avoid the risk by decommissioning the asset
B.Remediate the vulnerability immediately
C.Accept the risk and monitor for changes
D.Transfer the risk by purchasing cyber insurance
Answer: C

Expected loss is lower than remediation cost.

Why this answer

The annualized loss expectancy (ALE) is $20,000 (2% × $1,000,000), which is less than the $100,000 remediation cost. Since the cost to fix exceeds the expected loss, accepting the risk and monitoring for changes is the most cost-effective strategy. This aligns with the risk management principle that treatment should be proportional to the risk exposure.

Exam trap

ISC2 often tests the misconception that any high-severity vulnerability must be immediately remediated, ignoring the quantitative cost-benefit analysis that shows accepting risk can be the most appropriate strategy when the annualized loss is lower than the fix cost.

How to eliminate wrong answers

Option A is wrong because decommissioning the asset would eliminate all business value from it, which is an extreme measure not justified when the annual expected loss ($20,000) is far lower than the remediation cost ($100,000). Option B is wrong because immediate remediation would cost $100,000 to prevent a $20,000 annual expected loss, violating the cost-benefit principle of risk management. Option D is wrong because transferring the risk via cyber insurance would still involve premiums and deductibles that likely exceed the $20,000 ALE, and insurance does not reduce the technical vulnerability itself.

9 · Multi-Select · easy

Which THREE of the following are common methods to identify risks in an organization?

Select 3 answers
A.Brainstorming.
B.Hash verification.
C.Fault tree analysis.
D.Delphi technique.
E.SWOT analysis.
Answers: A, D, E

Structured brainstorming sessions are a common qualitative risk identification technique.

Why this answer

Brainstorming is a common method for risk identification because it leverages group creativity to surface potential threats, vulnerabilities, and impacts that might not be captured by automated tools. In an organizational context, structured brainstorming sessions (e.g., using nominal group technique) help elicit a wide range of risks from diverse stakeholders, ensuring coverage across technical, operational, and strategic domains.

Exam trap

ISC2 often tests the distinction between risk identification methods (qualitative, human-driven) and risk analysis or control techniques (quantitative, automated), so candidates may incorrectly select hash verification or fault tree analysis because they sound technical or security-related, but they are not used for identifying new risks in an organizational context.

10 · MCQ · hard

Based on the exhibit, what is the most critical observation?

A.A root user is opening RDP to the world.
B.A user is modifying a security group.
C.The event is from EC2 service.
D.The source IP is internal.
Answer: A

Root access combined with an open RDP rule to 0.0.0.0/0 poses a severe security risk.

Why this answer

The most critical observation is that a root user is opening RDP (TCP/3389) to the world (0.0.0.0/0). This creates an extreme security risk because it exposes the administrative interface to the entire internet, allowing any attacker to attempt brute-force or exploit RDP vulnerabilities. In AWS CloudTrail, this event indicates a direct violation of the principle of least privilege and is a common vector for compromise.

Exam trap

The trap here is that candidates focus on the user or service name (e.g., 'root user' or 'EC2') rather than the actual security impact of opening RDP to the world, which is the most critical observation in this scenario.

How to eliminate wrong answers

Option B is wrong because modifying a security group is a normal administrative action and not inherently critical; the risk depends on what is being modified (e.g., opening RDP to the world). Option C is wrong because the event originating from the EC2 service is irrelevant; the criticality is determined by the action (root user opening RDP to the world), not the source service. Option D is wrong because the source IP being internal is not the critical observation; the critical issue is the destination (0.0.0.0/0) and the user (root), not the source address.
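The exhibit for this question is not reproduced here, so the following is an added example (not part of the original page) of the detection logic an analyst would run over CloudTrail to surface exactly this observation: an AuthorizeSecurityGroupIngress call that opens an administrative port to 0.0.0.0/0, escalated when the caller is the root user. The records are constructed to mirror the CloudTrail field layout for this event; the account ID, security-group IDs and IP addresses are hypothetical.

```python
"""Flag CloudTrail security-group changes that open an administrative port to the world.

Added example for question 10; not from the original page. The records below are
constructed to mirror the CloudTrail shape for AuthorizeSecurityGroupIngress, with
hypothetical account, security-group and address values.
"""
import json

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _record(identity_type, arn, group_id, proto, from_port, to_port, cidr, src_ip):
    """Build one constructed CloudTrail record containing only the fields the rule reads."""
    return {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": identity_type, "arn": arn},
        "sourceIPAddress": src_ip,
        "requestParameters": {
            "groupId": group_id,
            "ipPermissions": {"items": [{
                "ipProtocol": proto, "fromPort": from_port, "toPort": to_port,
                "ipRanges": {"items": [{"cidrIp": cidr}]},
            }]},
        },
    }


# Constructed trail: one critical change, one scoped admin rule, one world-open web port.
SAMPLE_TRAIL = json.dumps({"Records": [
    # root account opens RDP to the entire internet, called from an internal address
    _record("Root", "arn:aws:iam::123456789012:root", "sg-0a1b2c3d4e5f60718",
            "tcp", 3389, 3389, "0.0.0.0/0", "10.20.30.40"),
    # an IAM user opens SSH, but only to the corporate range
    _record("IAMUser", "arn:aws:iam::123456789012:user/ops-admin", "sg-0a1b2c3d4e5f60718",
            "tcp", 22, 22, "10.0.0.0/8", "10.20.30.41"),
    # HTTPS to the world is expected for a public web tier; not an admin port
    _record("IAMUser", "arn:aws:iam::123456789012:user/web-deploy", "sg-0f0e0d0c0b0a09080",
            "tcp", 443, 443, "0.0.0.0/0", "10.20.30.42"),
]})


def _cidrs(perm):
    """All IPv4 and IPv6 CIDRs granted by one ipPermissions entry."""
    v4 = perm.get("ipRanges", {}).get("items", [])
    v6 = perm.get("ipv6Ranges", {}).get("items", [])
    return {r.get("cidrIp") for r in v4} | {r.get("cidrIpv6") for r in v6}


def _covers(perm, port):
    """True if the permission reaches `port`: protocol -1 means all traffic."""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", -1) <= port <= perm.get("toPort", -1)


def world_open_admin_rules(trail_json):
    """Return findings for ingress rules that expose SSH or RDP to 0.0.0.0/0 or ::/0.

    Severity is 'critical' when the root user made the change, 'high' otherwise;
    the source IP is recorded for context but does not affect severity.
    """
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            if not (_cidrs(perm) & WORLD_CIDRS):
                continue
            for port, service in ADMIN_PORTS.items():
                if _covers(perm, port):
                    identity = rec.get("userIdentity", {})
                    findings.append({
                        "severity": "critical" if identity.get("type") == "Root" else "high",
                        "principal": identity.get("arn"),
                        "group": params.get("groupId"),
                        "service": service,
                        "port": port,
                        "source_ip": rec.get("sourceIPAddress"),
                    })
    return findings


if __name__ == "__main__":
    for f in world_open_admin_rules(SAMPLE_TRAIL):
        print(f)
```

Only the first record is flagged: the second is scoped to an internal range and the third opens a non-administrative port. Note that the source IP being internal (Option D) plays no part in the verdict, which mirrors the reasoning above.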

11 · MCQ · hard

You are a security consultant for a hospital that is deploying a new IoT medical device system. The devices wirelessly transmit patient vital signs to a central server. The hospital is subject to HIPAA. The devices were developed by a startup and are not widely field-tested. The IT department wants to connect the devices to the existing network for real-time monitoring. The risk management team has identified potential threats including data interception, device tampering, and denial of service. They have no prior experience with IoT security. Which of the following risk treatment strategies is MOST appropriate given the high uncertainty?

A.Accept the risk because the devices improve patient care
B.Transfer the risk by purchasing cyber insurance
C.Avoid the risk by delaying deployment until a thorough risk assessment and independent security testing are completed
D.Mitigate the risk by segmenting the devices on a separate VLAN and encrypting all communications
Answer: C

Avoidance is justified when risks are not well understood and potential impact is high.

Why this answer

Option C is correct because the high uncertainty surrounding the startup's untested IoT devices, combined with the criticality of patient safety and HIPAA compliance, makes avoidance the most prudent strategy. Delaying deployment allows for a thorough risk assessment and independent security testing to identify vulnerabilities before exposing the hospital network to potential data interception, device tampering, or denial-of-service attacks. This approach directly addresses the risk management team's lack of IoT security experience by preventing exposure until the threat landscape is better understood.

Exam trap

The trap here is that candidates often choose mitigation (Option D) because it seems proactive and technically sound, but they overlook the principle that mitigation is only appropriate when the risk is well-understood and the controls are proven effective—neither of which applies to untested IoT devices with unknown vulnerabilities.

How to eliminate wrong answers

Option A is wrong because accepting risk without understanding the specific vulnerabilities of untested IoT devices could lead to HIPAA violations and patient harm, as the devices transmit protected health information (PHI) over wireless links susceptible to interception. Option B is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of a security incident; it also does not address the immediate technical threats like device tampering or denial of service that could disrupt patient monitoring. Option D is wrong because while VLAN segmentation and encryption (e.g., using TLS 1.3 or IPsec) are valid mitigation techniques, they are insufficient when the devices themselves may have undisclosed backdoors, weak cryptographic implementations, or unpatched firmware flaws that could be exploited despite network controls.

12 · MCQ · hard

An analyst detects outbound traffic from a workstation to a known malicious IP address. The workstation is a developer machine with local admin rights. Which containment action should be taken first?

A.Block the malicious IP on the firewall
B.Isolate the workstation from the network
C.Shut down the workstation immediately
D.Disable the user's domain account
Answer: B

Stops all malicious outbound traffic and lateral movement.

Why this answer

The first step is to isolate the workstation from the network, which cuts the command-and-control channel and prevents lateral movement while preserving the running system for investigation. Option B is correct. Option A (blocking only the IP) is insufficient if the malware falls back to other addresses or domains.

Option D (disabling the account) does not stop traffic the malware is already generating. Option C (shutting down) destroys volatile evidence such as memory-resident malware and active network connections.

13 · MCQ · hard

Based on the exhibit, what is the most appropriate immediate action?

A.Schedule patching during the next change window in 30 days
B.Apply the vendor patch to the host as soon as possible
C.Run another vulnerability scan to confirm the finding
D.Ignore the vulnerability because it's a false positive
Answer: B

Immediate action needed to mitigate critical RCE vulnerability on critical system.

Why this answer

The exhibit shows a critical remote code execution vulnerability with a CVSS score of 9.8, which poses an immediate threat to the host. Applying the vendor patch as soon as possible is the most appropriate action because it directly eliminates the risk without delay, aligning with the principle of timely remediation for high-severity vulnerabilities.

Exam trap

The trap here is that candidates may choose to rescan or delay patching due to change management policies, failing to recognize that critical remote code execution vulnerabilities require immediate out-of-cycle patching to prevent imminent compromise.

How to eliminate wrong answers

Option A is wrong because scheduling patching in 30 days for a critical remote code execution vulnerability (CVSS 9.8) leaves the host exposed to active exploitation, which violates the immediate response required for such high-risk findings. Option C is wrong because running another vulnerability scan would only reconfirm the already validated finding, wasting time that could be used for remediation; the scan result is assumed accurate based on the exhibit. Option D is wrong because ignoring the vulnerability as a false positive is dangerous given the critical severity and known exploitability of the CVE; false positives are rare for such well-documented remote code execution vulnerabilities.

14 · MCQ · hard

An organization uses a SIEM to correlate events. The SIEM receives Windows Security Event ID 4625 (failed login) and 4776 (credential validation). An analyst wants to detect a brute-force attack against a service account. Which correlation rule is most effective?

A.Alert on more than 10 failed logins from a single IP in 5 minutes
B.Alert on successful logins after multiple failures
C.Alert on multiple failed logins for the same account from different source IPs in 10 minutes
D.Alert on any Event ID 4625 or 4776 with severity high
Answer: C

Detects distributed brute force against a single account.

Why this answer

Option C is correct because a brute-force attack against a service account typically involves multiple failed login attempts from different source IPs, as attackers often distribute their attempts to evade IP-based blocking. Correlating Event ID 4625 (failed login) and 4776 (credential validation) across multiple source IPs for the same account within a short time window (e.g., 10 minutes) directly identifies this distributed brute-force pattern, which a single-IP threshold would miss.

Exam trap

The trap here is that candidates often fixate on a single IP threshold (Option A) because it seems intuitive, but the SSCP exam tests the understanding that modern brute-force attacks distribute across many IPs, making account-based correlation across source IPs the correct detection method.

How to eliminate wrong answers

Option A is wrong because alerting on more than 10 failed logins from a single IP in 5 minutes is too narrow; attackers can easily rotate IPs (e.g., using a botnet or proxy chain) to stay under the threshold, missing distributed brute-force attacks. Option B is wrong because alerting on successful logins after multiple failures is a post-compromise indicator, not a detection of the brute-force attempt itself; it may also generate false positives from legitimate password resets or user errors. Option D is wrong because setting severity high on every Event ID 4625 or 4776 would overwhelm analysts with noise from routine failed logins (e.g., mistyped passwords, expired credentials) and lacks the correlation needed to distinguish a brute-force attack from normal activity.
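To make the difference between Options A and C concrete, here is an added example (not from the original page) that runs both correlation rules over a constructed set of Event ID 4625 records: a password-spray style attack against one service account spread across six source addresses, plus a user who mistypes her own password. The event field names are simplified from what a SIEM normalizes out of 4625 (TargetUserName and IpAddress); timestamps, account names and addresses are constructed.

```python
"""Two SIEM correlation rules for Windows 4625 failed logons, run over constructed events.

Added example for question 14; not part of the original page. Times, accounts and
addresses are constructed; "account" and "src_ip" stand in for the TargetUserName
and IpAddress fields of Event ID 4625.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 3, 1, 2, 0, 0, tzinfo=timezone.utc)
ATTACKER_IPS = ["203.0.113.10", "198.51.100.22", "203.0.113.77",
                "192.0.2.15", "198.51.100.9", "192.0.2.200"]

# svc_backup: 12 failures over ~8 minutes, rotated across 6 source IPs (2 per IP)
SAMPLE_EVENTS = [
    {"time": (BASE + timedelta(seconds=40 * i)).isoformat(), "event_id": 4625,
     "account": "svc_backup", "src_ip": ATTACKER_IPS[i % len(ATTACKER_IPS)]}
    for i in range(12)
] + [
    # alice mistypes her password three times from her own workstation
    {"time": (BASE + timedelta(minutes=1, seconds=15 * i)).isoformat(), "event_id": 4625,
     "account": "alice", "src_ip": "10.1.1.20"}
    for i in range(3)
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def single_ip_rule(events, threshold=10, window=timedelta(minutes=5)):
    """Option A: alert on more than `threshold` failures from one source IP inside `window`.

    Returns the set of source IPs that tripped the rule.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["src_ip"]].append(_parse(e["time"]))
    alerts = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts.add(ip)
    return alerts


def distributed_account_rule(events, min_ips=5, window=timedelta(minutes=10)):
    """Option C: alert when one account fails from at least `min_ips` distinct IPs inside `window`.

    Returns {account: max distinct source IPs seen in any window}.
    """
    by_acct = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_acct[e["account"].lower()].append((_parse(e["time"]), e["src_ip"]))
    alerts = {}
    for acct, items in by_acct.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            distinct = {ip for _, ip in items[lo:hi + 1]}
            if len(distinct) >= min_ips:
                alerts[acct] = max(len(distinct), alerts.get(acct, 0))
    return alerts


if __name__ == "__main__":
    print("single-IP rule:", single_ip_rule(SAMPLE_EVENTS))                 # empty
    print("per-account rule:", distributed_account_rule(SAMPLE_EVENTS))     # svc_backup
```

The per-IP rule never fires because no address exceeds ten attempts, while the per-account rule flags svc_backup with six distinct sources. Lowering the per-IP threshold to rescue Option A does not help: at a threshold of one it flags every attacker address but also alice's workstation, which is the noise problem described for Option D.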

15 · MCQ · hard

During a risk assessment, a team identifies that the annualized loss expectancy (ALE) for a critical asset is $50,000. A proposed control costs $15,000 per year and will reduce the annualized rate of occurrence (ARO) from 5 to 1. The single loss expectancy (SLE) is unchanged at $10,000. What is the net benefit of implementing the control?

A.$40,000
B.$10,000
C.$35,000
D.$25,000
Answer: D

ALE reduction minus control cost equals net benefit.

Why this answer

The current ALE is $50,000 (ARO of 5 × SLE of $10,000). With the control, ARO drops to 1, so the new ALE is $10,000 (1 × $10,000). The reduction in ALE is $40,000.

Subtracting the annual control cost of $15,000 gives a net benefit of $25,000. This aligns with the formula: Net Benefit = (Old ALE – New ALE) – Annual Control Cost.

Exam trap

The trap here is that candidates often forget to subtract the annual control cost from the risk reduction (ALE reduction), mistakenly selecting the risk reduction amount ($40,000) as the net benefit.

How to eliminate wrong answers

Option A is wrong because $40,000 is the reduction in ALE (the risk reduction), not the net benefit after subtracting the $15,000 annual control cost. Option B is wrong because $10,000 is the new ALE after the control, not the net benefit. Option C is wrong because $35,000 would result from incorrectly subtracting the control cost from the old ALE ($50,000 – $15,000) without accounting for the reduced ALE.
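Questions 8 and 15 both turn on the same quantitative comparison, so here is one added example (not from the original page) that carries the SLE/ARO/ALE arithmetic through as a reusable decision helper and reproduces both questions' figures. It also compares two candidate controls for the question 15 scenario, the second of which is hypothetical, to show that the control with the larger risk reduction is not automatically the better buy.

```python
"""Cost-benefit evaluation of risk treatments using SLE, ARO and ALE.

Added worked example for questions 8 and 15 above; not from the original page.
The figures are those given in the questions; the second control in the
question 15 comparison is hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                        # annual cost of the control (question 8 compares a one-off fix cost against one year's ALE, as the question does)
    aro_after: float                   # annualized rate of occurrence with the control in place
    sle_after: Optional[float] = None  # new single loss if the control reduces impact; None = unchanged


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate of occurrence."""
    return sle * aro


def risk_reduction(sle: float, aro: float, control: Control) -> float:
    """Old ALE minus new ALE; also the break-even price for the control."""
    sle_after = control.sle_after if control.sle_after is not None else sle
    return ale(sle, aro) - ale(sle_after, control.aro_after)


def net_benefit(sle: float, aro: float, control: Control) -> float:
    """(Old ALE - New ALE) - control cost. Negative means the control costs more than it saves."""
    return risk_reduction(sle, aro, control) - control.cost


def recommend(sle: float, aro: float, controls: list) -> tuple:
    """Choose the control with the highest positive net benefit, or 'accept' when none pays for itself."""
    best_name, best_value = "accept", 0.0
    for c in controls:
        value = net_benefit(sle, aro, c)
        if value > best_value:
            best_name, best_value = c.name, value
    return best_name, best_value


# Question 8: ALE 2% x $1,000,000 = $20,000 versus a $100,000 fix that removes the risk
Q8_CONTROL = Control("remediate", cost=100_000, aro_after=0)

# Question 15: SLE $10,000, ARO 5 -> 1 for $15,000 a year
Q15_CONTROL = Control("control", cost=15_000, aro_after=1)
# Hypothetical alternative: eliminates the risk entirely but costs twice as much
Q15_ALTERNATIVE = Control("eliminate (hypothetical)", cost=30_000, aro_after=0)


if __name__ == "__main__":
    print("Q8 ALE:", ale(1_000_000, 0.02), "recommend:", recommend(1_000_000, 0.02, [Q8_CONTROL]))
    print("Q15 net benefit:", net_benefit(10_000, 5, Q15_CONTROL))
    print("Q15 choice:", recommend(10_000, 5, [Q15_CONTROL, Q15_ALTERNATIVE]))
```

For question 8 the fix yields a net benefit of -$80,000, so the helper recommends acceptance; for question 15 it reproduces the $25,000 net benefit and prefers the $15,000 control over the hypothetical $30,000 one, whose larger reduction ($50,000) nets only $20,000.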

16 · MCQ · medium

A company's log management solution is overwhelmed by high-volume logs from network devices, causing storage and analysis delays. Which strategy would best improve the efficiency of the log management process?

A.Increase the storage capacity of the log server
B.Increase the frequency of log analysis cycles
C.Implement log filtering and prioritization rules
D.Reduce the number of devices sending logs
Answer: C

Filtering reduces volume and focuses on important events.

Why this answer

Implementing log filtering and prioritization rules (Option C) directly addresses the root cause of the problem by reducing the volume of irrelevant or low-priority logs before they are stored or analyzed. This improves both storage efficiency and analysis speed, as the log management system processes only meaningful events, such as those matching security or performance thresholds, rather than being overwhelmed by high-frequency noise like repeated informational syslog messages.

Exam trap

ISC2 often tests the misconception that adding more resources (storage or processing frequency) is the solution to data overload, when in fact the correct approach is to reduce the data volume through intelligent filtering and prioritization.

How to eliminate wrong answers

Option A is wrong because simply increasing storage capacity does not solve the analysis delay; it only postpones the storage issue while the system continues to process and store the same high volume of logs, potentially worsening performance. Option B is wrong because increasing the frequency of log analysis cycles would further strain the already overwhelmed system, leading to greater delays and resource contention, not efficiency. Option D is wrong because reducing the number of devices sending logs is a drastic measure that compromises network visibility and security monitoring, and it does not address the underlying problem of inefficient log handling from the remaining devices.

17 · MCQ · easy

A security analyst is reviewing vulnerability scan results and finds a critical vulnerability on a web server. The patch is available but requires a reboot. What should the analyst do first?

A.Apply the patch immediately to reduce risk
B.Assess the exploitability and impact to determine remediation priority
C.Re-scan the server to confirm the vulnerability
D.Ignore the vulnerability because the patch is available
Answer: B

Risk assessment ensures proper prioritization.

Why this answer

Option B is correct because the first step in vulnerability management is to assess the exploitability and business impact of the vulnerability before taking action. Even though a patch is available, the analyst must determine if the vulnerability is actively exploitable in the current environment and what the potential impact would be, as a reboot may cause service disruption. This aligns with the risk-based prioritization approach required by frameworks like NIST SP 800-40 and the SSCP's focus on balancing security with operational continuity.

Exam trap

ISC2 often tests the misconception that a critical vulnerability must be patched immediately regardless of operational impact, tempting candidates to choose 'apply the patch immediately' without considering the risk assessment and change management steps required by the SSCP's risk identification domain.

How to eliminate wrong answers

Option A is wrong because applying the patch immediately without assessing impact could cause unnecessary downtime or break dependencies, especially if the web server hosts critical applications; patching should follow a change management process. Option C is wrong because re-scanning to confirm the vulnerability is redundant—the scan already identified it, and the priority is to evaluate risk, not re-validate the scanner's findings. Option D is wrong because ignoring a critical vulnerability simply because a patch exists is negligent; the patch's availability is a reason to act, not to ignore, but action must be prioritized based on risk.

18 · Multi-Select · easy

Which TWO of the following are key components of the risk identification process?

Select 2 answers
A.Identifying assets and their value
B.Prioritizing risks based on impact
C.Selecting risk treatment options
D.Identifying threats and vulnerabilities
E.Calculating the annualized loss expectancy
Answers: A, D

Assets are the foundation for understanding what is at risk.

Why this answer

Option A is correct because identifying assets and their value is a foundational step in the risk identification process. Without knowing what assets exist and their relative importance, you cannot determine which threats and vulnerabilities pose the greatest risk. This step ensures that risk assessment efforts are focused on the most critical resources.

Exam trap

ISC2 often tests the distinction between risk identification and risk analysis, so candidates mistakenly select options like prioritizing risks (B) or calculating ALE (E) as part of identification, when they actually belong to later stages of the risk management process.

19 · MCQ · easy

You are the security analyst at a mid-sized retail company with 500 employees. The company recently experienced a ransomware attack that encrypted files on a file server. The infection was traced to a phishing email opened by an employee in accounting. The company has antivirus software, a firewall, and daily backups. After the incident, management wants to improve risk identification to prevent future attacks. Which of the following is the MOST effective first step to improve risk identification?

A.Implement a data loss prevention (DLP) solution to monitor email traffic
B.Conduct a risk assessment that includes threat modeling and vulnerability scanning
C.Deploy a SIEM system to aggregate logs from all systems
D.Review the logs of the compromised file server for forensic details
Answer: B

A comprehensive risk assessment identifies all relevant risks.

Why this answer

Option B is correct because a comprehensive risk assessment covering people, process and technology will surface the gaps behind the incident (such as missing phishing-awareness training, weak email filtering or permissive macro and attachment handling) rather than just the single vector that was exploited. Option A addresses one attack vector only, and DLP is aimed at data leaving the organization, not at inbound phishing. Option C deploys a monitoring control before the organization knows what it needs to monitor for. Option D is incident-specific forensics: it feeds the assessment but does not by itself identify the organization's wider risks.

20
MCQmedium

A government agency requires all employees to use smart cards for network access. The security team notices a pattern of failed authentication attempts from a specific building after hours. The attempts occur every night at 2:00 AM for about 10 minutes. The building has a badge reader at the entrance. The team suspects an attacker is trying to brute-force smart card PINs. However, the building's door logs show no entry at that time. Which of the following should the security team do FIRST to identify the risk?

A.Correlate the authentication logs with physical access logs to see if any employee was present
B.Immediately isolate the building's network segment
C.Change all smart card PINs for that building's employees
D.Notify law enforcement about a potential cyberattack
AnswerA

Identifies whether the attempts are from legitimate users or external attacks.

Why this answer

Option A is correct because correlating the authentication logs with the physical access logs shows whether a badged-in employee (or an unattended device they left running) is generating the failures, or whether the attempts come from someone who is not physically present. A burst at exactly the same time every night is often a scheduled task or a workstation holding a stale cached credential rather than a human attacker, which is another reason to confirm presence before acting. Option B is disruptive and premature before the source is confirmed; C assumes the outcome and burdens every user in the building; D is premature without evidence of an attack.
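The correlation described above, as an added example that is not part of the original question bank: it groups the nightly PIN failures into bursts and then checks the badge log to see whether the affected user was physically inside the building at the time. The log formats, field names, the building identifier B7 and the user names are constructed for this example and are assumptions, not the agency's real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not from any real system).
AUTH_LOG = """\
2024-03-11T02:00:05 building=B7 user=jdoe result=FAIL reason=bad_pin
2024-03-11T02:00:41 building=B7 user=jdoe result=FAIL reason=bad_pin
2024-03-11T02:01:17 building=B7 user=jdoe result=FAIL reason=bad_pin
2024-03-11T02:09:58 building=B7 user=jdoe result=FAIL reason=bad_pin
2024-03-11T08:31:02 building=B7 user=asmith result=OK
"""

BADGE_LOG = """\
2024-03-10T17:45:12 building=B7 user=jdoe event=EXIT
2024-03-11T08:29:50 building=B7 user=asmith event=ENTRY
"""


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            k, v = kv.split("=", 1)
            rec[k] = v
        records.append(rec)
    return records


def failure_bursts(auth, min_failures=3, window=timedelta(minutes=15)):
    """Group FAIL records per (building, user) that fall within `window` of the first one."""
    bursts, current = [], []
    fails = sorted((r for r in auth if r["result"] == "FAIL"),
                   key=lambda r: (r["building"], r["user"], r["ts"]))
    for r in fails:
        same_key = current and (r["building"], r["user"]) == (current[0]["building"], current[0]["user"])
        if same_key and r["ts"] - current[0]["ts"] <= window:
            current.append(r)
        else:
            if len(current) >= min_failures:
                bursts.append(current)
            current = [r]
    if len(current) >= min_failures:
        bursts.append(current)
    return bursts


def was_present(badge, building, user, at):
    """True if the user's last badge event in `building` before `at` was an ENTRY."""
    inside = False
    for r in sorted(badge, key=lambda r: r["ts"]):
        if r["building"] != building or r["user"] != user or r["ts"] > at:
            continue
        inside = r["event"] == "ENTRY"
    return inside


def correlate(auth_log, badge_log):
    auth, badge = parse(auth_log), parse(badge_log)
    findings = []
    for burst in failure_bursts(auth):
        building, user = burst[0]["building"], burst[0]["user"]
        present = was_present(badge, building, user, burst[-1]["ts"])
        findings.append({
            "building": building, "user": user, "failures": len(burst),
            "window": (burst[0]["ts"].isoformat(), burst[-1]["ts"].isoformat()),
            "badged_in": present,
            "assessment": ("user present; check for a misconfigured device or forgotten PIN"
                           if present else
                           "no physical presence; suspect an unattended device or remote attacker"),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(AUTH_LOG, BADGE_LOG):
        print(f)
```

With the sample data the only burst belongs to jdoe, whose last badge event was an EXIT the previous evening, so the finding is "no physical presence" and the team can move on to locating the device behind the attempts.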

21
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address on the VPN gateway. The analyst adjusts the threshold for account lockout and enables geo-ip blocking. This activity is part of which risk management process?

A.Risk identification
B.Risk assessment
C.Risk reporting
D.Risk monitoring
AnswerD

Adjusting controls based on observed events is a core risk monitoring activity.

Why this answer

Option D is correct because the analyst is actively monitoring the VPN gateway for security events (failed logins) and then adjusting controls (lockout threshold, geo-IP blocking) in response to observed threats. This continuous observation and adjustment is the essence of risk monitoring, which is the ongoing process of tracking identified risks and evaluating the effectiveness of controls. The actions taken are not about identifying new risks, assessing their likelihood/impact, or formally reporting them, but rather about reacting to real-time data to maintain an acceptable risk posture.

Exam trap

The trap here is that candidates confuse 'monitoring' (ongoing observation and adjustment) with 'risk assessment' (quantitative/qualitative analysis), because adjusting thresholds feels like evaluating risk, but the question explicitly describes a reactive, operational action rather than a formal assessment process.

How to eliminate wrong answers

Option A is wrong because risk identification is the initial step of discovering and documenting potential risks (e.g., 'failed logins could indicate a brute-force attack'), but the analyst has already identified the risk and is now adjusting controls based on observed events. Option B is wrong because risk assessment involves evaluating the likelihood and impact of a risk (e.g., calculating the annualized loss expectancy), not implementing or tuning technical controls like lockout thresholds or geo-IP blocking. Option C is wrong because risk reporting is the formal communication of risk findings to stakeholders (e.g., via a risk register or executive summary), not the real-time operational adjustment of security configurations.

22
Multi-Selectmedium

Which TWO of the following are key components of a Security Information and Event Management (SIEM) system? (Select two.)

Select 2 answers
A.Vulnerability scanning
B.Centralized log collection and storage
C.Correlation and analysis engine
D.Intrusion detection system (IDS)
E.Data loss prevention (DLP)
AnswersB, C

Core function of SIEM.

Why this answer

Centralized log collection and storage (B) is a core SIEM component because it aggregates logs from diverse sources (servers, firewalls, applications) into a single repository, enabling unified analysis and forensic investigation. The correlation and analysis engine (C) is the other core component: it applies rules and analytics across those aggregated events to turn isolated log entries into alerts. Without the centralized data store the engine has nothing to process, and without the engine the store is just an archive, so the two together define a SIEM.

Exam trap

ISC2 often tests the misconception that SIEM includes active security controls like IDS or DLP, when in fact SIEM is a passive analysis and management platform that aggregates data from those tools.

23
Drag & Dropmedium

Drag and drop the steps for properly disposing of a hard drive containing sensitive data into the correct order.

Steps, in the correct order:

1. Back up any data that must be retained
2. Overwrite the drive
3. Verify the overwrite
4. Destroy the drive
5. Document the disposal

Why this order

Sanitization: backup, overwrite, verify, destroy, document. Backup comes first because nothing is recoverable once the overwrite begins; verification confirms the overwrite actually succeeded before the drive goes to physical destruction; documentation closes the chain of custody for the asset.

24
MCQmedium

A financial institution uses a risk management framework based on ISO 31000. During a quarterly risk review, the risk manager identifies that the residual risk for a critical trading application remains high despite multiple controls. The application's risk score has not decreased after implementing two-factor authentication and encryption. The risk appetite statement says 'no high residual risk for systems processing transactions over $10M.' What should the risk manager do next?

A.Reduce the risk by disabling non-essential features of the application.
B.Transfer the risk by purchasing cyber insurance.
C.Escalate to senior management for a decision on additional controls or risk acceptance.
D.Accept the risk because controls are already in place.
AnswerC

Escalation ensures that senior management, who own the risk appetite, decide on additional controls or formally accept the residual risk.

Why this answer

Option C is correct because risk management best practice requires that residual risk exceeding the stated risk appetite be escalated to the management level that owns that appetite, so they can either fund additional controls or formally accept the exception. Option D is wrong because accepting the risk at the risk manager's level violates the stated risk appetite. Option A is wrong because disabling features may not reduce the risk sufficiently and could impact business operations.

Option B is wrong because transferring risk via insurance does not reduce the residual risk itself; it only covers financial loss, and the risk appetite requires the risk to be at an acceptable level regardless of insurance.

25
MCQmedium

Refer to the exhibit. The analyst sees this IDS alert. What is the most likely outcome if the target web application is vulnerable?

A.Buffer overflow and remote code execution
B.Authentication bypass or data extraction
C.Cross-site scripting (XSS) attack
D.Privilege escalation on the database server
AnswerB

The payload tries to bypass authentication by always returning true.

Why this answer

The IDS alert indicates a SQL injection attempt (e.g., '1=1' or similar pattern). If the web application is vulnerable, the attacker can manipulate SQL queries to bypass authentication (e.g., logging in without valid credentials) or extract data from the database (e.g., dumping user tables). This is the most direct outcome of a successful SQL injection.

Exam trap

ISC2 often tests the distinction between SQL injection and other web attacks (like XSS or buffer overflows), and the trap here is that candidates may confuse the outcome of SQL injection with remote code execution or privilege escalation, when the primary and most likely result is authentication bypass or data extraction.

How to eliminate wrong answers

Option A is wrong because buffer overflow and remote code execution are typically associated with memory corruption vulnerabilities (e.g., stack overflows), not SQL injection. Option C is wrong because cross-site scripting (XSS) exploits client-side script injection into web pages, not server-side SQL query manipulation. Option D is wrong because privilege escalation on the database server is a secondary effect that may follow data extraction, but the immediate and most likely outcome of a SQL injection is authentication bypass or data extraction, not direct privilege escalation.
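The two outcomes named in the answer, authentication bypass and data extraction, shown side by side with the fix, as an added example that is not part of the original question or exhibit. The table, the credential and the two payload strings are constructed for the example; the exhibit's actual alert is not reproduced here. The code uses Python's built-in sqlite3 module so it runs without any server.

```python
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample credential. Plaintext only to keep the example short;
    # a real application stores a salted password hash, not the password.
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return db


def login_vulnerable(db, username, password):
    # String concatenation: attacker text becomes part of the SQL grammar.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def profile_vulnerable(db, username):
    # Same flaw on a read-only lookup: a UNION lets the attacker pull other columns.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(query)]


def login_parameterized(db, username, password):
    # Bound parameters: values travel separately from the statement text, so they
    # are compared as data and can never change the query structure.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def profile_parameterized(db, username):
    return [row[0] for row in db.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


# Constructed payloads. The first makes the WHERE clause a tautology ('1'='1'),
# the second appends a UNION and comments out the trailing quote.
BYPASS = "' OR '1'='1"
EXTRACT = "' UNION SELECT password FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, wrong password :", login_vulnerable(db, "alice", "wrong"))
    print("vulnerable login, tautology      :", login_vulnerable(db, "alice", BYPASS))
    print("vulnerable profile, UNION        :", profile_vulnerable(db, EXTRACT))
    print("parameterized login, tautology   :", login_parameterized(db, "alice", BYPASS))
    print("parameterized profile, UNION     :", profile_parameterized(db, EXTRACT))
```

The tautology works because `AND` binds tighter than `OR`, so the concatenated clause reads `(username = 'alice' AND password = '') OR '1'='1'`. The parameterized versions treat the same strings as literal usernames that match nothing.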

26
MCQmedium

You are a risk analyst at a healthcare organization. The organization recently deployed a new electronic health records (EHR) system. During the first month of operation, the IT helpdesk received multiple reports from doctors that the system becomes unresponsive for 10-15 seconds several times a day. The EHR vendor attributes this to insufficient database connection pooling, but the organization's system administrator notes that the database server's CPU and memory utilization never exceed 30%. The organization has a risk management policy that requires any system with availability <99.5% to be treated as a high risk. Based on initial data, the system has been unavailable for about 0.1% of the time (excluding planned maintenance). However, doctors report that the brief unresponsiveness is causing frustration and potential misdiagnosis due to interrupted workflows. You need to recommend a risk treatment approach. What should you do?

A.Accept the current risk because the system meets the 99.5% availability threshold
B.Reduce the risk by implementing a load balancer and additional application servers
C.Document the system as high risk and require immediate remediation, such as upgrading the database server hardware
D.Conduct a deeper analysis to quantify the impact of these brief outages on clinical workflows and patient safety, then reassess risk
AnswerD

A deeper analysis will clarify the true risk level before deciding on treatment.

Why this answer

Option D is correct because the risk management policy defines high risk based on availability <99.5%, and the system currently shows 99.9% availability (0.1% unavailability). However, the brief 10-15 second unresponsiveness may still pose a clinical safety risk that is not captured by a simple uptime metric. A deeper analysis is required to quantify the actual impact on clinical workflows and patient safety before deciding on risk treatment, as the policy may need to consider functional availability rather than just binary uptime.

Exam trap

The trap here is that candidates focus on the 99.5% availability threshold and assume the risk is acceptable (Option A) or immediately high (Option C), without recognizing that the policy requires a risk assessment that includes impact analysis, and that the technical symptom (connection pooling) may not be resolved by hardware upgrades or load balancers.

How to eliminate wrong answers

Option A is wrong because accepting the risk based solely on the 99.5% availability threshold ignores the qualitative reports of frustration and potential misdiagnosis; the policy may require a risk assessment that includes impact on patient safety, not just uptime percentage. Option B is wrong because implementing a load balancer and additional application servers addresses a different problem (scalability under load) while the vendor attributes the issue to insufficient database connection pooling, which is a database-tier configuration problem, not an application-tier capacity issue. Option C is wrong because documenting the system as high risk and requiring immediate hardware upgrade is premature without first quantifying the clinical impact; the database server CPU and memory are below 30%, indicating the bottleneck is likely connection pooling configuration, not hardware capacity.

27
Multi-Selectmedium

Which THREE of the following are examples of detective controls?

Select 3 answers
A.Intrusion detection system (IDS)
B.Security information and event management (SIEM)
C.Data encryption at rest
D.Log monitoring and analysis
E.Firewall with default-deny rule
AnswersA, B, D

IDS detects intrusions and alerts.

Why this answer

An intrusion detection system (IDS) is a detective control because it passively monitors network traffic or system activity for signs of malicious behavior or policy violations, generating alerts when suspicious patterns are detected. Unlike a preventive control, an IDS does not block traffic; it only identifies and reports incidents after they occur or in real-time, making it a classic example of a detective security measure.

Exam trap

The trap here is that candidates often confuse preventive controls (like firewalls and encryption) with detective controls, mistakenly thinking that any security tool that 'stops' or 'protects' data also detects attacks, when in fact detective controls only identify and report incidents without blocking them.

28
MCQmedium

A company has deployed an intrusion detection system (IDS) that generates numerous false positives. Which approach would best reduce false positives while maintaining detection capability?

A.Increase the alert generation threshold
B.Replace the IDS with an intrusion prevention system (IPS)
C.Disable the IDS until a full review is completed
D.Tune the IDS signatures and rules
AnswerD

Tuning reduces false positives by refining detection criteria.

Why this answer

Tuning IDS signatures and rules (option D) directly addresses the root cause of false positives by refining the detection patterns so they stop matching known legitimate traffic while still matching the malicious patterns they were written for. This preserves the IDS's ability to detect genuine threats while removing noise, unlike threshold adjustments, which can hide low-and-slow attacks.

Exam trap

The trap here is that candidates confuse 'increasing the threshold' (option A) with tuning, but threshold adjustments are a blunt instrument that can suppress true positives, whereas signature tuning refines detection granularity without sacrificing sensitivity.

How to eliminate wrong answers

Option A is wrong because increasing the alert generation threshold reduces sensitivity across all events, potentially causing true positives (e.g., stealthy attacks) to be missed, which compromises detection capability. Option B is wrong because replacing the IDS with an IPS does not inherently reduce false positives; an IPS uses the same detection mechanisms and may block legitimate traffic if false positives persist, introducing availability risks. Option C is wrong because disabling the IDS eliminates all detection capability, leaving the network blind to attacks during the review period, which is an unacceptable security gap.

29
MCQmedium

Given the exhibit, what is the most likely conclusion?

A.The SIEM alert is a false positive and can be ignored
B.The authentication server logs are misconfigured
C.The successful login is unrelated and coincidental
D.The brute-force attack was successful and the admin account may be compromised
AnswerD

The pattern indicates successful compromise.

Why this answer

The exhibit shows a brute-force attack with multiple failed login attempts followed by a successful login from the same source IP. This pattern indicates that the attacker likely guessed or cracked the password, making the admin account compromised. Option D is correct because the sequence of events directly correlates with a successful brute-force attack.

Exam trap

The trap here is that candidates may dismiss the successful login as a false positive or coincidence, failing to recognize that a run of failures followed by a success from the same source against the same account is the classic indicator of a brute-force attack that worked, and that the account should be treated as compromised until proven otherwise.

How to eliminate wrong answers

Option A is wrong because the alert is not a false positive; the pattern of repeated failures followed by a success is a classic indicator of a successful brute-force attack, not a benign event. Option B is wrong because the authentication server logs are not misconfigured; they correctly recorded both the failed and successful logins, which is expected behavior. Option C is wrong because the successful login is not coincidental; it is directly linked to the preceding brute-force attempts, as evidenced by the same source IP and target account.
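The pattern the exhibit relies on, many failures then a success from the same source against the same account, written as detection logic and run over sample log lines. This is an added example, not the exhibit or any vendor's rule; the syslog-style lines, the host name, IP addresses and account names are constructed, and the threshold and window are assumptions you would tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The admin burst should alert; bob's single typo should not.
LOG = """\
Mar 11 03:12:01 authsrv sshd[2211]: Failed password for admin from 203.0.113.45 port 51822
Mar 11 03:12:03 authsrv sshd[2211]: Failed password for admin from 203.0.113.45 port 51823
Mar 11 03:12:05 authsrv sshd[2211]: Failed password for admin from 203.0.113.45 port 51824
Mar 11 03:12:08 authsrv sshd[2211]: Failed password for admin from 203.0.113.45 port 51825
Mar 11 03:12:12 authsrv sshd[2211]: Failed password for admin from 203.0.113.45 port 51826
Mar 11 03:12:20 authsrv sshd[2211]: Failed password for admin from 203.0.113.45 port 51827
Mar 11 03:13:00 authsrv systemd[1]: Started Session 42 of user root.
Mar 11 03:12:40 authsrv sshd[2211]: Accepted password for admin from 203.0.113.45 port 51850
Mar 11 03:15:10 authsrv sshd[2213]: Failed password for bob from 198.51.100.9 port 40001
Mar 11 03:15:12 authsrv sshd[2213]: Accepted password for bob from 198.51.100.9 port 40002
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (\S+) from (\S+)")


def parse_line(line):
    """Return (timestamp, accepted?, user, src) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group(2) == "Accepted", m.group(3), m.group(4)


def detect_successful_bruteforce(log, threshold=5, window=timedelta(minutes=10)):
    """Alert when a success is preceded by >= threshold failures from the same
    (src, user) within `window`. Returns one dict per alert."""
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, accepted, user, src = rec
        key = (src, user)
        failures[key] = [t for t in failures[key] if ts - t <= window]  # age out
        if not accepted:
            failures[key].append(ts)
            continue
        n = len(failures[key])
        if n >= threshold:
            alerts.append({"src": src, "user": user,
                           "failures_before_success": n,
                           "at": ts.strftime("%H:%M:%S")})
        failures[key].clear()
    return alerts


if __name__ == "__main__":
    for a in detect_successful_bruteforce(LOG):
        print("ALERT possible account compromise:", a)
```

Keying on (source, account) is what separates this from a plain failed-login counter: bob's one typo and successful retry never reaches the threshold, while the admin success that follows six failures from the same IP does.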

30
MCQmedium

During a vulnerability scan, a critical vulnerability is found on a publicly accessible web server. The server hosts a legacy application that cannot be patched immediately. What should the risk manager do first?

A.Implement compensating controls.
B.Remove the server from the network.
C.Notify the application owner.
D.Accept the risk.
AnswerA

Compensating controls mitigate the vulnerability without patching, buying time for a permanent fix.

Why this answer

Option A is correct because when a critical vulnerability cannot be patched immediately, implementing compensating controls is the appropriate first step to reduce risk while maintaining business operations. Compensating controls, such as a web application firewall (WAF) with custom rules to block exploit attempts or network segmentation with strict access control lists (ACLs), provide a temporary mitigation layer. This aligns with the risk management principle of reducing risk to an acceptable level without disrupting critical services.

Exam trap

ISC2 often tests the misconception that immediate removal from the network is always the correct first step, but the SSCP exam emphasizes balancing security with business continuity, making compensating controls the preferred initial action.

How to eliminate wrong answers

Option B is wrong because removing the server from the network would cause immediate denial of service for the legacy application, which may be critical to business operations, and is an extreme measure that should only be taken if the vulnerability is actively exploited and no other controls exist. Option C is wrong because notifying the application owner is a procedural step that should occur after or in parallel with implementing compensating controls; it does not directly address the immediate risk reduction required. Option D is wrong because accepting the risk without first attempting to mitigate it through compensating controls is premature and violates the risk management hierarchy, which prioritizes mitigation over acceptance when feasible.

31
MCQmedium

Based on the exhibit, which conclusion is most likely?

A.Two hosts are consistently downloading malware.
B.The downloads are false positives.
C.The threat has been contained.
D.The proxy is blocking the downloads.
AnswerA

The logs show repeated successful GET requests for an executable from a known malware domain by two IPs.

Why this answer

Option A is correct because two internal hosts (192.168.1.10 and .20) repeatedly fetch an executable from a known malware domain, and the HTTP status 200 on each request shows the downloads completed. Option B is incorrect because repeated, successful retrieval of an executable from a domain on a threat list is not a benign pattern that can be written off as a false positive. Option D is incorrect because 'TCP_MISS/200' and 'DIRECT' show the proxy forwarded each request to the origin and returned the content; a blocked request would appear as a denied action with a non-200 status.

Option C is unlikely because the connections to the malware domain are ongoing; nothing in the log shows the traffic being stopped or the hosts being isolated.
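The reasoning above, turned into a check that runs over proxy log lines, as an added example that is not the exhibit: it parses Squid-style access log entries, keeps only completed (status 200, not denied) fetches of executables from blocklisted domains, and reports which internal hosts repeat that behaviour. The log lines, the domain malware-dist.example and the blocklist are constructed; the exhibit's real domain is not reproduced. Field positions follow the native Squid access log layout, which is an assumption about the exhibit's format.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for a threat-intel domain feed.
BLOCKLIST = {"malware-dist.example"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")

# Constructed Squid-style log: time elapsed client action/status bytes method URL user hierarchy/host type
PROXY_LOG = """\
1710123456.123    215 192.168.1.10 TCP_MISS/200 48640 GET http://malware-dist.example/update.exe - DIRECT/203.0.113.77 application/octet-stream
1710123458.901     12 192.168.1.15 TCP_HIT/200 1320 GET http://intranet.example/logo.png - NONE/- image/png
1710124056.410    198 192.168.1.20 TCP_MISS/200 48640 GET http://malware-dist.example/update.exe - DIRECT/203.0.113.77 application/octet-stream
1710124657.002    203 192.168.1.10 TCP_MISS/200 48640 GET http://malware-dist.example/update.exe - DIRECT/203.0.113.77 application/octet-stream
1710125258.330    201 192.168.1.20 TCP_MISS/200 48640 GET http://malware-dist.example/update.exe - DIRECT/203.0.113.77 application/octet-stream
1710125300.118      3 192.168.1.10 TCP_DENIED/403 0 GET http://malware-dist.example/update.exe - NONE/- text/html
"""


def parse_squid(line):
    """Split one native-format Squid line into the fields the check needs."""
    f = line.split()
    if len(f) < 10:
        return None
    action, _, status = f[3].partition("/")
    return {"ts": float(f[0]), "client": f[2], "action": action, "status": int(status),
            "method": f[5], "url": f[6], "hierarchy": f[8].split("/")[0]}


def malware_downloads(log):
    """Count completed executable fetches from blocklisted domains, per client IP.
    A TCP_DENIED line or a non-200 status is a block, not a download, and is skipped."""
    hits = Counter()
    for line in log.splitlines():
        r = parse_squid(line)
        if r is None:
            continue
        u = urlparse(r["url"])
        host, path = (u.hostname or "").lower(), u.path.lower()
        if (host in BLOCKLIST and path.endswith(EXECUTABLE_EXT)
                and r["status"] == 200 and r["action"] != "TCP_DENIED"):
            hits[r["client"]] += 1
    return dict(hits)


def repeat_offenders(hits, min_count=2):
    """Hosts that fetched the payload more than once: likely beaconing or re-infection."""
    return sorted(ip for ip, n in hits.items() if n >= min_count)


if __name__ == "__main__":
    hits = malware_downloads(PROXY_LOG)
    print("downloads per host:", hits)
    print("repeat offenders  :", repeat_offenders(hits))
```

The denied line at the end is deliberately included: a later block rule does not make the earlier 200 responses disappear, so the two hosts still show as repeat downloaders and need containment and investigation.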

32
MCQeasy

In the context of risk assessment, which of the following best describes a vulnerability?

A.A potential event that can cause harm
B.The likelihood of a threat exploiting a weakness
C.An actual occurrence of a harmful event
D.A weakness in a system that can be exploited
AnswerD

Correct definition.

Why this answer

In risk assessment, a vulnerability is specifically a weakness in a system, application, or process that can be exploited by a threat. Option D correctly defines this as a weakness that can be exploited, which aligns with the NIST SP 800-30 definition of vulnerability as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Exam trap

The trap here is that candidates confuse 'vulnerability' with 'threat' (Option A) or 'risk' (Option B), because risk assessment terminology is often used interchangeably in casual conversation, but the SSCP exam strictly defines vulnerability as a weakness, not the event or likelihood.

How to eliminate wrong answers

Option A is wrong because it describes a threat (a potential event that can cause harm), not a vulnerability. Option B is wrong because it describes risk (the likelihood of a threat exploiting a weakness), which combines threat, vulnerability, and impact. Option C is wrong because it describes an incident or actual occurrence of a harmful event, which is the realization of a threat exploiting a vulnerability, not the vulnerability itself.

33
MCQhard

A SOC analyst reviews an alert for a user who downloaded a large amount of data from a sensitive database at 3:00 AM. The user's manager confirms the user was not on call. Which type of risk indicator is this activity best described as?

A.Technical vulnerability indicator
B.User behavior risk indicator
C.Error log indicator
D.Configuration drift indicator
AnswerB

The unusual access pattern is a behavioral indicator of potential insider threat or compromise.

Why this answer

The activity describes a user downloading a large volume of sensitive data at an anomalous time (3:00 AM) without a business reason, which maps directly to a user behavior risk indicator. Behavioral indicators track deviations from an established baseline of user actions, such as unusual access times, data volumes, or locations, to surface potential insider threats or compromised accounts. This is not a technical vulnerability, an error log entry, or a configuration issue, but a behavioral anomaly that requires investigation.

Exam trap

ISC2 often tests the distinction between technical indicators (like vulnerabilities or errors) and behavioral indicators, trapping candidates who confuse a user's anomalous action with a system-level flaw or log entry.

How to eliminate wrong answers

Option A is wrong because a technical vulnerability indicator refers to a flaw in software, hardware, or network design (e.g., an unpatched CVE in the database server) that could be exploited, not an anomalous user action. Option C is wrong because an error log indicator is derived from system or application error messages (e.g., failed login attempts, disk I/O errors), not from successful but suspicious user behavior. Option D is wrong because configuration drift indicator tracks changes to system settings or policies over time (e.g., a firewall rule being altered or a registry key modified), not a user's data access pattern.

34
Matchingmedium

Match each security policy type to its purpose.

Concept and matching description:

- Acceptable use policy: Defines proper use of resources
- Password policy: Requirements for password strength
- Data classification policy: Categorizes data sensitivity
- Incident response policy: Procedures for handling breaches

Why these pairings

These policies are foundational in information security.

35
Multi-Selecthard

Which THREE of the following are common techniques for identifying risks?

Select 3 answers
A.Stakeholder interviews
B.Penetration testing
C.SWOT analysis
D.Quantitative risk analysis
E.Brainstorming sessions
AnswersA, C, E

Interviews with knowledgeable individuals are a key identification technique.

Why this answer

Stakeholder interviews are a common technique for identifying risks because they leverage the knowledge and experience of individuals who have a direct interest in or are affected by the project or system. By engaging stakeholders, you can uncover risks that may not be apparent from documentation or technical analysis, as they provide insights into operational, regulatory, and business-specific threats. This aligns with the risk identification process in the SSCP domain, which emphasizes gathering input from diverse sources to build a comprehensive risk profile.

Exam trap

ISC2 often tests the distinction between risk identification techniques and risk analysis or validation techniques, so the trap here is confusing a method like penetration testing (which validates controls) or quantitative analysis (which evaluates risk) with the initial discovery process of risk identification.

36
Multi-Selecthard

Which THREE of the following are key elements of a security incident response plan?

Select 3 answers
A.Vendor management process
B.Preparation and training
C.Restoring all systems from backup
D.Containment, eradication, and recovery
E.Detection and analysis
AnswersB, D, E

Preparation is the first phase of the incident response process.

Why this answer

Preparation and training (Option B) is a key element because an incident response plan must include establishing and rehearsing procedures, roles, and tools before an incident occurs. Without trained personnel and tested playbooks, the response will be chaotic and ineffective, regardless of other plan components.

Exam trap

ISC2 often tests the misconception that 'restoring all systems from backup' is a standalone key element, when in fact it is a sub-step of the recovery phase and must be preceded by containment and eradication to avoid reinfection.

37
MCQeasy

A small financial services company has deployed a SIEM solution collecting logs from their firewall, web server, and domain controller. They also have an IDS monitoring the network perimeter. The security analyst receives an alert from the IDS indicating a potential exploit attempt against the web server from an external IP. The analyst checks the SIEM and sees that the firewall log shows the connection was allowed, but the web server log does not show any corresponding request. The domain controller logs show no abnormal activity. The company has a policy to immediately contain any confirmed threats. What should the analyst do first based on this information?

A.Reboot the web server to clear any potential memory-resident malware
B.Block the external IP at the firewall
C.Verify the web server's integrity by checking for filesystem changes or anomalous processes
D.Escalate the alert to the incident response team
AnswerC

The missing log entry could be an anomaly; checking the server ensures no compromise occurred.

Why this answer

The IDS alert indicates a possible exploit, but the missing web server log entry suggests the request may not have reached the application, or that the IDS generated a false positive. However, the firewall allowed the connection, so it is also possible the traffic reached the web server and the log entry is missing, delayed, or was tampered with. The safest first step is to verify the web server's integrity by checking for signs of compromise (Option C).

Immediately blocking the external IP (Option B) might disrupt legitimate traffic if the alert is false, and the containment policy applies to confirmed threats. Rebooting (Option A) could destroy volatile forensic evidence. Escalating (Option D) without verification wastes the response team's time on an unconfirmed alert.

38
MCQhard

A security analyst is reviewing logs and sees an alert for a known malware signature on an endpoint. Upon investigation, the file is identified as a false positive. What should the analyst do next?

A.Create an exception in the detection rule.
B.Quarantine the endpoint anyway.
C.Escalate to management.
D.Delete the alert from the SIEM.
AnswerA

An exception reduces noise and improves detection fidelity for actual threats.

Why this answer

Creating an exception in the detection rule is the correct next step because the file has been confirmed as a false positive. This prevents the tool from generating future alerts for the same benign file, reducing noise and letting the analyst focus on genuine threats. It is standard tuning practice in endpoint detection and response (EDR) and antivirus systems to maintain operational efficiency without compromising security. The exception should be scoped as narrowly as possible (for example to the file's hash or a specific path rather than the whole signature) and recorded with the justification, so the rule still fires if a real sample matching the signature appears later.

Exam trap

The trap here is that candidates may confuse 'false positive' with 'true positive' and choose to quarantine or escalate, failing to recognize that the correct response is to tune the detection rule to eliminate noise.

How to eliminate wrong answers

Option B is wrong because quarantining a known false positive would disrupt legitimate operations and waste resources, as the file is not malicious. Option C is wrong because escalating a confirmed false positive to management is unnecessary and bypasses the analyst's responsibility to handle routine tuning of detection rules. Option D is wrong because deleting the alert from the SIEM removes forensic evidence and audit trails; instead, the alert should be closed with a reason or suppressed via an exception rule.

39
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address within a short time window. Which control should be implemented to automatically mitigate this behavior?

A.Set session timeout to 15 minutes
B.Implement account lockout policy
C.Enforce complex password policy
D.Require multi-factor authentication
AnswerB

Account lockout disables the account after a set number of failed attempts.

Why this answer

An account lockout policy automatically disables an account after a specified number of failed login attempts within a defined time window, directly mitigating brute-force attacks from a single IP. This control is specifically designed to prevent repeated authentication failures by temporarily or permanently locking the account, stopping further attempts without manual intervention.

Exam trap

ISC2 often tests the distinction between preventive controls (like complex passwords or MFA) and corrective/detective controls (like account lockout), leading candidates to choose MFA because it seems stronger, but the question specifically asks for automatic mitigation of repeated failed attempts, which only lockout directly addresses.

How to eliminate wrong answers

Option A is wrong because setting a session timeout to 15 minutes controls idle session duration, not failed login attempts; it does not prevent repeated authentication failures from a single IP. Option C is wrong because enforcing a complex password policy makes passwords harder to guess but does not automatically stop repeated failed login attempts; it is a preventive control, not a detective or corrective one. Option D is wrong because requiring multi-factor authentication (MFA) adds a second factor but does not by itself react to repeated failures: the attacker can keep guessing the first factor indefinitely, and MFA does not lock the account after a run of failures.
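The lockout behaviour the answer describes, as an added example that is not part of the question bank: a threshold of failures within a sliding window locks the account for a fixed duration, and the lockout check runs before the password comparison so a locked account cannot be guessed against. The threshold, window and duration values, the account name and the credential store are assumptions chosen for illustration. This also covers the threshold tuning in question 21, which adjusts exactly these parameters.

```python
from collections import deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Lock an account after `threshold` failures within `window`; release after `duration`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), duration=timedelta(minutes=15)):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = {}      # account -> deque of recent failure timestamps
        self.locked_until = {}  # account -> datetime at which the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return True
        self.locked_until.pop(account, None)  # expired lock: clean up
        return False

    def record_failure(self, account, now):
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # age out failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[account] = now + self.duration
            q.clear()
            return True
        return False

    def record_success(self, account, now):
        self.failures.pop(account, None)


def authenticate(policy, store, account, password, now):
    """Return 'locked', 'ok' or 'fail'. The lock check precedes the credential
    check so a locked account gives no signal about the guessed password."""
    if policy.is_locked(account, now):
        return "locked"
    if store.get(account) == password:  # constructed plaintext store, for illustration only
        policy.record_success(account, now)
        return "ok"
    policy.record_failure(account, now)
    return "fail"


def simulate_bruteforce(attempts=8):
    """Drive the policy with a burst of guesses, then the real password, then a later retry."""
    policy, store = LockoutPolicy(), {"jdoe": "hunter2"}
    t0 = datetime(2024, 3, 11, 3, 0, 0)
    results = [authenticate(policy, store, "jdoe", f"guess{i}", t0 + timedelta(seconds=i))
               for i in range(attempts)]
    results.append(authenticate(policy, store, "jdoe", "hunter2", t0 + timedelta(seconds=attempts + 2)))
    results.append(authenticate(policy, store, "jdoe", "hunter2", t0 + timedelta(minutes=20)))
    return results


if __name__ == "__main__":
    print(simulate_bruteforce())
```

Two practitioner caveats the policy itself does not solve: a permanent lockout hands an attacker a denial-of-service lever against any account they can name, so temporary locks with a modest duration are the usual choice; and because this is keyed per account, an attacker spraying one password across many accounts never trips it, which is why the page's geo-IP blocking and per-source rate limiting are layered alongside it.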

40
Multi-Selecteasy

Which THREE of the following are common methods for identifying risks? (Select three.)

Select 3 answers
A.SWOT analysis
B.Threat modeling
C.Brainstorming sessions
D.Penetration testing
E.Vulnerability scanning
AnswersB, C, E

Systematic approach to identify threats and vulnerabilities.

Why this answer

Threat modeling is a structured approach for identifying risks by analyzing potential threats, vulnerabilities, and attack vectors in a system. It involves creating diagrams, identifying assets, and applying frameworks like STRIDE or PASTA to systematically uncover risks before they are exploited. This makes it a core risk identification method in the SSCP domain.

Exam trap

The trap here is that candidates confuse risk identification methods (like threat modeling and brainstorming) with risk validation or assessment techniques (like penetration testing and vulnerability scanning), leading them to select options D or A instead of the correct set.

41
MCQmedium

After a security incident, the CSIRT is conducting lessons learned. Which output is most directly used to update the risk management process?

A.Updated incident response plan.
B.Risk register updates.
C.Corrective actions.
D.Forensic report.
AnswerB

New threats or control failures from the incident should be documented in the risk register to inform future risk assessments.

Why this answer

The risk management process is directly updated by incorporating new risk information derived from incident analysis. Risk register updates (option B) capture newly identified risks, changes in risk likelihood or impact, and the effectiveness of existing controls, which are the primary outputs that feed back into risk treatment decisions.

Exam trap

The trap here is that candidates confuse operational outputs (corrective actions, updated IR plans) with the formal risk management artifact (risk register) that directly influences risk acceptance, mitigation, or transfer decisions.

How to eliminate wrong answers

Option A is wrong because updating the incident response plan is a corrective action to improve future response, not a direct input to the risk management process; the plan itself does not modify risk registers or risk assessments. Option C is wrong because corrective actions address specific incident root causes and may reduce risk, but they are operational fixes, not the formal risk documentation updates that directly feed the risk management process. Option D is wrong because a forensic report documents evidence and findings for legal or investigative purposes, but it does not directly update risk registers or risk treatment plans unless its findings are abstracted into risk entries.

42
MCQeasy

A small business wants to identify vulnerabilities in its network. Which type of scan should they perform first to get an overview?

A.Vulnerability scan.
B.Stealth scan.
C.Full port scan.
D.Ping sweep.
AnswerD

A ping sweep quickly identifies which IP addresses are active, providing a starting point.

Why this answer

A ping sweep (ICMP Echo Request) is the correct first step because it quickly identifies which hosts are alive on the network, providing a baseline of active IP addresses. This overview allows the business to scope the subsequent vulnerability scan to only live targets, reducing noise and scan time. Without a ping sweep, a full port or vulnerability scan would waste resources scanning dead or unresponsive hosts.

Exam trap

The trap here is that candidates often confuse 'vulnerability scan' (a deep assessment of known weaknesses) with 'host discovery' (a lightweight enumeration of live systems), leading them to select Option A as the first step instead of the correct ping sweep.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan is a deeper, more resource-intensive assessment that should be performed after identifying live hosts; starting with it would waste time and bandwidth scanning non-responsive IPs. Option B is wrong because a stealth scan (e.g., SYN scan) is a port scanning technique that attempts to evade detection, not a host-discovery method; it is inappropriate for an initial overview and may trigger IDS/IPS alerts unnecessarily. Option C is wrong because a full port scan (e.g., scanning all 65,535 TCP ports) is exhaustive and time-consuming, and should only be run against known live hosts to avoid excessive network traffic and false positives from dead targets.

43
Multi-Selectmedium

Which TWO of the following are effective methods for monitoring risk in real-time?

Select 2 answers
A.User access reviews
B.Security information and event management (SIEM) systems
C.Quarterly vulnerability scanning
D.Annual penetration testing
E.Intrusion detection systems (IDS)
AnswersB, E

SIEM collects and analyzes logs in real-time.

Why this answer

Security information and event management (SIEM) systems aggregate and correlate logs from multiple sources in real-time, enabling immediate detection and response to security incidents. They provide continuous monitoring and alerting, which is essential for real-time risk management.

Exam trap

The trap here is that candidates confuse periodic review activities (like access reviews or vulnerability scans) with real-time monitoring, failing to recognize that only SIEM and IDS provide continuous, automated analysis of live data.

44
MCQeasy

Based on the exhibit, which type of attack is most likely occurring?

A.Denial of service.
B.Brute force attack.
C.Dictionary attack.
D.Man-in-the-middle.
AnswerB

Multiple rapid failed attempts for the same user from one IP is characteristic of brute force.

Why this answer

The exhibit shows a high number of failed authentication attempts (e.g., 1000+ failures) from a single source IP within a short time window, targeting a specific user account. This pattern is characteristic of a brute force attack, where an attacker systematically tries many password combinations to gain unauthorized access. Unlike a dictionary attack, which uses a predefined list of likely passwords, a brute force attack exhaustively tests all possible combinations, as indicated by the sheer volume of attempts.

Exam trap

The trap here is that candidates may confuse a brute force attack with a dictionary attack, but the key differentiator is the exhaustive, non-selective nature of the attempts versus the use of a precompiled wordlist.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack aims to overwhelm system resources or disrupt service availability, not to repeatedly attempt authentication. Option C is wrong because a dictionary attack uses a curated list of common passwords or phrases, not the exhaustive, high-volume attempts shown in the exhibit. Option D is wrong because a man-in-the-middle (MITM) attack involves intercepting or altering communications between two parties, not directly targeting authentication endpoints with repeated login attempts.

45
MCQeasy

During a risk assessment, the team identifies that a critical database server is not included in the backup schedule. Which risk term best describes this condition?

A.Threat
B.Risk
C.Exploit
D.Vulnerability
AnswerD

The missing backup is a weakness that could lead to data loss.

Why this answer

A vulnerability is a weakness in a system that can be exploited by a threat. The database server missing from the backup schedule represents a weakness in the organization's data protection and disaster recovery posture, making it susceptible to data loss. This absence of a control (backup) is a classic example of a vulnerability, not an active threat or an exploit.

Exam trap

ISC2 often tests the distinction between a vulnerability (a weakness) and a threat (a potential danger), tricking candidates into selecting 'Threat' because they associate the missing backup with a potential data loss event, rather than recognizing it as the underlying weakness.

How to eliminate wrong answers

Option A is wrong because a threat is a potential event or actor (like a ransomware attack or a natural disaster) that could cause harm, not the absence of a backup. Option B is wrong because risk is the potential for loss or damage when a threat exploits a vulnerability; the missing backup is the vulnerability itself, not the calculated risk. Option C is wrong because an exploit is a specific method or code used to take advantage of a vulnerability (e.g., a SQL injection payload), not the condition of lacking a backup.

46
Multi-Selecthard

Which THREE of the following are key steps in performing a business impact analysis (BIA)?

Select 3 answers
A.Assigning likelihood ratings to threats
B.Selecting backup and recovery solutions
C.Assessing the financial and operational impact of disruptions
D.Identifying critical business processes
E.Determining maximum tolerable downtime (MTD)
AnswersC, D, E

Impact analysis is central to BIA.

Why this answer

Option C is correct because assessing the financial and operational impact of disruptions is a core step in a business impact analysis (BIA). The BIA focuses on quantifying the consequences of losing business functions, including revenue loss, regulatory fines, and reputational damage, rather than evaluating threat likelihood or selecting recovery solutions.

Exam trap

ISC2 often tests the distinction between BIA steps (impact-focused) and risk assessment steps (likelihood-focused), so candidates mistakenly include threat likelihood ratings as a BIA step.

47
MCQhard

Refer to the exhibit. A security engineer is reviewing an S3 bucket policy. Which risk is most directly introduced by this policy?

A.Unauthorized deletion of objects
B.Lack of encryption at rest
C.Inability to audit access
D.Exposure of bucket contents to the public
AnswerD

The ListBucket action with Principal "*" allows anyone to enumerate objects.

Why this answer

The S3 bucket policy grants public access via a Principal of '*' and an Effect of 'Allow' for the 's3:GetObject' action, which means any unauthenticated user on the internet can read objects in the bucket. This directly exposes the bucket contents to the public, making option D correct.

Exam trap

ISC2 often tests the distinction between read access (GetObject) and write/delete access (PutObject, DeleteObject), so candidates may mistakenly think any public access implies deletion risk, but the policy explicitly only allows reading.

How to eliminate wrong answers

Option A is wrong because the policy only allows 's3:GetObject' (read) and does not include 's3:DeleteObject' or any write/delete actions, so unauthorized deletion is not introduced. Option B is wrong because the policy does not address encryption settings at all; encryption at rest is a separate configuration (e.g., SSE-S3, SSE-KMS) and is not impacted by this access control policy. Option C is wrong because the policy does not disable or affect CloudTrail or other audit logging; auditing remains possible regardless of this policy, though the policy itself does not enable or disable it.
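The exhibit for this question is not reproduced on the page, so the check below works on a constructed policy with the same shape the explanation describes (Effect Allow, Principal "*", read actions). It is an added example written for this page, not AWS tooling or code from the question bank. It flags statements that grant anonymous access and classifies the exposure as read/enumeration versus write/delete, which is exactly the distinction the exam trap above turns on; the corrected policy beside it grants the same actions to a single role. Bucket name, account id and role name are placeholders, and the check is static only: it does not evaluate Block Public Access settings, bucket ACLs or Condition keys, so a real review must confirm those separately.

```python
import json
from fnmatch import fnmatch

# Constructed policy modelled on the exhibit described in the question:
# anonymous Principal with Allow on read actions. Bucket name is a placeholder.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Corrected version: same actions, but granted only to one IAM role.
# The account id 123456789012 and role name are placeholders.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Actions whose anonymous grant exposes contents (read) or integrity (write).
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (both mean anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(action_patterns, targets):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return any(fnmatch(t, p.lower()) for p in action_patterns for t in targets)


def public_access_findings(policy):
    """Return one finding per Allow statement with an anonymous principal.

    Accepts the policy as JSON text or as an already-parsed dict. This is a
    static check of the policy document only; Block Public Access, ACLs and
    Condition keys also shape real access and are not evaluated here.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        risks = []
        if _grants(actions, READ_ACTIONS):
            risks.append("public read/enumeration of bucket contents")
        if _grants(actions, WRITE_ACTIONS):
            risks.append("public write or deletion of objects")
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "conditioned": "Condition" in stmt,  # a Condition may narrow the grant
            "risks": risks,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_access_findings(doc))
```

Running the block prints one finding for the public policy (read exposure only, matching option D) and none for the restricted one.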

48
MCQmedium

A security team uses a risk matrix with likelihood (Low, Medium, High) and impact (Low, Medium, High). A vulnerability scan finds a buffer overflow in a customer-facing web application. The application is not critical but has high availability requirements. The likelihood of exploitation is considered Medium due to internal network segmentation. What is the risk level?

A.Medium
B.Extreme
C.High
D.Low
AnswerC

Standard 3x3 risk matrix: Medium likelihood + High impact = High risk.

Why this answer

The risk level is High because the likelihood is Medium (due to internal network segmentation reducing but not eliminating the chance of exploitation) and the impact is High (the application has high availability requirements, so a buffer overflow could cause a denial of service or code execution, severely affecting availability). In a standard 3x3 risk matrix, Medium likelihood combined with High impact yields a High risk rating.

Exam trap

ISC2 often tests the misconception that internal network segmentation automatically lowers the risk to Medium or Low, but the high availability requirement elevates the impact, resulting in a High risk level despite the reduced likelihood.

How to eliminate wrong answers

Option A is wrong because Medium risk would require either Low likelihood with High impact, or Medium likelihood with Medium impact, but here the impact is High due to the application's high availability requirements. Option B is wrong because Extreme risk typically requires both High likelihood and High impact, or a combination like High likelihood with Medium impact in some matrices, but the likelihood is only Medium. Option D is wrong because Low risk would require Low likelihood and Low impact, or Low likelihood with Medium impact, but the impact is High and the likelihood is Medium.

49
MCQmedium

A security analyst notices a sudden increase in failed login attempts from a single IP address across multiple user accounts. Which risk response strategy is most appropriate to implement immediately?

A.Risk mitigation by blocking the IP address
B.Risk remediation by changing all user passwords
C.Risk transfer
D.Risk acceptance
AnswerA

Blocking the source IP mitigates the ongoing brute-force attempt.

Why this answer

Option A is correct because blocking the IP address reduces the immediate risk of further unauthorized access. Option D is wrong because accepting risk is not appropriate when an active threat is present. Option C is wrong because transferring risk (e.g., cyber insurance) does not stop the ongoing attack.

Option B is wrong because remediation might involve patching or changing passwords, but this is not the immediate action; blocking is faster.

50
Multi-Selecteasy

Which TWO of the following are examples of key risk indicators (KRIs)?

Select 2 answers
A.Number of unpatched critical vulnerabilities
B.Total number of employees
C.Percentage of systems with antivirus disabled
D.Average user satisfaction score
E.Number of security incidents this quarter
AnswersA, C

A high number indicates higher risk of exploitation.

Why this answer

Option A is correct because the number of unpatched critical vulnerabilities directly measures the organization's exposure to known exploits. A KRI must be quantifiable and predictive of risk; unpatched vulnerabilities are a leading indicator of potential breaches, as attackers actively scan for and exploit such weaknesses. This metric is commonly tracked in vulnerability management programs to prioritize remediation efforts.

Exam trap

ISC2 often tests the distinction between leading indicators (KRIs) and lagging indicators (outcome metrics), so candidates mistakenly select 'Number of security incidents this quarter' because it seems risk-related, but it is a historical outcome, not a predictive risk indicator.

51
MCQeasy

After a security incident, the CISO asks for a report detailing which assets were affected, the attack vector, and the financial impact. Which of the following best describes this report?

A.Lessons learned report
B.Incident response plan
C.Risk register
D.Business impact analysis (BIA)
AnswerA

A lessons learned report captures post-incident details and improvements.

Why this answer

A lessons learned report is a post-incident document that captures what happened during a security incident, including affected assets, the attack vector, and financial impact. It is used to improve future incident response processes and is distinct from operational plans or risk assessments.

Exam trap

ISC2 often tests the distinction between proactive planning documents (incident response plan, BIA) and reactive post-incident reports (lessons learned), leading candidates to confuse the BIA's financial impact analysis with the incident-specific financial impact in the lessons learned report.

How to eliminate wrong answers

Option B is wrong because an incident response plan is a pre-defined set of procedures for detecting, responding to, and recovering from incidents, not a post-incident summary of specific impacts. Option C is wrong because a risk register is a living document that logs identified risks, their likelihood, and mitigation status, not a retrospective report on a single incident. Option D is wrong because a business impact analysis (BIA) identifies critical business functions and their recovery priorities, not the details of a specific security event.

52
MCQmedium

A system administrator receives an alert from the SIEM indicating a possible brute-force attack on a server. The logs show 100 failed logins in 2 minutes from a single source. Which of the following is the best immediate action to verify and respond?

A.Immediately disable the user account that was targeted most
B.Check firewall logs for the source IP and block it in the firewall
C.Reset all user passwords and enable multi-factor authentication
D.Ignore the alert because it is likely a false positive
AnswerB

This confirms the attack and stops it at the network perimeter.

Why this answer

Option B is correct because the immediate priority is to stop the ongoing attack by blocking the source IP at the firewall. Checking firewall logs confirms the source IP and ensures the block is applied to the correct address, preventing further authentication attempts. This aligns with the principle of containment before remediation in incident response.

Exam trap

The trap here is that candidates confuse immediate containment (blocking the source IP) with long-term remediation (resetting passwords or disabling accounts), leading them to choose a reactive user-focused action instead of a network-level control to stop the attack in progress.

How to eliminate wrong answers

Option A is wrong because disabling the targeted user account does not stop the brute-force attack; the attacker can simply target another account or continue with different usernames, and it may disrupt legitimate user access without addressing the source. Option C is wrong because resetting all passwords and enabling MFA is a long-term remediation step, not an immediate action; it is premature without first verifying the attack and containing it, and it could cause widespread disruption. Option D is wrong because ignoring the alert assumes a false positive without verification; 100 failed logins in 2 minutes from a single source is a strong indicator of a brute-force attack and requires investigation, not dismissal.

53
Drag & Dropmedium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.


Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

54
Multi-Selecthard

Which TWO of the following are key indicators of a potential data exfiltration attempt?

Select 2 answers
A.Large number of failed login attempts from multiple accounts
B.Unusual outbound traffic to a known malicious IP address
C.Multiple firewall rule changes in a short period
D.Successful logins from unusual geolocations for multiple users
E.Sudden increase in database read operations by a single user account
AnswersB, E

This is a direct indicator of data being sent to an external threat actor.

Why this answer

Unusual outbound traffic to a known bad IP (B) and a sudden increase in database read operations from a single user (E) are both strong indicators of data exfiltration. Failed logins (A) and unusual geolocations (D) are more indicative of credential abuse or lateral movement, while firewall rule changes (C) could be part of normal administration or a precursor to exfiltration but are not direct indicators.

55
Multi-Selectmedium

Which TWO of the following are key components of a Business Impact Analysis (BIA)?

Select 2 answers
A.Recovery time objective.
B.Vulnerability assessment.
C.Criticality analysis.
D.Likelihood estimation.
E.Threat modeling.
AnswersA, C

RTO specifies the maximum acceptable downtime for a process.

Why this answer

A Recovery Time Objective (RTO) is a key component of a Business Impact Analysis (BIA) because it defines the maximum acceptable downtime for a business process or system after a disruption. The BIA identifies critical functions and their dependencies, and RTO is derived from the financial and operational impact of downtime, directly informing recovery strategy and resource allocation.

Exam trap

ISC2 often tests the distinction between BIA components (RTO, criticality analysis) and risk assessment components (vulnerability assessment, likelihood, threat modeling), causing candidates to conflate impact analysis with risk analysis.

56
MCQhard

A financial institution uses a quantitative risk analysis to evaluate a new online payment system. The asset value is $5 million, the exposure factor is 40%, and the annualized rate of occurrence (ARO) is 0.5. What is the annualized loss expectancy (ALE)?

A.$1,000,000
B.$800,000
C.$2,000,000
D.$2,500,000
AnswerA

Correct calculation: SLE = $5M × 0.4 = $2M; ALE = $2M × 0.5 = $1M.

Why this answer

The annualized loss expectancy (ALE) is calculated as single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). SLE is asset value ($5,000,000) times exposure factor (40%) = $2,000,000. Then ALE = $2,000,000 × 0.5 = $1,000,000.

This quantitative risk analysis formula is standard in financial risk assessments for payment systems.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who stop after calculating SLE ($2,000,000) and forget to multiply by the ARO (0.5).

How to eliminate wrong answers

Option B ($800,000) is wrong because no correct combination of the given figures produces it; it results from a miscalculation such as applying the exposure factor twice ($5,000,000 × 0.4 × 0.4) instead of multiplying SLE by the ARO. Option C ($2,000,000) is wrong because it represents the SLE only (asset value × exposure factor) and fails to multiply by the ARO of 0.5. Option D ($2,500,000) is wrong because it incorrectly multiplies the asset value by the ARO only ($5,000,000 × 0.5) and ignores the exposure factor entirely.

57
MCQmedium

Based on the exhibit, which type of attack is most likely being attempted?

A.Cross-site scripting (XSS)
B.SQL injection
C.Directory traversal
D.Buffer overflow
AnswerB

The parameter contains SQL syntax designed to drop a table, which is characteristic of a SQL injection attack.

Why this answer

The exhibit shows a URL parameter containing SQL injection syntax (DROP TABLE users;). The %22%3B%20 sequence URL-decodes to a double quote, a semicolon and a space, which closes the string literal and terminates the current statement so that a new one can be appended to the SQL query. The destination is an internal host (10.0.0.100), likely a web application server.

A status code of 500 indicates a server error, possibly due to the malicious input. Thus, SQL injection (Option B) is correct. The other options do not match the pattern.

58
MCQhard

A company is implementing a risk monitoring program. Which of the following is the best key performance indicator (KPI) to measure the effectiveness of the vulnerability management process?

A.Mean time to remediate (MTTR) critical vulnerabilities
B.Percentage of systems with up-to-date patches
C.Number of vulnerability scans performed per month
D.Number of vulnerabilities discovered per scan
AnswerA

MTTR directly measures how quickly critical risks are addressed.

Why this answer

Mean time to remediate (MTTR) critical vulnerabilities directly measures how quickly the organization closes the window of exposure for the highest-risk flaws. This KPI reflects the efficiency of the remediation workflow—from detection through patching or compensating control deployment—and is a standard metric in frameworks like NIST SP 800-40 and the CVSS scoring system. A lower MTTR indicates a more effective vulnerability management process because it reduces the time attackers have to exploit known weaknesses.

Exam trap

The trap here is that candidates often confuse activity metrics (like scan frequency or patch coverage) with outcome metrics (like remediation speed), leading them to choose a KPI that sounds operational but does not directly measure the effectiveness of the vulnerability management process.

How to eliminate wrong answers

Option B is wrong because the percentage of systems with up-to-date patches is a compliance-oriented metric that does not account for the severity or criticality of vulnerabilities; a system could be fully patched against low-severity issues while still harboring an unpatched critical vulnerability. Option C is wrong because the number of vulnerability scans performed per month measures activity volume, not process effectiveness; frequent scans are useless if findings are not remediated promptly. Option D is wrong because the number of vulnerabilities discovered per scan is a measure of the attack surface or scan coverage, not the effectiveness of remediation; a high discovery count could indicate a thorough scan but says nothing about how quickly or completely those vulnerabilities are fixed.

59
Matchingmedium

Match each security control type to its example.


Firewall

IDS

Backup restoration

Warning signs

Why these pairings

These are common examples of security control categories.

60
MCQeasy

Which of the following is the primary purpose of a risk register?

A.To record all security incidents after they occur
B.To track changes made to system configurations
C.To document and track identified risks and their treatment
D.To automatically detect vulnerabilities in the network
AnswerC

Correct purpose of a risk register.

Why this answer

The primary purpose of a risk register is to document and track identified risks along with their treatment plans, including risk owners, likelihood, impact, and mitigation status. This aligns with the Risk Identification, Monitoring and Analysis domain, where the risk register serves as a central repository for risk management activities throughout the system development life cycle.

Exam trap

The trap here is that candidates confuse the risk register with an incident log or vulnerability scanner output, but the risk register is specifically a forward-looking planning document for managing identified risks, not a reactive or automated detection tool.

How to eliminate wrong answers

Option A is wrong because a risk register is a proactive tool for documenting potential risks before they occur, not a reactive log for recording security incidents after they happen (incident response logs serve that purpose). Option B is wrong because tracking changes to system configurations is the function of a change management system or configuration management database (CMDB), not a risk register. Option D is wrong because automatic vulnerability detection is performed by vulnerability scanners (e.g., Nessus, OpenVAS) or SIEM tools, not by a risk register, which is a manual or semi-automated documentation and tracking artifact.

61
MCQmedium

A security analyst reviews the exhibit. The internal IP 10.0.0.1 is a web server, and 203.0.113.5 is an external IP. What is the most likely issue?

A.The web server may be exfiltrating data to an external host
B.The external IP is scanning the web server for vulnerabilities
C.The web server is experiencing a DDoS attack from the external IP
D.An internal user is browsing a malicious website
AnswerA

A growing volume of outgoing data to a single external host is indicative of data exfiltration.

Why this answer

The exhibit shows a high volume of outbound traffic from internal IP 10.0.0.1 (the web server) to external IP 203.0.113.5 on port 443 (HTTPS). This pattern is consistent with data exfiltration, where a compromised web server sends sensitive data to an external command-and-control (C2) server. The traffic is initiated by the internal server, not inbound, which rules out scanning or DDoS attacks.

Exam trap

The trap here is that candidates confuse the direction of traffic—assuming any external IP communicating with a web server must be an attacker scanning or attacking, rather than recognizing that the server itself may be the compromised source of outbound data.

How to eliminate wrong answers

Option B is wrong because vulnerability scanning typically involves inbound probes (e.g., SYN scans) from the external IP to the web server, not sustained outbound data flows. Option C is wrong because a DDoS attack would show a flood of inbound traffic from many sources, not a single external IP sending or receiving a steady outbound stream. Option D is wrong because an internal user browsing a malicious website would generate outbound traffic from a client workstation, not from a web server IP like 10.0.0.1.
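The point of Q61, and of the outbound-traffic indicator in Q54, is direction and concentration: an internal server pushing most of its egress to one external destination. The script below is an added example for this page, not part of the question bank or of any monitoring product. It aggregates constructed flow records (the 10.0.0.1 web server and 203.0.113.5 external host from the question, with invented byte counts), keeps only internal-to-external flows, and flags a host whose egress to one external destination both exceeds a byte threshold and makes up most of that host's total external traffic. The RFC 1918 internal ranges, the 500 MB threshold and the 80% share are assumptions; in practice the threshold would come from each host's own baseline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918). Adjust to the real environment.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_src).
# 10.0.0.1 is the web server and 203.0.113.5 the external host named in the
# question; all byte counts and the other addresses are invented.
SAMPLE_FLOWS = [
    ("10.0.0.1",  "203.0.113.5",   443,  850_000_000),  # sustained HTTPS egress
    ("10.0.0.1",  "203.0.113.5",   443,  920_000_000),  # same destination again
    ("10.0.0.1",  "198.51.100.20", 443,    2_000_000),  # routine update traffic
    ("10.0.0.25", "198.51.100.44", 443,   15_000_000),  # workstation browsing
    ("10.0.0.25", "198.51.100.45",  80,    4_000_000),
    ("10.0.0.1",  "10.0.0.50",    5432,  300_000_000),  # internal DB traffic, ignored
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_pair(flows):
    """Sum bytes per (internal src, external dst, dst_port); drop other flows."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst, port)] += nbytes
    return totals


def exfiltration_candidates(flows, threshold_bytes=500_000_000, ratio=0.8):
    """Flag internal hosts whose egress to one external destination is both
    large (>= threshold_bytes) and dominant (>= ratio of the host's external
    egress). Returns alerts sorted by bytes, largest first.
    """
    totals = outbound_by_pair(flows)
    per_host = defaultdict(int)
    for (src, _dst, _port), nbytes in totals.items():
        per_host[src] += nbytes

    alerts = []
    for (src, dst, port), nbytes in totals.items():
        share = nbytes / per_host[src]
        if nbytes >= threshold_bytes and share >= ratio:
            alerts.append({
                "src": src, "dst": dst, "port": port,
                "bytes": nbytes, "share": round(share, 3),
            })
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for a in exfiltration_candidates(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}:{a['port']} "
              f"{a['bytes'] / 1e6:.0f} MB ({a['share']:.0%} of host egress)")
```

The two 203.0.113.5 flows are merged into one pair, so the alert reports the combined 1.77 GB; the internal database flow never counts as egress, which is what keeps a busy but legitimate backend from being flagged.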

62
MCQhard

An organization's risk register shows a high risk for phishing attacks. Which controls are considered detective controls for this risk?

A.Security awareness training.
B.Email filtering.
C.User reporting mechanism.
D.Multi-factor authentication.
AnswerC

User reporting detects phishing attacks that have reached users, enabling response.

Why this answer

A user reporting mechanism is a detective control because it enables users to identify and report suspected phishing emails after they have been received, allowing the security team to investigate and respond. Unlike preventive controls that block attacks, detective controls discover incidents that have already occurred, such as a user recognizing a malicious link or attachment in their inbox.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse 'user reporting' as a reactive or corrective control rather than recognizing it as a detective control that identifies an ongoing or past incident.

How to eliminate wrong answers

Option A is wrong because security awareness training is a preventive/deterrent control that educates users to avoid falling for phishing, not a control that detects attacks after they occur. Option B is wrong because email filtering is a preventive control that blocks phishing emails before they reach the user's inbox, not a detective measure that identifies incidents post-delivery. Option D is wrong because multi-factor authentication is a preventive control that protects accounts even if credentials are compromised, not a detective control that identifies phishing attempts or compromises.

63
Multi-Selectmedium

Which TWO of the following are primary purposes of a risk register?

Select 2 answers
A.Track the status of risk treatment plans
B.Document identified risks and their characteristics
C.Record network traffic logs
D.Store vulnerability scan results
E.Provide a checklist for compliance audits
AnswersA, B

The risk register tracks mitigation actions and their progress.

Why this answer

Option A is correct because a risk register is a living document used to track the status of risk treatment plans, including whether controls have been implemented, are in progress, or are overdue. This ensures that risk owners are accountable and that residual risk is managed over time. Option B is correct because the primary function of a risk register is to document identified risks along with their characteristics, such as probability, impact, risk score, and owner.

These two functions are core to the risk management process as defined by frameworks like NIST SP 800-37 and ISO 31000.

Exam trap

The trap here is that candidates confuse the risk register with operational security tools like vulnerability scanners or log management systems, leading them to select options that describe technical data storage rather than the risk management documentation and tracking functions.

64
MCQhard

Refer to the exhibit. An analyst reviews the sshd log. What should be the immediate response?

A.Block the source IP 203.0.113.5 on the firewall
B.Disable SSH service on the server
C.Inform the server administrator of the suspicious activity
D.Change the root password and disable root SSH login
AnswerD

Immediately revoke access for the compromised account and prevent further use.

Why this answer

The sshd log shows repeated failed root login attempts from IP 203.0.113.5, indicating a brute-force attack targeting the root account. The immediate response is to change the root password and disable root SSH login (e.g., set `PermitRootLogin no` in `/etc/ssh/sshd_config`), as this directly mitigates the attack vector by removing the ability to authenticate as root via SSH. This aligns with the principle of least privilege and is a standard first step in SSH security hardening.

Exam trap

The trap here is that candidates often choose to block the source IP (Option A) because it seems like a quick fix, but they overlook that the root account remains exposed and the attacker can simply switch IPs, making the password change and disabling root login the correct immediate response.

How to eliminate wrong answers

Option A is wrong because blocking the source IP 203.0.113.5 on the firewall is a reactive measure that only addresses this specific attacker; the root account remains vulnerable to future attacks from other IPs, and the underlying misconfiguration (root SSH login enabled) is not fixed. Option B is wrong because disabling the SSH service on the server would deny legitimate administrative access entirely, causing unnecessary disruption; the goal is to secure SSH, not disable it. Option C is wrong because informing the server administrator of the suspicious activity is a notification step, not an immediate response; it delays action while the attack continues, and the administrator would still need to perform the corrective steps (change password, disable root login).
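Q44, Q52 and this question all rest on the same observable: many failed authentications from one source inside a short window, against one account or several. The detector below is an added example written for this page, not part of the question bank or of any SIEM product. It parses constructed sshd lines (an invented host, made-up user names, and source addresses from the RFC 5737 documentation ranges, including the 203.0.113.5 address the question uses), groups failures by source IP, and raises an alert when a sliding window holds at least the threshold number of failures, noting whether one account or many were targeted. The threshold of 5 failures in 60 seconds and the assumed log year are tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log in syslog format. Host name, users and addresses are
# illustrative only; nothing here is taken from a real system.
SAMPLE_LOG = """\
Mar 10 09:14:01 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 10 09:14:03 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 10 09:14:05 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 09:14:08 bastion sshd[2207]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar 10 09:14:10 bastion sshd[2209]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar 10 09:14:12 bastion sshd[2211]: Failed password for root from 203.0.113.5 port 51027 ssh2
Mar 10 09:14:15 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51028 ssh2
Mar 10 09:14:17 bastion sshd[2215]: Failed password for root from 203.0.113.5 port 51029 ssh2
Mar 10 09:14:40 bastion sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 40011 ssh2
Mar 10 09:20:00 bastion sshd[2250]: Failed password for bob from 192.0.2.10 port 40012 ssh2
Mar 10 09:25:00 bastion sshd[2260]: Failed password for invalid user admin from 198.51.100.7 port 33010 ssh2
"""

# Matches sshd's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m.group("ts").split())  # collapse 'Mar  9' padding
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside any window_seconds span.

    Returns {ip: {"failures", "users", "first", "last", "pattern"}} where
    pattern is "single-account" (one user hammered) or "multi-account"
    (spread across users, the Q49-style pattern).
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _user) in enumerate(events):
            # Advance the window start until it is within window_seconds of ts.
            while ts - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events})
                alerts[ip] = {
                    "failures": len(events),
                    "users": users,
                    "first": events[0][0],
                    "last": events[-1][0],
                    "pattern": "single-account" if len(users) == 1 else "multi-account",
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']} "
              f"({info['pattern']}) between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S}")
```

On the sample log only 203.0.113.5 trips the default threshold (eight root failures in sixteen seconds); the single failures from the other two sources are left alone, which is the noise-versus-signal separation the SIEM tuning questions earlier on the page are about.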

65
MCQmedium

A security team is conducting a qualitative risk assessment for a new cloud application. They want to prioritize risks based on likelihood and impact. Which method should they use to combine these factors?

A.Risk matrix (heat map)
B.SWOT analysis
C.Annualized loss expectancy (ALE)
D.Business Impact Analysis (BIA)
AnswerA

A qualitative risk matrix uses ordinal scales for likelihood and impact to produce risk ratings.

Why this answer

A risk matrix (heat map) is the correct method because it combines qualitative assessments of likelihood and impact into a single visual grid, allowing the team to prioritize risks by their position in the matrix. This approach is standard for qualitative risk assessments where numerical data is unavailable, as it maps ordinal ratings (e.g., low, medium, high) to a color-coded priority level.

Exam trap

The trap here is that candidates often confuse qualitative risk assessment with quantitative methods like ALE, assuming any combination of likelihood and impact requires numerical calculation, but the question explicitly states 'qualitative', which directly points to a risk matrix.

How to eliminate wrong answers

Option B is wrong because SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) is a strategic planning tool used to identify internal and external factors, not a method for combining likelihood and impact to prioritize risks. Option C is wrong because Annualized Loss Expectancy (ALE) is a quantitative metric (SLE × ARO) that requires numerical values for asset value and frequency, making it unsuitable for a purely qualitative assessment. Option D is wrong because Business Impact Analysis (BIA) focuses on identifying critical business functions and recovery priorities, not on combining likelihood and impact for risk prioritization.

66 · MCQ · easy

A small company uses a single firewall at the network perimeter. The security team receives alerts from an IDS but cannot correlate them with firewall logs because logs are stored on separate servers with different timestamps. The CEO wants to reduce false positives and improve incident response. What should the security team do first?

A. Increase the IDS sensitivity to catch more threats.
B. Replace the IDS with a next-generation firewall.
C. Implement a SIEM to aggregate and correlate logs from multiple sources.
D. Manually align timestamps on each server daily.
Answer: C

A SIEM centralizes logs and normalizes timestamps, enabling correlation and reducing false positives.

Why this answer

A SIEM (Security Information and Event Management) system aggregates logs from multiple sources, normalizes timestamps, and correlates events to reduce false positives and improve incident response. This directly addresses the core problem of disparate log sources with unsynchronized timestamps, enabling effective correlation between IDS alerts and firewall logs without replacing existing infrastructure.

Exam trap

The trap here is that candidates may think a next-generation firewall (NGFW) replaces the need for log correlation, but NGFWs still generate logs that require aggregation and correlation with other sources to reduce false positives and enable effective incident response.

How to eliminate wrong answers

Option A is wrong because increasing IDS sensitivity would generate more alerts, exacerbating the false positive problem and making correlation harder without fixing the timestamp mismatch. Option B is wrong because replacing the IDS with a next-generation firewall (NGFW) does not solve the log correlation issue; NGFWs still generate logs that need to be correlated with other sources, and the underlying timestamp synchronization problem remains. Option D is wrong because manually aligning timestamps daily is impractical, error-prone, and does not scale; it also fails to provide automated correlation or reduce false positives in real time.

67 · MCQ · medium

A security team discovers that an employee's credentials were used to access the HR database from an unrecognized IP address in a foreign country. The employee is currently in the office. Which risk identification technique is most directly responsible for detecting this anomaly?

A. User and entity behavior analytics (UEBA)
B. Manual log review
C. Vulnerability scanning
D. Threat intelligence feeds
Answer: A

UEBA detects deviations from normal behavior, such as a login from an unusual location.

Why this answer

UEBA is the correct answer because it uses machine learning and statistical models to establish a baseline of normal user behavior (e.g., typical login times, geolocations, and access patterns). When the employee's credentials are used from a foreign IP address while the employee is physically in the office, UEBA detects this as an anomalous deviation from the baseline, triggering an alert. This technique is specifically designed for real-time anomaly detection in user and entity activities, making it the most direct method for identifying this type of credential misuse.

Exam trap

The trap here is that candidates may confuse threat intelligence feeds (Option D) with anomaly detection, assuming that an unrecognized foreign IP would be flagged by a threat feed, but UEBA is the only technique that directly detects behavioral anomalies without relying on known-bad indicators.

How to eliminate wrong answers

Option B (Manual log review) is wrong because it is a reactive, labor-intensive process that relies on human analysts to sift through logs after an incident, making it inefficient for real-time anomaly detection; it would not directly detect the anomaly without prior suspicion or automated correlation. Option C (Vulnerability scanning) is wrong because it focuses on identifying known security weaknesses in systems (e.g., unpatched software, misconfigurations) rather than monitoring user behavior or detecting anomalous access patterns. Option D (Threat intelligence feeds) is wrong because they provide information about known malicious IPs, domains, or indicators of compromise (IOCs) from external sources, but they do not establish a baseline of normal user behavior; an unrecognized IP from a foreign country may not be in any threat feed, so the anomaly would be missed without behavioral analysis.

68 · MCQ · easy

Which metric is used to measure the potential loss from a single occurrence of a risk?

A. Exposure Factor (EF)
B. Annualized Loss Expectancy (ALE)
C. Annualized Rate of Occurrence (ARO)
D. Single Loss Expectancy (SLE)
Answer: D

SLE is the monetary loss from a single occurrence.

Why this answer

The Single Loss Expectancy (SLE) is the metric used to measure the potential loss from a single occurrence of a risk. It is calculated as Asset Value (AV) multiplied by the Exposure Factor (EF), providing a dollar value for one incident. This directly answers the question of loss per single event.

Exam trap

ISC2 often tests the distinction between SLE and ALE, trapping candidates who confuse a single-event loss with an annualized figure, especially when the question explicitly asks for 'single occurrence' but the answer options include ALE as a distractor.

How to eliminate wrong answers

Option A is wrong because Exposure Factor (EF) is a percentage representing the proportion of asset value lost per incident, not a direct monetary loss measure. Option B is wrong because Annualized Loss Expectancy (ALE) measures the expected loss per year, calculated as SLE × ARO, not per single occurrence. Option C is wrong because Annualized Rate of Occurrence (ARO) is a frequency metric (events per year), not a loss measurement.

69 · MCQ · medium

A security team is conducting a penetration test. In which phase would they attempt to exploit vulnerabilities found during scanning?

A. Maintaining access.
B. Scanning.
C. Reconnaissance.
D. Gaining access.
Answer: D

This phase uses exploits to achieve initial access based on scan results.

Why this answer

The gaining access phase is where the penetration tester actively exploits vulnerabilities discovered during scanning to obtain unauthorized entry into the system. This phase involves using tools like Metasploit or custom exploits to leverage specific weaknesses, such as unpatched software or misconfigured services, to achieve an initial foothold. It directly follows the scanning phase and precedes maintaining access, making D the correct choice.

Exam trap

The trap here is confusing the scanning phase with the gaining access phase, as candidates often think vulnerability scanning includes exploitation, but scanning only identifies potential weaknesses without actively compromising the system.

How to eliminate wrong answers

Option A is wrong because maintaining access occurs after gaining access, focusing on persistence mechanisms like backdoors or rootkits, not the initial exploitation of vulnerabilities. Option B is wrong because scanning is the phase where vulnerabilities are identified through port scans (e.g., Nmap) and service enumeration, but exploitation is not performed here. Option C is wrong because reconnaissance is the initial information-gathering phase (e.g., OSINT, DNS lookups) that precedes scanning and does not involve active exploitation of vulnerabilities.

70 · MCQ · medium

You work for a financial services firm that must comply with GDPR and PCI DSS. The company uses a cloud-based CRM to store customer data. The security team recently discovered that the CRM vendor had a data breach that exposed the company's customer records. An investigation shows that the breach occurred because the vendor did not have multi-factor authentication (MFA) enabled for administrative accounts. The contract with the vendor states that the vendor is responsible for security of their platform. However, your company had not conducted a risk assessment of the vendor before signing the contract. Management wants to improve risk identification for third-party relationships. Which of the following is the BEST long-term solution?

A. Implement a third-party risk management program with periodic security assessments and contractual security requirements
B. Demand that the vendor reimburse the company for breach costs
C. Cancel the contract with the vendor and move to a private cloud solution
D. Require all vendors to provide SOC 2 reports
Answer: A

A program ensures ongoing risk identification and mitigation.

Why this answer

Option A is correct because a third-party risk management (TPRM) program with periodic security assessments and contractual security requirements directly addresses the root cause: the lack of pre-contract risk identification and ongoing vendor oversight. By embedding MFA requirements into contracts and performing regular assessments (e.g., reviewing SOC 2 reports, conducting penetration tests), the company can proactively enforce security controls like MFA for administrative accounts, preventing future breaches. This is a sustainable, long-term solution that aligns with GDPR and PCI DSS due diligence obligations.

Exam trap

The trap here is that candidates may choose Option D (SOC 2 reports) as a quick fix, mistakenly believing a single compliance report guarantees security, when in fact SOC 2 is a point-in-time audit that does not enforce ongoing contractual obligations or address specific risks like MFA configuration.

How to eliminate wrong answers

Option B is wrong because demanding reimbursement is a reactive, financial remedy that does not prevent future breaches; it fails to address the systemic lack of risk identification and vendor oversight. Option C is wrong because canceling the contract and moving to a private cloud solution is an extreme, short-term reaction that ignores the need for a scalable, ongoing vendor risk management process; it also may not be feasible or cost-effective for all third-party relationships. Option D is wrong because requiring SOC 2 reports alone is insufficient; while SOC 2 provides a snapshot of controls, it does not ensure continuous compliance or contractual enforcement of specific security measures like MFA, and it does not replace the need for periodic assessments tailored to the company's risk appetite.

71 · MCQ · medium

Refer to the exhibit. During a security review, an analyst finds these firewall rules. Which recommendation should be made to reduce risk?

A. Restrict the source for rule 10 to specific administrative IPs
B. Enable logging on rule 15 as well
C. Require VPN access for all internal traffic
D. Remove rule 15 entirely
Answer: A

Limiting source reduces attack surface for SQL Server.

Why this answer

Rule 10 allows SSH (TCP/22) from any source (0.0.0.0/0) to the internal server, which exposes the management interface to the entire internet. Restricting the source to specific administrative IPs reduces the attack surface by limiting who can initiate SSH connections, mitigating brute-force and unauthorized access risks. This aligns with the principle of least privilege and is a fundamental access control recommendation.

Exam trap

The trap here is that candidates may focus on logging (option B) or overly broad solutions (option C) instead of directly addressing the most critical risk—unrestricted inbound SSH access—which is the classic 'permit any any' mistake in firewall rules.

How to eliminate wrong answers

Option B is wrong because enabling logging on rule 15 (which likely permits all outbound traffic) does not reduce risk; it only improves visibility, but the rule itself remains overly permissive and could allow malicious outbound traffic. Option C is wrong because requiring VPN for all internal traffic is excessive and unnecessary; VPN is typically used for remote access, not for internal LAN traffic, and would add latency and complexity without addressing the specific exposure of rule 10. Option D is wrong because removing rule 15 entirely might break legitimate outbound connectivity (e.g., DNS, updates) and is not the most direct fix for the inbound SSH exposure; a more targeted approach is to restrict the source of rule 10.

72 · Multi-Select · hard

Which TWO of the following are examples of preventive controls for data leakage?

Select 2 answers
A. Encryption.
B. Data Loss Prevention (DLP) system.
C. Log monitoring.
D. Security awareness training.
E. User access reviews.
Answers: A, B

Encryption renders data unreadable without a key, preventing leakage.

Why this answer

Encryption is a preventive control because it renders data unreadable to unauthorized parties, thereby preventing data leakage even if the data is intercepted or accessed without authorization. By transforming plaintext into ciphertext using algorithms like AES-256, encryption ensures that only entities with the correct decryption key can access the original data, effectively blocking data exfiltration at rest or in transit.

Exam trap

The trap here is that candidates often confuse detective controls (like log monitoring) or administrative controls (like training) with preventive controls, because they seem to 'prevent' issues indirectly, but the SSCP exam strictly classifies controls by their primary function—preventive controls must actively block the threat before it occurs.

73 · Multi-Select · easy

Which TWO of the following are key components of a risk assessment process?

Select 2 answers
A. Control testing
B. Asset identification
C. Vulnerability identification
D. Risk treatment selection
E. Threat identification
Answers: B, E

Assets must be identified to assess risk to them.

Why this answer

Asset identification (B) is a key component because you cannot assess risk without knowing what assets need protection. Threat identification (E) is also essential because risk is defined as the likelihood of a threat exploiting a vulnerability to cause harm to an asset. Together, asset and threat identification form the foundational inputs for calculating risk.

Exam trap

ISC2 often tests the distinction between risk assessment (identifying assets, threats, and vulnerabilities) and risk management (selecting and implementing controls), so candidates mistakenly select control testing or risk treatment selection as part of the assessment process.

74 · MCQ · easy

A risk manager is calculating the annualized loss expectancy (ALE) for a server. The single loss expectancy (SLE) is $5,000 and the annualized rate of occurrence (ARO) is 0.2. What is the ALE?

A. $25,000
B. $1,000
C. $5,000
D. $100
Answer: B

Correct calculation.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Here, SLE = $5,000 and ARO = 0.2, so ALE = $5,000 × 0.2 = $1,000. This represents the expected annual financial loss from the server risk.

Exam trap

The trap here is that candidates often confuse the ALE formula by dividing SLE by ARO instead of multiplying, leading to the inflated $25,000 figure in option A.

How to eliminate wrong answers

Option A is wrong because $25,000 results from dividing SLE by ARO ($5,000 / 0.2), which is a common arithmetic reversal error. Option C is wrong because $5,000 is simply the SLE value, ignoring the ARO multiplier entirely. Option D is wrong because $100 would come from multiplying SLE by ARO but misplacing a decimal (e.g., $5,000 × 0.02), indicating a calculation mistake.

75 · MCQ · hard

A company uses a SIEM to monitor security events. Recently, the team has been experiencing false positives from a new IDS rule. Which approach would best reduce false positives while maintaining detection?

A. Disable the rule.
B. Increase the log review frequency.
C. Whitelist false positive sources.
D. Adjust the rule threshold.
Answer: D

Fine-tuning the threshold balances false positive reduction with detection capability.

Why this answer

Adjusting the rule threshold (Option D) is the best approach because it fine-tunes the sensitivity of the IDS rule to reduce false positives without completely disabling detection. By raising the threshold (e.g., increasing the number of matching packets or the time window), the SIEM will only generate an alert when the rule's criteria are met more persistently, filtering out noise while still capturing genuine threats. This maintains the rule's detection capability for actual attacks that exceed the adjusted threshold.

Exam trap

The trap here is that candidates often choose to whitelist false positive sources (Option C) because it seems like a quick fix, but this approach can inadvertently suppress alerts for real attacks from those same sources, whereas threshold tuning preserves detection capability.

How to eliminate wrong answers

Option A is wrong because disabling the rule eliminates detection entirely, which could allow real attacks to go unnoticed and violates the principle of maintaining detection. Option B is wrong because increasing log review frequency does not reduce false positives; it only increases the volume of alerts to review, potentially overwhelming analysts and not addressing the root cause of the false positives. Option C is wrong because whitelisting false positive sources only suppresses alerts from those specific sources, which can mask legitimate attacks originating from the same sources and does not address the underlying rule sensitivity issue.
