CCNA Risk Identification, Monitoring, and Analysis Questions

74 questions · Risk Identification, Monitoring, and Analysis · All types, answers revealed

Question 1 · Multi-Select · hard

A company is implementing a new SIEM. Which THREE factors are most important to ensure log integrity and usefulness for forensic investigations? (Choose THREE.)

Select 3 answers
A. Write-once storage to prevent modification
B. Digital signing of logs to verify authenticity
C. Minimizing log retention to reduce storage costs
D. Ensuring logs are retained for a period consistent with legal and regulatory requirements
E. Aggregating logs from all sources into one centralized repository
Answers: A, B, D

Write-once storage ensures logs cannot be altered after creation.

Why this answer

Write-once storage (e.g., WORM drives or append-only storage systems) prevents modification or deletion of log data after it is written. This immutability is critical for forensic investigations because it ensures that logs cannot be tampered with by an attacker or an insider, preserving the original evidence exactly as it was recorded.

Exam trap

The trap here is that candidates often confuse operational convenience (centralized aggregation) with security controls (integrity and authenticity), leading them to select Option E instead of recognizing that integrity requires write-once or cryptographic protections.

Question 2 · MCQ · easy

A vulnerability scanner identifies a high-severity vulnerability in a web server that is exposed to the internet. According to common remediation SLAs, what is the typical timeframe to remediate a critical vulnerability?

A. 90 days
B. 24-72 hours
C. 7 days
D. 30 days
Answer: B

Correct: Critical vulnerabilities typically have a 24-72 hour SLA.

Why this answer

Option B is correct because critical vulnerabilities in internet-exposed systems typically require remediation within 24–72 hours under common SLAs (e.g., PCI DSS, NIST, or organizational security policies). This timeframe reflects the high risk of remote exploitation, where an attacker can compromise the server before a longer window expires.

Exam trap

Cisco often tests the distinction between critical (24–72 hours), high (7 days), and medium (30 days) SLAs, and the trap here is that candidates confuse 'high' with 'critical' and select 7 days instead of the shorter window.

How to eliminate wrong answers

Option A is wrong because 90 days is far too long for a critical vulnerability on an internet-facing web server; such a window is more typical for low-severity or non-exploitable issues. Option C is wrong because 7 days is a common SLA for high-severity vulnerabilities, not critical ones, which demand faster action due to immediate exploitation risk. Option D is wrong because 30 days is a typical remediation timeframe for medium-severity vulnerabilities, not critical ones, and would leave the server exposed to active attacks.

Question 3 · MCQ · medium

A security team implements a SIEM solution to collect logs from firewalls, servers, and workstations. They create a correlation rule that triggers an alert when a single user logs in from more than three different geographic locations within one hour. This is an example of which detection method?

A. Heuristic-based detection
B. Behavior-based detection
C. Anomaly-based detection
D. Signature-based detection
Answer: B

Behavior-based detection establishes a baseline and alerts on deviations; multiple logins from different locations is anomalous.

Why this answer

The rule detects deviations from a user's normal login pattern by flagging logins from more than three geographic locations within an hour. This is behavior-based detection because it establishes a baseline of typical user behavior (e.g., logging in from one or two locations) and triggers an alert when the observed behavior deviates from that baseline. It does not rely on known attack signatures or static heuristics, but on learned patterns of user activity.

Exam trap

Cisco often tests the distinction between anomaly-based and behavior-based detection by presenting a rule with a fixed threshold (like 'more than three locations'), which candidates mistakenly classify as anomaly-based because it detects unusual activity, but the key is that behavior-based detection relies on a learned baseline of user behavior, not just statistical rarity.

How to eliminate wrong answers

Option A is wrong because heuristic-based detection uses predefined rules or algorithms (e.g., 'if login count > 5, alert') without learning from historical user behavior; this rule adapts to individual user patterns, making it behavioral, not heuristic. Option C is wrong because anomaly-based detection typically flags any statistically rare event (e.g., a login from a new country) without requiring a specific threshold like 'more than three locations'; this rule uses a fixed threshold, which is more characteristic of behavior-based detection. Option D is wrong because signature-based detection matches known attack patterns (e.g., a specific malware hash or exploit string), whereas this rule monitors for unusual user login patterns, not known malicious signatures.

Question 4 · Multi-Select · medium

A security analyst is reviewing SIEM alerts and wants to identify potential data exfiltration. Which TWO of the following indicators are most relevant?

Select 2 answers
A. Successful logins during business hours
B. Large outbound data transfers to an external IP
C. A user connecting to a known command-and-control server
D. Multiple failed login attempts
E. Elevated CPU usage on a database server
Answers: B, C

Directly indicates potential data exfiltration.

Why this answer

Option B is correct because large outbound data transfers to an external IP are a classic indicator of data exfiltration, where an attacker moves stolen data outside the network. SIEM tools can detect this by monitoring traffic volume anomalies, such as a sudden spike in outbound bytes to a single external destination, which deviates from baseline behavior. This directly aligns with the risk of unauthorized data leakage.

Exam trap

The trap here is that candidates confuse indicators of compromise (like failed logins or CPU spikes) with exfiltration-specific signs, failing to focus on outbound data movement as the core criterion.

Question 5 · MCQ · easy

Which type of IDS uses a database of known attack patterns to identify malicious activity?

A. Behavior-based IDS
B. Network-based IDS
C. Anomaly-based IDS
D. Signature-based IDS
Answer: D

Signature-based matches known attack signatures.

Why this answer

Signature-based IDS (D) is correct because it relies on a pre-defined database of known attack patterns, or signatures, to match against network traffic or system activity. When a packet or event matches a signature, the IDS generates an alert. This is the traditional method used by systems like Snort, which compares traffic against rule sets containing specific byte sequences or protocol anomalies.

Exam trap

The trap here is confusing the detection method (signature-based) with the deployment type (network-based), leading candidates to pick 'Network-based IDS' because they associate it with monitoring network traffic, even though the question specifically asks about the detection methodology using known attack patterns.

How to eliminate wrong answers

Option A is wrong because behavior-based IDS (also known as anomaly-based) establishes a baseline of normal activity and flags deviations, not known attack patterns. Option B is wrong because network-based IDS describes the deployment location (monitoring network traffic) rather than the detection methodology; a network-based IDS can be either signature-based or anomaly-based. Option C is wrong because anomaly-based IDS uses statistical models or machine learning to detect deviations from a baseline of normal behavior, not a database of known attack signatures.

Question 6 · Multi-Select · medium

Which TWO of the following are examples of technical threat sources that should be considered during risk identification?

Select 2 answers
A. Earthquake
B. Hardware failure
C. Unauthorized access by employee
D. Software bug
E. Social engineering
Answers: B, D

Technical threat.

Why this answer

Hardware failure (B) is a technical threat source because it involves the physical degradation or malfunction of IT infrastructure components such as hard drives, power supplies, or network interfaces. During risk identification, hardware failures are considered technical threats as they can directly cause data loss, service disruption, or system unavailability, requiring specific controls like redundancy and monitoring.

Exam trap

The trap here is that candidates confuse threat categories, mistakenly classifying human-based threats like social engineering or insider actions as technical threat sources, when the SSCP exam strictly separates technical threats (hardware/software failures) from human and environmental threats.

Question 7 · MCQ · medium

An organization's web application experienced a data breach due to a SQL injection vulnerability. During the risk analysis phase, the security team calculated the SLE as $25,000 and the ARO as 0.5. What is the ALE?

A. $50,000
B. $25,000
C. $6,250
D. $12,500
Answer: D

Correct: ALE = SLE × ARO = $25,000 × 0.5 = $12,500.

Why this answer

The Annualized Loss Expectancy (ALE) is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). Given an SLE of $25,000 and an ARO of 0.5, the ALE is $25,000 × 0.5 = $12,500. This quantifies the expected annual financial loss from the SQL injection vulnerability.

Exam trap

The trap here is that candidates often confuse multiplication with division or forget to apply the ARO, selecting the SLE value directly instead of computing the product.

How to eliminate wrong answers

Option A is wrong because $50,000 results from incorrectly dividing SLE by ARO (i.e., $25,000 / 0.5) rather than multiplying. Option B is wrong because $25,000 equals the SLE itself, ignoring the ARO factor entirely. Option C is wrong because $6,250 comes from dividing SLE by 4 or multiplying by 0.25, which does not correspond to any standard risk calculation formula.

Question 8 · MCQ · medium

A security analyst notices repeated failed login attempts from a single IP address targeting a domain controller. The SIEM alerts after 10 failed attempts within 5 minutes. Which detection type is most likely used?

A. Anomaly-based detection
B. Signature-based detection
C. Rule-based detection
D. Behavior-based detection
Answer: A

Correct: It detects unusual spikes in failed logins compared to a baseline.

Why this answer

The detection is triggered by a threshold of 10 failed attempts within 5 minutes, which is a predefined rule (not a learned baseline). This is classic rule-based detection, not anomaly-based detection. Anomaly-based detection would require establishing a baseline of normal behavior and flagging deviations, not a static count.

Exam trap

The trap here is confusing 'anomaly-based' with any detection that triggers on unusual activity, but the key distinction is that anomaly detection requires a learned baseline, not a hard-coded threshold.

How to eliminate wrong answers

Option A is wrong because anomaly-based detection relies on statistical baselines and deviations from normal behavior, not a fixed threshold like 10 attempts in 5 minutes. Option B is wrong because signature-based detection matches known attack patterns (e.g., specific payloads or exploit signatures), not volumetric thresholds. Option D is wrong because behavior-based detection analyzes patterns of user or entity behavior over time (e.g., UEBA), not a simple count of failed logins from a single IP.

Question 9 · MCQ · hard

After a security incident, the incident response team needs to analyze logs from multiple sources to reconstruct the timeline. The SIEM retains logs for 90 days, but the incident occurred 120 days ago. Which action should the organization have taken to ensure log availability?

A. Use a different SIEM vendor
B. Increase log verbosity
C. Implement real-time alerting
D. Extend log retention period to at least 1 year
Answer: D

Longer retention ensures logs are available for investigations.

Why this answer

Option D is correct because the organization's log retention policy was insufficient to cover the incident timeline. The SIEM retained logs for only 90 days, but the incident occurred 120 days ago, meaning the logs were overwritten or purged before the incident was discovered. Extending the retention period to at least one year ensures logs are available for post-incident forensic analysis, aligning with industry best practices (e.g., NIST SP 800-61) and regulatory requirements that often mandate 6–12 months of log retention.

Exam trap

The trap here is that candidates confuse log verbosity (option B) with log retention, thinking that capturing more data inherently preserves it longer, when in fact retention is a separate storage policy parameter.

How to eliminate wrong answers

Option A is wrong because switching SIEM vendors does not change the underlying retention policy; the new vendor would still need to be configured to retain logs for an adequate duration. Option B is wrong because increasing log verbosity (e.g., logging more events or details) does not extend the retention window; it actually consumes more storage and could shorten retention if capacity is fixed. Option C is wrong because real-time alerting helps detect incidents sooner but does not preserve historical logs beyond the configured retention period; logs older than 90 days would still be unavailable for timeline reconstruction.

Question 10 · MCQ · hard

An organization is calculating the Annualized Loss Expectancy (ALE) for a server. The Asset Value (AV) is $50,000, the Exposure Factor (EF) is 40%, and the Annualized Rate of Occurrence (ARO) is 0.5. What is the Single Loss Expectancy (SLE) and ALE?

A. SLE = $20,000, ALE = $10,000
B. SLE = $50,000, ALE = $25,000
C. SLE = $10,000, ALE = $5,000
D. SLE = $20,000, ALE = $40,000
Answer: A

Correct calculation: SLE = $50,000 × 0.4 = $20,000; ALE = $20,000 × 0.5 = $10,000.

Why this answer

The Single Loss Expectancy (SLE) is calculated as Asset Value (AV) × Exposure Factor (EF) = $50,000 × 0.40 = $20,000. The Annualized Loss Expectancy (ALE) is then SLE × Annualized Rate of Occurrence (ARO) = $20,000 × 0.5 = $10,000. This matches option A exactly.

Exam trap

Cisco often tests the distinction between SLE and ALE formulas, and the trap here is that candidates may forget to apply the EF to the AV when calculating SLE, or they may invert the ARO (e.g., using 2 instead of 0.5) when computing ALE.

How to eliminate wrong answers

Option B is wrong because it incorrectly uses the full AV as the SLE ($50,000) instead of applying the EF, and then multiplies by ARO to get $25,000, which is not the correct ALE. Option C is wrong because it mistakenly halves the AV to get SLE = $10,000 (perhaps confusing EF with ARO) and then multiplies by ARO to get ALE = $5,000, misapplying both formulas. Option D is wrong because it correctly calculates SLE = $20,000 but then multiplies by the reciprocal of ARO (2) instead of ARO (0.5), yielding ALE = $40,000 instead of $10,000.

Question 11 · Multi-Select · medium

A vulnerability management team is scanning a network. Which THREE factors should be considered to minimize false positives?

Select 3 answers
A. Scanning only during peak hours
B. Using default scan profiles
C. Tuning the scanner based on the environment
D. Performing authenticated scans
E. Manually verifying results
Answers: C, D, E

Correct: Tuning reduces false positives by adjusting to the environment.

Why this answer

Option C is correct because tuning the scanner to the specific environment (e.g., adjusting port ranges, timing, and service detection patterns) reduces the likelihood of misidentifying benign traffic or non-vulnerable services as vulnerabilities. Untuned scanners often flag default banner responses or open ports that are actually part of normal operations, leading to false positives.

Exam trap

Cisco often tests the misconception that scanning during peak hours yields more accurate results, when in fact it degrades scan reliability and increases false positives due to network load and timeouts.

Question 12 · MCQ · hard

A vulnerability scan identifies a critical vulnerability with a CVSS score of 9.8. According to standard remediation SLAs, within what timeframe should this vulnerability typically be remediated?

A. 30 days
B. 24-72 hours
C. 7 days
D. 90 days
Answer: B

Critical vulnerabilities require immediate attention.

Why this answer

A CVSS score of 9.8 falls into the 'Critical' severity range (9.0–10.0). Standard remediation SLAs for critical vulnerabilities typically require action within 24–72 hours because such vulnerabilities often allow remote code execution or complete compromise without authentication, posing an immediate and severe risk to the organization.

Exam trap

The trap here is that candidates may confuse the CVSS severity categories with the typical SLA timeframes, often assuming that all 'critical' vulnerabilities have a 7-day window, when in fact the most severe (9.0–10.0) require remediation within 24–72 hours per standard industry frameworks like PCI DSS or NIST.

How to eliminate wrong answers

Option A is wrong because 30 days is the typical SLA for high-severity vulnerabilities (CVSS 7.0–8.9), not critical ones. Option C is wrong because 7 days is a common SLA for medium-severity vulnerabilities (CVSS 4.0–6.9) or for high-severity in some frameworks, but it is too long for a critical 9.8 score. Option D is wrong because 90 days is the typical SLA for low-severity vulnerabilities (CVSS 0.1–3.9) or for informational findings, and would be dangerously negligent for a critical vulnerability.

Question 13 · MCQ · medium

During a qualitative risk analysis, an organization assesses a threat of a data breach due to weak encryption. The likelihood is rated as 'Medium' and the impact as 'High'. According to a standard 3×3 risk matrix, what is the overall risk rating?

A. Medium
B. High
C. Low
D. Critical
Answer: B

Medium likelihood and High impact typically map to High risk.

Why this answer

In a typical 3×3 risk matrix, a combination of Medium likelihood and High impact results in a High risk rating.

Question 14 · MCQ · medium

An organization is required to maintain audit logs for at least one year for compliance purposes. Which log management practice best ensures the integrity of these logs?

A. Encrypting logs during transmission only
B. Compressing logs to save space
C. Storing logs on a standard file server with restricted permissions
D. Using write-once storage and digitally signing each log entry
Answer: D

This prevents tampering and ensures non-repudiation.

Why this answer

Write-once storage (e.g., WORM media or append-only filesystems) prevents any modification or deletion of log entries after they are written. Digitally signing each log entry ensures that any tampering can be detected by verifying the signature against the log data. Together, these provide non-repudiation and integrity, meeting compliance requirements for immutable audit logs.

Exam trap

The trap here is that candidates often choose restricted permissions (Option C) thinking access control is sufficient, but the SSCP exam emphasizes that integrity requires cryptographic proof and immutability, not just authorization.

How to eliminate wrong answers

Option A is wrong because encrypting logs only during transmission protects confidentiality in transit but does nothing to prevent alteration or deletion once the logs are stored. Option B is wrong because compressing logs reduces storage space but provides no integrity protection; compressed logs can still be modified or deleted. Option C is wrong because storing logs on a standard file server with restricted permissions relies on access controls, which can be bypassed by compromised accounts or insider threats, and does not guarantee immutability or detect tampering.
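The control behind Questions 1 and 14 (immutable storage plus a cryptographic check on every entry) can be demonstrated with a small hash-chained log whose entries each carry a keyed MAC over their own fields and the previous entry's MAC. This is an added example, not part of the question bank: it uses an HMAC with a constructed key (DEMO_KEY) in place of an asymmetric signature, constructed sample events, and an out-of-band "anchor" MAC to stand in for the write-once copy.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo key. A real deployment keeps the signing key on a separate
# log server or HSM so that a compromised host cannot forge valid entries.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample events, modelled on the after-hours login pattern in Question 16.
SAMPLE_EVENTS = [
    "2024-05-01T02:58:10Z auth FAILED user=jdoe src=203.0.113.7",
    "2024-05-01T02:58:14Z auth FAILED user=jdoe src=203.0.113.7",
    "2024-05-01T02:59:01Z auth SUCCESS user=jdoe src=203.0.113.7",
    "2024-05-01T03:00:22Z priv ESCALATION user=jdoe target=DC01",
    "2024-05-01T03:04:45Z file READ user=jdoe path=/finance/q1.xlsx",
]

GENESIS = "0" * 64  # prev-link used by the first entry


def _canonical(seq: int, prev: str, msg: str) -> bytes:
    """Deterministic byte encoding of the fields covered by the MAC."""
    return json.dumps({"seq": seq, "prev": prev, "msg": msg}, sort_keys=True).encode()


class AppendOnlyLog:
    """In-memory append-only log. Each entry's MAC covers its sequence number,
    its message and the MAC of the previous entry, forming a hash chain."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[dict] = []

    def append(self, msg: str) -> dict:
        seq = len(self._entries)
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        mac = hmac.new(self._key, _canonical(seq, prev, msg), hashlib.sha256).hexdigest()
        entry = {"seq": seq, "prev": prev, "msg": msg, "mac": mac}
        self._entries.append(entry)
        return entry

    def export(self) -> List[dict]:
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[dict], key: bytes, anchor: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact, otherwise the index of the first entry
    that fails. `anchor` is the newest MAC recorded out-of-band (WORM media or a
    remote collector); without it, silent truncation of the tail is undetectable."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i  # gap or reordering: an entry was removed or moved
        expected = hmac.new(key, _canonical(e["seq"], e["prev"], e["msg"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return i  # content or MAC altered, or produced under a different key
        prev = e["mac"]
    if anchor is not None and prev != anchor:
        return len(entries)  # chain is self-consistent but shorter than the anchored head
    return None


def build_sample_log(key: bytes = DEMO_KEY) -> List[dict]:
    log = AppendOnlyLog(key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log.export()


def tamper_scenarios(key: bytes = DEMO_KEY) -> dict:
    """Run verify_chain over an intact copy and several tampered copies."""
    entries = build_sample_log(key)
    anchor = entries[-1]["mac"]  # what the write-once copy or remote SIEM would hold

    modified = [dict(e) for e in entries]
    modified[1]["msg"] = modified[1]["msg"].replace("FAILED", "SUCCESS")
    deleted = entries[:2] + entries[3:]  # remove the successful-login entry
    truncated = entries[:-1]             # drop the newest entry

    return {
        "intact": verify_chain(entries, key, anchor),
        "modified": verify_chain(modified, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "wrong_key": verify_chain(entries, b"some-other-key"),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        status = "intact" if result is None else f"first bad entry at index {result}"
        print(f"{name:22s} -> {status}")
```

The truncation case is the point of pairing signatures with write-once storage: the chain proves that nothing in the middle was altered or removed, but only the externally held anchor reveals that the tail was cut off.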

Question 15 · MCQ · hard

An organization experiences a ransomware attack that encrypts file servers. The annualized loss expectancy (ALE) for this risk is calculated as $150,000. The single loss expectancy (SLE) is $30,000. What is the annualized rate of occurrence (ARO)?

A. 0.2
B. 4.5
C. 0.5
D. 5
Answer: D

ARO = ALE / SLE = 150,000 / 30,000 = 5.

Why this answer

The annualized rate of occurrence (ARO) is calculated by dividing the annualized loss expectancy (ALE) by the single loss expectancy (SLE): ARO = ALE / SLE = $150,000 / $30,000 = 5. This means the ransomware attack is expected to occur five times per year, which is a key metric in quantitative risk analysis for prioritizing security controls.

Exam trap

The trap here is that candidates often confuse the formula and divide SLE by ALE instead of ALE by SLE, leading to the incorrect fractional answer (0.2) rather than the correct integer (5).

How to eliminate wrong answers

Option A (0.2) is wrong because it incorrectly inverts the formula, dividing SLE by ALE (30,000 / 150,000 = 0.2), which would imply the event occurs once every five years, not five times per year. Option B (4.5) is wrong because it likely results from a miscalculation, such as subtracting or misplacing a decimal, and does not correspond to any correct risk formula. Option C (0.5) is wrong because it represents half an occurrence per year, which would require an ALE of $15,000 (SLE × 0.5), not the given $150,000.

Question 16 · MCQ · medium

A security analyst is reviewing logs and notices multiple failed login attempts for a user account, followed by a successful login from an unfamiliar IP address at 3:00 AM. Which type of risk is most directly indicated by this scenario?

A. Environmental risk
B. Human intentional risk
C. Human accidental risk
D. Technical risk
Answer: B

Failed logins followed by after-hours access indicate intentional malicious behavior.

Why this answer

The scenario describes a successful login after multiple failed attempts from an unfamiliar IP address at an unusual time (3:00 AM). This pattern strongly indicates a deliberate brute-force or credential-stuffing attack, where an attacker intentionally attempts to gain unauthorized access. Therefore, the risk is human intentional, as it involves a malicious actor's purposeful actions.

Exam trap

Cisco often tests the distinction between 'human intentional' and 'human accidental' by presenting a pattern of failed logins that could be mistaken for a user forgetting their password, but the successful login from an unfamiliar IP at an odd hour confirms malicious intent, not a mistake.

How to eliminate wrong answers

Option A is wrong because environmental risk refers to threats like natural disasters, power outages, or hardware failures, not to authentication anomalies. Option C is wrong because human accidental risk involves unintentional errors (e.g., mistyping a password or misconfiguring a firewall), not a pattern of repeated failed logins followed by a successful breach. Option D is wrong because technical risk relates to system vulnerabilities, software bugs, or protocol weaknesses (e.g., unpatched SSH flaws), not to the deliberate exploitation of credentials.

Question 17 · MCQ · easy

A security analyst is reviewing logs and notices that an application log shows an error message indicating 'unhandled exception' followed by a stack trace. This log is most likely categorized as which type?

A. System log
B. Security log
C. Audit log
D. Application log
Answer: D

Correct: Application logs capture events from specific software.

Why this answer

Application logs are generated by software applications and record application-specific events, including errors like 'unhandled exception' and stack traces. Since the log entry originates from an application and contains a stack trace (a developer-oriented diagnostic), it is categorized as an application log, not a system, security, or audit log.

Exam trap

The trap here is that candidates confuse 'unhandled exception' with a security event (like a crash due to an exploit) and incorrectly select Security log, but the question explicitly states the log contains a stack trace, which is a hallmark of application-level debugging output, not a security or system event.

How to eliminate wrong answers

Option A is wrong because system logs (e.g., /var/log/syslog or Windows System event log) record OS-level events such as driver failures, kernel panics, or service start/stop, not application-specific unhandled exceptions with stack traces. Option B is wrong because security logs (e.g., Windows Security log or /var/log/auth.log) track authentication attempts, privilege use, and policy violations, not application runtime errors. Option C is wrong because audit logs (e.g., Windows Audit log or Linux auditd logs) record compliance-relevant events like file access or user actions per predefined audit policies, not unhandled exceptions from application code.

Question 18 · Multi-Select · medium

During a risk assessment, a bank identifies the following threats: flood, phishing attack, hardware failure, and power outage. Which TWO of these are considered environmental threat sources?

Select 2 answers
A. Hardware failure
B. Software bug
C. Flood
D. Power outage
E. Phishing attack
Answers: C, D

Flood is a natural environmental threat.

Why this answer

Flood (C) is an environmental threat source because it originates from natural or physical conditions outside the organization's control, such as weather or geographic location. Power outage (D) is also an environmental threat source as it stems from utility infrastructure failures or natural events, not from human or system actions. Both are classified under environmental threats in risk assessment frameworks like NIST SP 800-30.

Exam trap

Cisco often tests the distinction between environmental and operational/technical threat sources, trapping candidates who classify hardware failure or power outage as environmental due to their physical nature, when only natural or utility-origin events qualify.

Question 19 · MCQ · medium

An organization decides to outsource its data center operations to a cloud provider. The cloud provider is responsible for physical security and hardware maintenance. This is an example of which risk response strategy?

A. Risk acceptance
B. Risk transfer
C. Risk avoidance
D. Risk mitigation
Answer: B

Outsourcing transfers the risk to the provider.

Why this answer

Transferring risk to a third party (cloud provider) is risk transfer.

Question 20 · MCQ · medium

During a vulnerability scan, a security analyst discovers that several workstations are missing critical security patches. The organization decides to implement a compensating control by restricting network access to these workstations until patches are applied. Which risk response strategy is being used?

A. Avoidance
B. Mitigation
C. Transfer
D. Acceptance
Answer: B

Restricting access reduces the risk until patches are applied.

Why this answer

Restricting network access to vulnerable workstations reduces the likelihood of exploitation by limiting their exposure to potential threats. This is a classic mitigation strategy because it does not eliminate the vulnerability (missing patches) but instead implements a compensating control to reduce the risk to an acceptable level until the patches can be applied. Mitigation focuses on reducing the impact or probability of a risk event, which is exactly what network access restrictions achieve.

Exam trap

The trap here is that candidates often confuse 'mitigation' with 'avoidance' because both involve taking action, but mitigation reduces risk without eliminating the root cause, while avoidance removes the risk entirely by eliminating the activity or asset.

How to eliminate wrong answers

Option A is wrong because avoidance would require eliminating the vulnerability entirely (e.g., removing the workstations from the network permanently or replacing them), not just restricting access temporarily. Option C is wrong because transfer would involve shifting the risk to a third party (e.g., purchasing cyber insurance or outsourcing patch management), which is not happening here. Option D is wrong because acceptance would mean acknowledging the risk and taking no action, whereas the organization is actively implementing a compensating control to reduce risk.

Question 21 · MCQ · medium

A company wants to implement a security baseline for its Windows servers. Which of the following frameworks is most commonly used for this purpose?

A. CIS Benchmarks
B. ISO 27001
C. ITIL
D. COBIT
Answer: A

CIS Benchmarks are specific, actionable configuration guides for securing operating systems and applications.

Why this answer

CIS Benchmarks are widely adopted security configuration guidelines for various systems, including Windows servers. They provide Level 1 (basic) and Level 2 (defense-in-depth) recommendations.

Question 22 · MCQ · easy

Which of the following is a technical threat source that could lead to a security breach?

A. Software bug
B. Disgruntled employee
C. Configuration weakness
D. Flood
Answer: A

Software bugs are technical threat sources.

Why this answer

A software bug is a technical threat source because it is an unintentional flaw in code that can be exploited to cause a security breach. For example, a buffer overflow bug in a network service can allow an attacker to execute arbitrary code, bypassing access controls. This directly aligns with the definition of a technical threat as an inherent weakness in hardware or software.

Exam trap

The trap here is confusing vulnerabilities (like configuration weaknesses) with threat sources, but the SSCP exam specifically tests the distinction that a threat source is the cause (e.g., a bug), while a vulnerability is the exploitable condition (e.g., a misconfiguration).

How to eliminate wrong answers

Option B is wrong because a disgruntled employee is a human or personnel threat source, not a technical one; it involves intentional malicious actions by an insider. Option C is wrong because a configuration weakness is a vulnerability (a weakness in a system's setup), not a threat source; threats are the potential causes of harm, while configuration issues are exploitable conditions. Option D is wrong because a flood is a natural or environmental threat source, not a technical one; it falls under physical or environmental threats, not software or hardware flaws.

Question 23 · Multi-Select · medium

A security analyst is configuring a SIEM to detect potential insider threats. Which TWO of the following data sources would be most relevant for detecting an employee exfiltrating sensitive data via email?

Select 2 answers
A. Physical access logs
B. Email gateway logs
C. Firewall logs
D. Data Loss Prevention (DLP) logs
E. DNS logs
Answers: B, D

Email logs capture details of outgoing emails.

Why this answer

Email gateway logs capture metadata and content of outbound emails, including sender, recipient, subject, and attachments, enabling detection of anomalous data transfers. Data Loss Prevention (DLP) logs provide detailed policy violation alerts when sensitive data patterns (e.g., credit card numbers, classified text) are matched in email content, directly identifying exfiltration attempts.

Exam trap

Cisco often tests the distinction between logs that show network-level activity (firewall, DNS) versus logs that inspect content or policy violations (email gateway, DLP), leading candidates to mistakenly choose firewall logs because they see 'outbound traffic' without considering content inspection.

Question 24 · MCQ · medium

Which of the following is a key advantage of using a behavior-based detection approach in a User and Entity Behavior Analytics (UEBA) system?

A. Ability to detect previously unknown threats based on anomalous behavior
B. Requires less data processing than signature-based detection
C. Easier to configure and maintain
D. Lower false positive rates compared to signature-based detection
Answer: A

UEBA excels at detecting unknown threats by identifying deviations.

Why this answer

Behavior-based detection in UEBA establishes a baseline of normal user and entity activity using machine learning and statistical models. It then identifies deviations from this baseline, enabling the detection of novel or previously unknown threats, such as zero-day exploits or insider threats, without relying on pre-defined signatures.

Exam trap

The trap here is that candidates often assume behavior-based detection is easier or produces fewer false positives, but the exam emphasizes that its key advantage is detecting unknown threats, not operational simplicity or accuracy.

How to eliminate wrong answers

Option B is wrong because behavior-based detection typically requires more data processing and computational resources than signature-based detection, which simply matches patterns against a static database. Option C is wrong because behavior-based systems are more complex to configure and maintain, requiring tuning of baselines and thresholds, whereas signature-based systems are simpler to update with new signatures. Option D is wrong because behavior-based detection often produces higher false positive rates due to legitimate but unusual activities being flagged as anomalous, while signature-based detection has lower false positives for known threats but misses unknown ones.

25
MCQhard

An organization calculates the SLE for a server as $5,000 and the ARO as 0.2. What is the ALE?

A.$5,000
B.$10,000
C.$25,000
D.$1,000
AnswerD

Correct calculation: 5000 * 0.2 = 1000.

Why this answer

The Annualized Loss Expectancy (ALE) is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). Given SLE = $5,000 and ARO = 0.2, the ALE is $5,000 × 0.2 = $1,000. This is the expected annual financial loss from the server risk.

Exam trap

The trap here is that candidates often multiply SLE by the reciprocal of ARO (e.g., 5 instead of 0.2) or confuse ARO with a percentage, leading to an inflated ALE like $25,000.

How to eliminate wrong answers

Option A is wrong because $5,000 is the SLE, not the ALE; it ignores the ARO multiplier. Option B is wrong because $10,000 would result from multiplying SLE by 2, which is not the correct ARO of 0.2. Option C is wrong because $25,000 would result from dividing SLE by 0.2 (or multiplying by 5), which is a common arithmetic reversal error.

26
MCQmedium

A security engineer is reviewing system logs and notices that the log file size has not changed for several days, despite high system activity. Which log management concern does this indicate?

A.Incorrect time synchronization
B.Normal log rotation
C.Insufficient storage capacity
D.Log tampering or disabled logging
AnswerD

Logs not updating during high activity may indicate intentional stopping or tampering.

Why this answer

The log file size remaining static despite high system activity strongly indicates that logging has been disabled or the log files have been tampered with (e.g., truncated or replaced with empty files). Under normal operation, a busy system generates continuous log entries, causing the log file size to increase. A complete lack of size change over several days is a classic red flag for log integrity compromise, not a benign administrative action.

Exam trap

Cisco often tests the misconception that a static log file size is due to log rotation, but rotation actually creates a new active log file with new entries, not a file that remains unchanged for days.

How to eliminate wrong answers

Option A is wrong because incorrect time synchronization would cause timestamps to be wrong, but it would not prevent log entries from being written; the log file size would still increase. Option B is wrong because normal log rotation typically renames or compresses the current log file and starts a new one, which would result in a new file with a non-zero size, not a static file size for days. Option C is wrong because insufficient storage capacity would cause the system to stop writing logs, leaving the file at the size it had when writes ceased; the question states that the size has not changed for several days despite high activity, which is more consistent with disabled logging or tampering than with a full disk.

27
MCQmedium

After implementing security controls, a risk assessment shows that a residual risk of data exfiltration remains. Which document should formally record this residual risk and the decision to accept it?

A.Incident response plan
B.Risk register
C.Business continuity plan
D.Security baseline
AnswerB

The risk register tracks all identified risks and their treatment.

Why this answer

The risk register is the formal document used to track identified risks, their assessed likelihood and impact, and the chosen risk response. When a residual risk remains after controls are implemented, the risk register records that residual risk level and formally documents management's decision to accept it, including the rationale and approval. This ensures auditability and accountability for the accepted risk.

Exam trap

The trap here is that candidates confuse the risk register with the incident response plan, thinking that any risk-related documentation belongs in the incident response plan, but the risk register is specifically designed for tracking and formally accepting residual risks before any incident occurs.

How to eliminate wrong answers

Option A is wrong because the incident response plan documents procedures for detecting, responding to, and recovering from security incidents, not for recording residual risks or acceptance decisions. Option C is wrong because the business continuity plan focuses on maintaining critical business functions during and after a disruption, not on tracking residual risks from data exfiltration. Option D is wrong because a security baseline defines the minimum security configuration standards for systems, not a repository for risk acceptance decisions.

28
Multi-Selectmedium

An organization is developing a risk register. Which TWO elements are essential for each risk entry?

Select 2 answers
A.Risk owner
B.Risk description
C.Residual risk level
D.Likelihood and impact rating
E.Mitigation cost
AnswersB, D

Correct: A clear description of the risk is fundamental.

Why this answer

A risk description is essential because it provides a clear, unambiguous statement of the risk event, its cause, and its potential impact, enabling consistent understanding and analysis. The likelihood and impact rating is essential because it quantifies the risk's probability and consequence, forming the basis for prioritization and response planning. Without these two elements, a risk entry lacks the fundamental context and measurable criteria needed for effective risk management.

Exam trap

Cisco often tests the distinction between essential initial elements (description and rating) versus downstream elements (owner, residual risk, cost) to see if candidates confuse the risk register's foundational data with later risk treatment outputs.

29
MCQeasy

Which of the following is a vulnerability source explicitly based on publicly known flaws?

A.Configuration weaknesses
B.Hardware failure
C.CVEs
D.Design flaws
AnswerC

CVE is a dictionary of publicly disclosed vulnerabilities.

Why this answer

C is correct because Common Vulnerabilities and Exposures (CVEs) are a standardized, publicly maintained list of known security flaws. Each CVE entry explicitly documents a specific vulnerability that has been discovered, verified, and published, making it a direct source of publicly known flaws used for vulnerability identification and remediation.

Exam trap

The trap here is that candidates may confuse 'vulnerability source' with 'vulnerability cause'—configuration weaknesses and design flaws are causes of vulnerabilities, but only CVEs represent a formal, publicly known source of flaw documentation.

How to eliminate wrong answers

Option A is wrong because configuration weaknesses are typically the result of improper system setup or misapplied security controls, not a source of publicly known flaws; they are often organization-specific and not cataloged in a public database. Option B is wrong because hardware failure is a physical reliability issue, not a security vulnerability, and is not tracked as a publicly known flaw in vulnerability databases like CVE. Option D is wrong because design flaws are inherent architectural weaknesses that may not be publicly documented or assigned a CVE identifier; they are often discovered during security reviews or penetration testing rather than being listed as known flaws.

30
MCQeasy

Which of the following is a primary purpose of implementing a security baseline such as the CIS Benchmarks?

A.To automate incident response procedures
B.To establish a minimum level of security for system configurations
C.To detect real-time threats
D.To comply with regulatory requirements for log retention
AnswerB

Baselines define the minimum security settings.

Why this answer

The primary purpose of implementing a security baseline such as the CIS Benchmarks is to establish a minimum level of security for system configurations. These benchmarks provide prescriptive, consensus-based configuration guidelines (e.g., disabling unnecessary services, setting file permissions, enforcing password policies) that reduce the attack surface and ensure a consistent, hardened starting point across all systems in an organization.

Exam trap

Cisco often tests the distinction between a preventive control (security baseline) and detective/reactive controls (IDS, SIEM, SOAR), so candidates mistakenly choose options that describe monitoring or response functions instead of the foundational hardening purpose of a baseline.

How to eliminate wrong answers

Option A is wrong because automating incident response procedures is the function of a Security Orchestration, Automation, and Response (SOAR) platform or playbook, not a static configuration baseline like CIS Benchmarks. Option C is wrong because detecting real-time threats is performed by intrusion detection systems (IDS), security information and event management (SIEM) correlation rules, or endpoint detection and response (EDR) tools, not by a configuration baseline. Option D is wrong because complying with regulatory requirements for log retention is addressed by specific log retention policies and technical controls (e.g., setting log rotation, archival, and secure storage), whereas CIS Benchmarks focus on secure configuration states, not log retention durations.

31
MCQmedium

A company's security policy requires that all logs be stored in a write-once, read-many (WORM) format. What is the primary security objective of this requirement?

A.To maintain log integrity
B.To ensure log availability
C.To improve log review speed
D.To reduce storage costs
AnswerA

WORM prevents tampering, preserving integrity.

Why this answer

WORM storage ensures that logs cannot be altered after creation, preserving their integrity for forensic purposes.

32
MCQmedium

An organization uses a network-based intrusion detection system (NIDS). An analyst receives an alert for a known exploit signature. Which type of detection is the NIDS using?

A.Anomaly-based detection
B.Behavior-based detection
C.Signature-based detection
D.Heuristic detection
AnswerC

Matching a known exploit signature is signature-based.

Why this answer

The NIDS generated an alert based on a known exploit signature, which means it compared network traffic against a database of predefined patterns or fingerprints of known attacks. This is the defining characteristic of signature-based detection, where the system relies on exact or pattern matches to known malicious activity.

Exam trap

The trap here is that candidates confuse 'signature-based' with 'heuristic' detection, because both involve pattern matching, but heuristic detection uses fuzzy logic or statistical models rather than exact known signatures.

How to eliminate wrong answers

Option A is wrong because anomaly-based detection establishes a baseline of normal network behavior and flags deviations from that baseline, not known exploit signatures. Option B is wrong because behavior-based detection analyzes patterns of activity over time to identify suspicious behavior, such as unusual data exfiltration rates, rather than matching static signatures. Option D is wrong because heuristic detection uses algorithms or rules to infer malicious intent based on generalized characteristics or statistical analysis, not a direct match to a known exploit signature.

33
MCQeasy

In a qualitative risk analysis, a risk is assigned a probability of 'High' and an impact of 'Medium'. According to common probability/impact matrices, what is the overall risk rating?

A.High
B.Critical
C.Medium
D.Low
AnswerA

High probability combined with medium impact yields High risk in most matrices.

Why this answer

In a standard qualitative risk analysis probability/impact matrix, a 'High' probability combined with a 'Medium' impact typically yields an overall risk rating of 'High'. This is because the matrix is designed to prioritize risks where both factors are elevated, and the product or intersection of these two values falls into the 'High' category in most common 3x3 or 5x5 matrices used in frameworks like NIST SP 800-30 or ISO 31000.

Exam trap

The trap here is that candidates often confuse 'High' probability with 'Critical' overall rating, or incorrectly assume that a 'Medium' impact automatically lowers the rating to 'Medium', ignoring that the probability weight dominates in many matrix designs.

How to eliminate wrong answers

Option B is wrong because 'Critical' is not a standard rating in a basic 3x3 probability/impact matrix; it is often used in 5x5 matrices for the highest combination (e.g., High/High) but not for High/Medium. Option C is wrong because 'Medium' would result from a combination like Medium/Medium or Low/High, not from High/Medium where the probability is elevated. Option D is wrong because 'Low' would require both probability and impact to be Low, or one to be Low and the other Very Low, which is not the case here.

34
MCQmedium

A security analyst is reviewing logs from a SIEM and notices multiple failed login attempts for a privileged account from an IP address in a foreign country, followed by a successful login after hours. Which type of security monitoring tool would be most effective at detecting this pattern as anomalous behavior based on user baseline?

A.Signature-based IDS
B.Network-based IPS
C.Host-based IDS
D.User Behavior Analytics (UBA)
AnswerD

UBA uses baseline modeling to detect anomalous user activities.

Why this answer

User Behavior Analytics (UBA) is designed to establish a baseline of normal user activity and detect anomalies such as a privileged account logging in from an unusual geographic location after hours. Unlike signature or rule-based tools, UBA uses statistical modeling and machine learning to identify deviations from the user's historical patterns, making it ideal for detecting this type of credential misuse.

Exam trap

The trap here is that candidates often confuse anomaly detection with signature-based detection, assuming that a failed login followed by a success is a known brute-force pattern that a signature-based IDS would catch, but the question specifically asks for detection based on a user baseline, which is the core function of UBA, not signature matching.

How to eliminate wrong answers

Option A is wrong because a signature-based IDS relies on predefined patterns (e.g., known attack signatures) and cannot detect novel or anomalous behavior like a login from an unusual IP unless a specific signature exists for that scenario. Option B is wrong because a network-based IPS focuses on blocking malicious traffic at the network layer (e.g., exploiting vulnerabilities) and does not analyze user login patterns or establish behavioral baselines. Option C is wrong because a host-based IDS monitors system-level events (e.g., file changes, process execution) on a single host but lacks the cross-session, user-centric analytics needed to compare a login event against historical user behavior.

35
MCQhard

A security manager needs to comply with PCI DSS requirement 11.2, which mandates quarterly vulnerability scans. The company uses an external Qualified Security Assessor (QSA) for the quarterly scans. However, the internal team also performs continuous scanning. Which of the following best describes the required scan frequency?

A.Both internal and external scans must be performed quarterly
B.Scans are required only after significant changes to the network
C.Only the external scans need to be done quarterly; internal scans are optional
D.Continuous internal scanning eliminates the need for quarterly external scans
AnswerA

PCI DSS mandates quarterly internal and external vulnerability scans.

Why this answer

PCI DSS Requirement 11.2 explicitly requires both internal and external vulnerability scans to be performed at least quarterly. Even though the internal team performs continuous scanning, the external scans by a Qualified Security Assessor (QSA) must still occur quarterly to satisfy compliance. Continuous scanning does not replace the mandated quarterly external scans because the standard requires independent validation of external-facing systems.

Exam trap

The trap here is that candidates often assume continuous or frequent internal scanning can replace the mandated quarterly external scans, but PCI DSS explicitly requires both internal and external scans at the defined frequency, with external scans needing an independent assessor.

How to eliminate wrong answers

Option B is wrong because PCI DSS requires quarterly scans regardless of network changes; scans after significant changes are an additional requirement (11.2.b), not a replacement for the quarterly schedule. Option C is wrong because PCI DSS mandates both internal and external scans quarterly; internal scans are not optional. Option D is wrong because continuous internal scanning does not eliminate the need for quarterly external scans; the standard requires external scans to be performed by a qualified party (e.g., QSA) at the defined frequency, and continuous scanning is not a substitute.

36
MCQmedium

A vulnerability management program requires that critical vulnerabilities be remediated within 72 hours. A scanner identifies a critical vulnerability on a server, but after patching, the scanner still reports it as vulnerable. What is the most likely cause?

A.The patch was not applied correctly
B.The vulnerability is a false positive
C.The remediation SLA was not met
D.The server was not rebooted after patching
AnswerB

A false positive means the scanner incorrectly reports a vulnerability.

Why this answer

False positives are common; the scanner may incorrectly flag the vulnerability even after patching.

37
MCQmedium

During a risk assessment, a company identifies that a legacy system cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk response strategy is most appropriate initially?

A.Avoid the risk by decommissioning the system immediately
B.Transfer the risk by purchasing cyber insurance
C.Accept the risk without any further action
D.Mitigate the risk by implementing compensating controls
AnswerD

Compensating controls such as network segmentation and strict access controls can reduce the risk even if the system cannot be patched.

Why this answer

Option D is correct because when a legacy system cannot be patched due to vendor end-of-life, the most appropriate initial risk response is to implement compensating controls. Compensating controls, such as network segmentation, strict access controls, or an intrusion detection system, reduce the likelihood or impact of exploitation without requiring a patch. This approach balances operational necessity with security, as immediate decommissioning (avoidance) may be infeasible for a critical system.

Exam trap

The trap here is that candidates often confuse risk acceptance with passive inaction, but the SSCP exam expects that acceptance must be a deliberate decision with documented justification and often paired with compensating controls, not simply ignoring the risk.

How to eliminate wrong answers

Option A is wrong because decommissioning a critical system immediately would disrupt operations, and risk avoidance is not appropriate when the system is essential to business functions; the goal is to manage risk, not eliminate it at the cost of operations. Option B is wrong because transferring risk via cyber insurance does not reduce the technical vulnerability; it only provides financial compensation after a breach, which does not address the immediate security gap. Option C is wrong because accepting the risk without any further action is negligent; while acceptance is a valid strategy, it requires documented understanding and often compensating controls, not passive inaction.

38
MCQmedium

A company has implemented a new vulnerability scanner and the first scan reports 200 vulnerabilities. The security team needs to prioritize remediation. Which approach should they use first?

A.Remediate only vulnerabilities that are exploitable from the internet
B.Wait for the next scan to confirm the results before action
C.Prioritize based on CVSS score, starting with critical and high severity
D.Remediate all vulnerabilities in alphabetical order by CVE ID
AnswerC

CVSS scores provide a standardized severity rating; focusing on critical/high vulnerabilities aligns with risk management.

Why this answer

Option C is correct because the Common Vulnerability Scoring System (CVSS) provides a standardized, industry-accepted method for rating vulnerability severity based on exploitability, impact, and other metrics. Prioritizing critical and high CVSS scores (e.g., 9.0-10.0 and 7.0-8.9) ensures the team addresses vulnerabilities with the highest potential for damage and exploitation first, which is a fundamental risk-based remediation strategy. This approach aligns with the NIST SP 800-40 guidance on prioritizing vulnerabilities by risk, not by arbitrary ordering or waiting for confirmation.

Exam trap

The trap here is that candidates may think waiting for a second scan (Option B) is prudent to avoid false positives, but the SSCP exam emphasizes proactive risk management and immediate prioritization based on severity, not delaying action.

How to eliminate wrong answers

Option A is wrong because focusing solely on internet-exploitable vulnerabilities ignores internal threats, such as lateral movement by an attacker who has already breached the perimeter, or vulnerabilities in critical internal systems that could be exploited by insiders or via phishing. Option B is wrong because waiting for a second scan delays remediation unnecessarily; vulnerability scanners can produce false positives, but the correct first step is to validate and prioritize based on severity, not to defer action entirely. Option D is wrong because remediating in alphabetical order by CVE ID is arbitrary and ignores the actual risk level, potentially leaving critical vulnerabilities unpatched while wasting resources on low-severity issues.

39
Multi-Selecthard

A security team is implementing a vulnerability management program. According to industry best practices, which THREE of the following are essential components of a mature vulnerability management process?

Select 3 answers
A.Manual patch management
B.Quarterly vulnerability scans
C.False positive management process
D.Remediation SLAs based on severity
E.Continuous scanning capability
AnswersC, D, E

Managing false positives prevents wasted effort.

Why this answer

Option C is correct because a false positive management process is essential for a mature vulnerability management program. Without it, security teams waste resources chasing non-existent vulnerabilities, leading to alert fatigue and missed genuine threats. A formal process to validate, document, and reduce false positives ensures scan results are actionable and trust in the program is maintained.

Exam trap

Cisco often tests the misconception that quarterly scans are sufficient for compliance, but a mature program requires continuous or frequent scanning to address the rapid pace of vulnerability disclosures and changes in the attack surface.

40
MCQhard

During a risk assessment, a company identifies that a legacy system has a known CVE with a CVSS score of 9.8. The system is critical but cannot be patched immediately. The management decides to implement strict network segmentation and monitor the system continuously. This risk response is best described as:

A.Risk acceptance
B.Risk avoidance
C.Risk transfer
D.Risk mitigation
AnswerD

Correct: Mitigation reduces risk through controls like segmentation and monitoring.

Why this answer

The correct answer is D, risk mitigation, because the company is implementing strict network segmentation and continuous monitoring to reduce the likelihood and impact of the vulnerability being exploited. This reduces the risk without eliminating it entirely, which is the essence of mitigation. The CVSS score of 9.8 indicates critical severity, and the controls (e.g., ACLs, VLANs, IDS/IPS) directly address the attack surface.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk acceptance' because the system remains vulnerable, but the key distinction is that active controls are applied to reduce risk, not merely acknowledged.

How to eliminate wrong answers

Option A is wrong because risk acceptance would involve acknowledging the risk without taking any active controls, but here the company actively deploys segmentation and monitoring. Option B is wrong because risk avoidance would require removing the system or ceasing its operation entirely, which is not done since the system remains in use. Option C is wrong because risk transfer would involve shifting the financial burden or liability to a third party (e.g., insurance or outsourcing), not implementing technical controls.

41
MCQmedium

During a risk assessment, a team identifies that a legacy application cannot be patched due to vendor end-of-life. The business decides to continue using the application but implement compensating controls such as network segmentation and strict access controls. This risk response strategy is best classified as:

A.Risk mitigation
B.Risk transfer
C.Risk acceptance
D.Risk avoidance
AnswerC

The business accepts the residual risk after applying compensating controls.

Why this answer

Risk acceptance means acknowledging the risk and taking no further action beyond existing controls. Compensating controls do not eliminate the risk; they reduce it to an acceptable level, which is still acceptance.

42
MCQmedium

During a qualitative risk analysis, an organization assigns a risk rating of 'High' for a specific threat. Which combination of factors most directly leads to this rating?

A.High probability and high impact
B.Low probability and low impact
C.High probability and low impact
D.Low probability and high impact
AnswerA

Both high probability and high impact result in a high risk rating.

Why this answer

In qualitative risk analysis, risk rating is determined by the product of probability and impact. A 'High' rating directly results from both high probability and high impact, as this combination represents the greatest potential for loss. This aligns with the risk matrix approach where the highest risk scores occupy the top-right quadrant.

Exam trap

Cisco often tests the misconception that high impact alone is sufficient for a 'High' risk rating, ignoring that probability must also be high to reach the top risk level.

How to eliminate wrong answers

Option B is wrong because low probability and low impact produce a 'Low' risk rating, not 'High'. Option C is wrong because high probability combined with low impact typically yields a 'Medium' or 'Moderate' rating, as the low impact reduces overall risk severity. Option D is wrong because low probability with high impact often results in a 'Medium' risk rating, as the low likelihood mitigates the overall risk despite the high potential damage.

43
MCQeasy

Which of the following is a primary purpose of a security baseline, such as the CIS Benchmarks?

A.To provide a secure configuration standard for systems
B.To calculate annualized loss expectancy
C.To replace the need for vulnerability scanning
D.To detect intrusions in real-time
AnswerA

Baselines define secure configurations.

Why this answer

A security baseline like the CIS Benchmarks establishes a hardened, consistent configuration standard for operating systems, applications, and network devices. This reduces the attack surface by disabling unnecessary services, enforcing least privilege, and applying specific registry or file permission settings. It is a foundational step in secure system deployment and ongoing compliance.

Exam trap

Cisco often tests the distinction between a proactive security control (baseline) and reactive or ongoing controls (vulnerability scanning, intrusion detection), leading candidates to confuse configuration standards with operational security tools.

How to eliminate wrong answers

Option B is wrong because annualized loss expectancy (ALE) is a quantitative risk analysis formula (SLE × ARO) used in risk management, not a function of a security baseline. Option C is wrong because a security baseline does not replace vulnerability scanning; baselines define secure configurations, while scanning actively identifies missing patches or misconfigurations. Option D is wrong because intrusion detection in real-time is performed by IDS/IPS systems (e.g., Snort, Suricata) that analyze network traffic or host logs, not by a static configuration baseline.

44
MCQeasy

Which type of IDS uses a baseline of normal behavior to detect anomalies?

A.Host-based IDS (HIDS)
B.Anomaly-based IDS
C.Network-based IDS (NIDS)
D.Signature-based IDS
AnswerB

Anomaly detection relies on behavioral baselines.

Why this answer

Anomaly-based IDS (B) is correct because it establishes a baseline of normal network or system behavior through statistical modeling or machine learning, then flags deviations from that baseline as potential intrusions. This contrasts with signature-based systems that rely on predefined patterns of known attacks. The core mechanism involves profiling metrics such as CPU usage, network traffic volume, or protocol deviations over time to identify anomalies.

Exam trap

Cisco often tests the distinction between detection methodology (anomaly vs. signature) and deployment type (host-based vs. network-based), leading candidates to mistakenly choose HIDS or NIDS because they associate them with behavioral monitoring, when the question specifically asks about the detection method that uses a baseline.

How to eliminate wrong answers

Option A is wrong because Host-based IDS (HIDS) monitors activity on a single host (e.g., system logs, file integrity) but does not inherently use a baseline of normal behavior; it can be signature-based or anomaly-based depending on implementation. Option C is wrong because Network-based IDS (NIDS) analyzes network traffic at the packet level but, like HIDS, is a deployment type, not a detection methodology; it can use signatures or anomalies. Option D is wrong because Signature-based IDS relies on a database of known attack signatures (e.g., Snort rules) and cannot detect novel or zero-day attacks without an existing pattern, whereas anomaly-based detection uses behavioral baselines.

45
MCQmedium

A company's vulnerability scanner reports a critical vulnerability in a third-party library. The remediation SLA for critical vulnerabilities is 48 hours. However, the patch is not yet available from the vendor. Which of the following is the most appropriate immediate action?

A.Remove the vulnerable software immediately
B.Extend the SLA to 30 days
C.Accept the risk because the vendor has not released a patch
D.Implement compensating controls to mitigate the vulnerability
AnswerD

Compensating controls reduce risk until a patch is available.

Why this answer

Option D is correct because when a patch is unavailable, implementing compensating controls (e.g., network segmentation, WAF rules, disabling unused features) is the immediate action to reduce risk exposure while awaiting an official fix. This aligns with the NIST SP 800-40 risk mitigation framework, which prioritizes compensating controls when patching is not feasible. Simply removing the software (A) may break business operations, extending the SLA (B) violates policy, and accepting risk (C) ignores the need for active mitigation.

Exam trap

The trap here is that candidates assume 'no patch available' means 'no action required' (Option C), but the SSCP exam expects proactive risk mitigation through compensating controls even when patching is delayed.

How to eliminate wrong answers

Option A is wrong because removing the vulnerable software immediately could cause significant operational disruption and is not required if compensating controls can reduce risk to an acceptable level. Option B is wrong because extending the SLA to 30 days violates the established 48-hour remediation policy and does not address the immediate threat; SLAs are not arbitrarily extended without formal risk acceptance. Option C is wrong because accepting risk without implementing any controls is negligent; the absence of a vendor patch does not justify inaction—compensating controls must be applied to reduce the likelihood of exploitation.

46
MCQeasy

Which term describes the risk that remains after implementing risk mitigation controls?

A.Accepted risk
B.Residual risk
C.Inherent risk
D.Control risk
AnswerB

Residual risk remains after mitigation.

Why this answer

Residual risk is the risk that remains after all risk mitigation controls have been applied. It represents the portion of the original risk that cannot be eliminated or reduced further, and it must be accepted by management if it falls within the organization's risk appetite.

Exam trap

The trap here is that candidates confuse 'residual risk' with 'accepted risk,' but accepted risk is the subset of residual risk that management formally approves to tolerate, not the risk that remains after controls.

How to eliminate wrong answers

Option A is wrong because accepted risk is a decision to formally acknowledge and tolerate a specific risk, often after evaluating residual risk, not the risk that remains after controls. Option C is wrong because inherent risk is the level of risk before any controls are implemented, not after. Option D is wrong because control risk is the risk that a control may fail or be ineffective, not the leftover risk after controls are applied.

47
MCQhard

A company is preparing for a PCI DSS assessment. According to PCI DSS requirements, how frequently must internal vulnerability scans be performed?

A.Annually
B.Monthly
C.Weekly
D.Quarterly
AnswerD

PCI DSS mandates quarterly scans.

Why this answer

PCI DSS Requirement 11.2.1 mandates that internal vulnerability scans must be performed at least quarterly and after any significant change in the network. This frequency ensures that new vulnerabilities introduced since the last scan are identified and remediated before they can be exploited. Quarterly scans are a minimum; more frequent scanning is recommended for high-risk environments.

Exam trap

The trap here is that candidates often confuse the quarterly internal scan requirement with the weekly external scan requirement (for internet-facing systems), leading them to incorrectly select 'Weekly' as the answer.

How to eliminate wrong answers

Option A is wrong because annual scans are far too infrequent to meet PCI DSS requirements, which demand a minimum of quarterly scans to keep pace with emerging vulnerabilities. Option B is wrong because monthly scans, while more frequent than required, are not the mandated minimum; PCI DSS specifically requires quarterly scans, not monthly. Option C is wrong because weekly scans are not required by PCI DSS for internal scans; the standard explicitly states quarterly as the baseline frequency, though weekly scans may be used for external scans or as a best practice.

48
MCQhard

A vulnerability scanner reports a medium-severity finding on a server. After investigation, the security team determines that the vulnerability is not exploitable due to existing compensating controls. How should this finding be classified in the vulnerability management process?

A.True positive
B.Risk acceptance
C.False positive
D.False negative
AnswerC

False positive indicates the scanner incorrectly identified a vulnerability.

Why this answer

A false positive occurs when a vulnerability scanner reports a finding that, upon investigation, is determined not to be a real security risk. In this case, the vulnerability is not exploitable due to compensating controls, meaning the scanner's alert was incorrect in the context of the actual environment. Therefore, the finding should be classified as a false positive, not a true vulnerability.

Exam trap

The trap here is that candidates confuse a non-exploitable vulnerability with a true positive, failing to recognize that the classification depends on actual exploitability in the current environment, not just the presence of a potential weakness.

How to eliminate wrong answers

Option A is wrong because a true positive would mean the vulnerability is actually exploitable and poses a real risk, which contradicts the investigation finding that it is not exploitable. Option B is wrong because risk acceptance is a management decision to accept the risk of a real vulnerability, not a classification for a finding that is not actually exploitable. Option D is wrong because a false negative would mean the scanner failed to report a real vulnerability, which is the opposite of this scenario where a reported finding is determined to be non-exploitable.

49
MCQhard

A security analyst is tuning a SIEM and needs to reduce false positives from a rule that alerts on failed logins. The rule currently triggers on any single failed login. Which modification would best reduce false positives while still detecting brute-force attacks?

A.Add a threshold of 5 failed logins within 5 minutes
B.Disable the rule entirely
C.Increase the severity level of the alert
D.Ignore failed logins from known users
AnswerA

This reduces noise and still catches brute force.

Why this answer

Option A is correct because adding a threshold of 5 failed logins within 5 minutes reduces false positives from isolated accidental lockouts while still detecting the sustained pattern of failed attempts characteristic of brute-force attacks. This aligns with SIEM tuning best practices where aggregation over a time window filters out noise without losing signal.

Exam trap

Cisco often tests the misconception that increasing severity or ignoring specific users reduces false positives, when in fact only time-based thresholding or contextual filtering (e.g., source IP reputation) properly addresses the root cause of noise from isolated events.

How to eliminate wrong answers

Option B is wrong because disabling the rule entirely would remove detection of brute-force attacks, creating a security gap. Option C is wrong because increasing the severity level does not reduce false positives; it only changes the alert's priority, leaving the same number of noisy alerts. Option D is wrong because ignoring failed logins from known users would miss attacks where a legitimate user's account is compromised and used for brute-force attempts, and it assumes user identity is reliably verified at the authentication layer.

50
MCQeasy

Which of the following is a common vulnerability source that would be documented in a risk register?

A.Password policies
B.Intrusion alerts
C.Firewall logs
D.CVE entries
AnswerD

CVEs are specific known vulnerabilities.

Why this answer

D is correct because CVE (Common Vulnerabilities and Exposures) entries are standardized identifiers for known security vulnerabilities, making them a direct source of vulnerability information that should be documented in a risk register. A risk register captures identified risks, including specific vulnerabilities, and CVE entries provide the precise technical details needed to assess and track those risks.

Exam trap

Cisco often tests the distinction between vulnerability sources (like CVE entries) and security controls or monitoring outputs (like password policies, intrusion alerts, or firewall logs), trapping candidates who confuse operational data with vulnerability documentation.

How to eliminate wrong answers

Option A is wrong because password policies are security controls or guidelines, not vulnerability sources; they define rules for password creation and management, whereas a risk register documents actual or potential vulnerabilities, not policy documents. Option B is wrong because intrusion alerts are outputs from an intrusion detection system (IDS) indicating potential security incidents, not vulnerability sources; they represent events that may exploit vulnerabilities, but the alerts themselves are not the vulnerabilities. Option C is wrong because firewall logs are records of network traffic and firewall rule actions, used for monitoring and forensics, not a source of vulnerability information; they can help identify attacks but do not list or describe vulnerabilities like CVE entries do.

51
MCQmedium

A security analyst is tuning a SIEM to reduce false positives. Which of the following actions is most likely to reduce false positives while maintaining detection of real threats?

A.Increase the severity of all alerts to high
B.Modify correlation rules to require multiple events before alerting
C.Disable all anomaly-based detection rules
D.Create a whitelist for known benign IP addresses
AnswerB

Requiring multiple events reduces single-event false positives and improves signal-to-noise ratio.

Why this answer

Modifying correlation rules to require multiple events before alerting reduces false positives by ensuring that a single benign event does not trigger an alert. This technique, often called 'thresholding' or 'event correlation,' filters out noise while still detecting multi-step attack patterns, such as a brute-force login attempt that requires multiple failed logins within a time window.

Exam trap

The trap here is that candidates often confuse 'reducing false positives' with 'eliminating all alerts,' leading them to choose disabling detection rules (Option C) or whitelisting (Option D), rather than understanding that correlation tuning preserves detection capability while filtering noise.

How to eliminate wrong answers

Option A is wrong because increasing the severity of all alerts to high does not reduce false positives; it merely reclassifies them, potentially causing alert fatigue and desensitizing analysts to critical incidents. Option C is wrong because disabling all anomaly-based detection rules would eliminate the ability to detect unknown or zero-day threats, which rely on behavioral baselines rather than static signatures. Option D is wrong because creating a whitelist for known benign IP addresses reduces false positives only for those specific IPs, but does not address false positives from other sources or from legitimate traffic that does not match the whitelist; it also risks missing real threats if an attacker spoofs a whitelisted IP.

52
MCQmedium

A company stores log files on a dedicated log server. To ensure log integrity, they implement a solution where logs are written to a WORM (Write Once, Read Many) device. Which property does this primarily protect?

A.Integrity
B.Non-repudiation
C.Availability
D.Confidentiality
AnswerA

WORM ensures logs cannot be altered, preserving integrity.

Why this answer

WORM (Write Once, Read Many) technology ensures that once data is written, it cannot be altered, deleted, or overwritten. This directly protects the integrity of the log files by preventing any unauthorized or accidental modification, which is critical for maintaining a reliable audit trail.

Exam trap

The trap here is that candidates often confuse integrity with non-repudiation, thinking that preventing modification also proves who wrote the data, but WORM alone does not provide cryptographic proof of origin.

How to eliminate wrong answers

Option B is wrong because non-repudiation is primarily about proving the origin of data (e.g., through digital signatures or PKI), not about preventing modification after writing. Option C is wrong because availability concerns ensuring data is accessible when needed, which WORM does not directly address (it may even hinder availability if the device fails). Option D is wrong because confidentiality involves preventing unauthorized access or disclosure, whereas WORM focuses on write protection, not read access controls.

53
MCQhard

An organization uses User Behavior Analytics (UBA) to detect insider threats. Which of the following activities would most likely trigger an alert for a compromised account?

A.User receives a large number of emails
B.User logs in from a recognized corporate device
C.User attempts to access a database at 2:00 AM, which is outside their normal pattern
D.User accesses the same files as usual during business hours
AnswerC

Deviations from baseline (time, location) are strong indicators.

Why this answer

User Behavior Analytics (UBA) establishes a baseline of normal user activity, including typical login times, locations, and access patterns. An attempt to access a database at 2:00 AM, which falls outside the user's established temporal baseline, represents a significant deviation that UBA algorithms flag as anomalous. This behavior is a classic indicator of a compromised account, as attackers often operate during off-hours to avoid detection.

Exam trap

The trap here is that candidates may confuse 'anomalous behavior' with 'malicious behavior,' but UBA specifically flags deviations from a baseline, and off-hours access is a textbook anomaly for a compromised account, whereas the other options represent normal or expected activities.

How to eliminate wrong answers

Option A is wrong because receiving a large number of emails is a common occurrence and does not inherently indicate compromise; UBA focuses on deviations in access and authentication patterns, not email volume. Option B is wrong because logging in from a recognized corporate device is expected behavior and aligns with the user's baseline, thus it would not trigger an alert for a compromised account. Option D is wrong because accessing the same files as usual during business hours is consistent with the user's normal pattern and would be considered low-risk, not indicative of compromise.

54
MCQhard

During a vulnerability scan, a tool reports a critical vulnerability on a web server. The system owner claims it is a false positive because the server is not accessible from the internet. However, the server is accessible from the internal network. What is the best course of action?

A.Accept the risk and close the finding
B.Ignore the finding as the vulnerability scanner is known for false positives
C.Remove the server from the network to eliminate the risk
D.Verify the vulnerability manually and if confirmed, remediate according to internal risk
AnswerD

Manual verification confirms whether it's a true positive; if so, remediation should be prioritized based on internal risk.

Why this answer

Option D is correct because a vulnerability that is exploitable from the internal network still poses a significant risk, as internal threats (e.g., compromised endpoints, malicious insiders) can leverage it. The system owner’s claim that the server is not internet-facing does not negate the need for verification and remediation; internal attack surfaces must be managed according to the organization’s risk appetite. Manual verification ensures the scanner’s report is accurate, and if confirmed, remediation should follow internal risk-based prioritization.

Exam trap

The trap here is that candidates assume a server not accessible from the internet is automatically low-risk, ignoring the reality that internal network threats are a primary attack vector in many breaches, and that risk must be evaluated based on the asset’s exposure and criticality within the internal environment.

How to eliminate wrong answers

Option A is wrong because accepting the risk without verification ignores the fact that internal network access can lead to exploitation, and risk acceptance requires formal approval and justification, not a simple dismissal. Option B is wrong because dismissing a finding solely because the scanner is known for false positives is negligent; each finding must be manually verified, as scanners can produce both false positives and false negatives, and internal threats are real. Option C is wrong because removing the server from the network is an extreme, unnecessary measure that disrupts business operations; the correct approach is to verify and remediate the vulnerability, not isolate the asset without analysis.

55
MCQmedium

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address against an administrative account. The SIEM has not generated an alert. Which configuration change would best detect this scenario?

A.Enable signature-based detection on the IDS
B.Implement a host-based IDS on the server
C.Create a SIEM correlation rule to alert on multiple failed logins from the same source
D.Increase log retention to 1 year
AnswerC

A SIEM correlation rule can aggregate failed login events and trigger an alert when a threshold is met, which directly addresses the scenario.

Why this answer

Option C is correct because a SIEM correlation rule can specifically detect multiple failed login attempts from the same source IP address by aggregating and analyzing log events in real time. Unlike signature-based or host-based IDS solutions, a SIEM correlation rule can be tuned to match this exact behavioral pattern, triggering an alert when the configured threshold (e.g., 5 failures within 10 minutes) is exceeded. This directly addresses the gap where the SIEM failed to generate an alert due to the absence of such a rule.

Exam trap

The trap here is that candidates often confuse the roles of IDS/IPS and SIEM, mistakenly thinking signature-based or host-based IDS can natively correlate login failures from a single source, when in fact SIEM correlation rules are specifically designed for this multi-event behavioral detection.

How to eliminate wrong answers

Option A is wrong because signature-based detection on an IDS relies on known attack patterns (e.g., SQL injection signatures) and cannot detect behavioral anomalies like multiple failed logins from a single IP unless a specific signature is written for that pattern, which is inefficient and not the standard approach. Option B is wrong because a host-based IDS (HIDS) monitors local system calls and file integrity on the server, but it does not natively correlate login attempts across multiple log sources or aggregate events from a single source IP; it would only see individual login failures without context. Option D is wrong because increasing log retention to 1 year does not enable detection of ongoing attacks; it only preserves historical data for forensic analysis after an incident has occurred, failing to provide real-time alerting.

56
MCQhard

An organization's risk register lists a vulnerability with an annualized loss expectancy (ALE) of $50,000. The cost of implementing a mitigation control is $40,000 with an expected lifespan of 5 years. The control is expected to reduce the ALE by 80%. What is the net present value (NPV) of implementing this control over 5 years, assuming a discount rate of 5%? (Ignore residual risk for simplicity.)

A.$120,000
B.$133,180
C.$200,000
D.$160,000
AnswerB

Correctly calculated NPV.

Why this answer

The correct answer is B because the net present value (NPV) is calculated by subtracting the initial control cost from the present value of the annual savings over 5 years. The control reduces the ALE by 80%, saving $40,000 per year ($50,000 × 0.8). Using a 5% discount rate, the present value of these savings is $40,000 × 4.3295 (PV annuity factor for 5 years at 5%) = $173,180.

Subtracting the $40,000 implementation cost gives an NPV of $133,180.
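The discounting step written out with the page's own figures, as an added derivation that is not part of the original explanation; it shows where the annuity factor 4.3295 comes from (C_0 denotes the $40,000 implementation cost):

$$\text{Annual saving} = 0.80 \times \$50{,}000 = \$40{,}000$$

$$PV = \sum_{t=1}^{5} \frac{40{,}000}{1.05^{t}} = 40{,}000 \cdot \frac{1 - 1.05^{-5}}{0.05} \approx 40{,}000 \times 4.3295 = \$173{,}180$$

$$NPV = PV - C_0 = 173{,}180 - 40{,}000 = \$133{,}180$$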

Exam trap

The trap here is that candidates often forget to discount future savings to present value, leading them to pick the undiscounted total savings ($200,000) or a simple subtraction ($160,000), rather than applying the 5% discount rate correctly.

How to eliminate wrong answers

Option A is wrong because $120,000 does not correspond to any step of the calculation: the undiscounted savings ($40,000 × 5 = $200,000) minus the control cost ($40,000) give $160,000, not $120,000, and neither figure applies the discount rate. Option C is wrong because $200,000 is the total undiscounted savings over 5 years without subtracting the control cost or applying the discount rate. Option D is wrong because $160,000 is the simple subtraction of the control cost from the undiscounted savings ($200,000 − $40,000), which ignores the time value of money; it could also come from a 4-year savings calculation ($40,000 × 4), but either way it fails to apply the 5% discount rate.

57
Multi-Selectmedium

A security analyst is configuring a SIEM to detect potential data exfiltration. Which TWO log sources are most critical for detecting large outbound data transfers?

Select 2 answers
A.Network flow logs (e.g., NetFlow)
B.DNS logs
C.Proxy logs
D.System event logs
E.Application error logs
AnswersA, C

Correct: Network flow logs provide data on traffic volume and destinations.

Why this answer

Network flow logs (e.g., NetFlow) are critical because they provide metadata about all network conversations, including source/destination IPs, ports, protocols, and byte counts. By analyzing flow records, a SIEM can detect anomalous spikes in outbound traffic volume or connections to unusual external hosts, which are strong indicators of data exfiltration. NetFlow does not inspect packet payloads, but its aggregated traffic patterns make it ideal for identifying large-scale transfers.

Exam trap

Cisco often tests the misconception that DNS logs are sufficient for detecting exfiltration (e.g., via DNS tunneling), but the question specifically asks for detecting 'large outbound data transfers,' which require volume-based analysis from NetFlow or proxy logs, not just query patterns.

58
Multi-Selecthard

An organization is implementing a new vulnerability management program. The CISO wants to establish remediation SLAs based on risk severity. Which THREE of the following are commonly recommended SLAs?

Select 3 answers
A.High: 30 days
B.Informational: No SLA
C.Medium: 90 days
D.Critical: 24-72 hours
E.Low: 180 days
AnswersA, C, D

High vulnerabilities typically have 30-day SLA.

Why this answer

Option A is correct because high-severity vulnerabilities typically require remediation within 30 days to balance risk reduction with operational feasibility. This aligns with common industry frameworks like PCI DSS and NIST SP 800-53, which recommend 30-day SLAs for high-risk findings to prevent exploitation while allowing time for patching cycles.

Exam trap

Cisco often tests the misconception that all vulnerability severities must have a formal SLA, but informational findings are excluded because they pose no exploitable risk and are typically documented for awareness only.

59
MCQeasy

Which type of IDS monitors network traffic at a specific network segment and analyzes packets for malicious patterns?

A.NIDS
B.HIDS
C.UBA
D.SIEM
AnswerA

Network-based IDS monitors network traffic for malicious patterns.

Why this answer

A Network Intrusion Detection System (NIDS) is specifically designed to monitor traffic on a network segment, capturing packets in real time and analyzing them for known attack signatures or anomalous patterns. Unlike host-based systems, NIDS operates at the network layer, inspecting headers and payloads to detect malicious activity such as port scans, DoS attacks, or exploit attempts.

Exam trap

Cisco often tests the distinction between network-based and host-based monitoring, and the trap here is that candidates confuse HIDS with NIDS because both involve 'intrusion detection,' but HIDS operates on the host while NIDS operates on the network segment.

How to eliminate wrong answers

Option B (HIDS) is wrong because a Host-based Intrusion Detection System monitors activities on a single host (e.g., system logs, file integrity, process behavior), not network traffic at a segment level. Option C (UBA) is wrong because User Behavior Analytics focuses on identifying deviations in user activity patterns, often using machine learning, rather than analyzing raw network packets for malicious patterns. Option D (SIEM) is wrong because a Security Information and Event Management system aggregates and correlates logs from multiple sources, but does not directly capture or analyze network packets at a segment level.

60
MCQmedium

An organization wants to detect insider threats by identifying abnormal user behavior. Which technology is best suited for this purpose?

A.User Behavior Analytics (UBA)
B.Network-based IDS
C.Vulnerability scanner
D.Signature-based antivirus
AnswerA

UBA specifically analyzes user behavior to detect anomalies that may indicate insider threats.

Why this answer

User Behavior Analytics (UBA) is specifically designed to detect insider threats by establishing a baseline of normal user activity and then identifying anomalous deviations, such as unusual login times, abnormal data access patterns, or atypical file transfers. Unlike other security tools that rely on known signatures or network traffic patterns, UBA applies machine learning and statistical modeling to user-centric data (e.g., authentication logs, file system events, and endpoint activity) to uncover subtle, non-signature-based indicators of malicious insider behavior.

Exam trap

The trap here is that candidates often confuse Network-based IDS (which detects network-level attacks) with user behavior analysis, failing to recognize that insider threats typically involve legitimate credentials and non-malicious network traffic that bypass signature-based detection.

How to eliminate wrong answers

Option B is wrong because a Network-based IDS (Intrusion Detection System) monitors network traffic for known attack signatures or protocol anomalies, but it lacks the user-context and behavioral baseline needed to detect insider threats that do not generate malicious network packets (e.g., a user exfiltrating data via legitimate cloud storage). Option C is wrong because a vulnerability scanner identifies known software weaknesses (e.g., missing patches, misconfigurations) by comparing system states against a database of CVEs; it does not analyze user behavior or detect ongoing anomalous actions. Option D is wrong because signature-based antivirus relies on static file signatures and heuristics to detect known malware; it cannot identify abnormal user behavior such as a legitimate user accessing files outside their normal pattern or performing unauthorized privilege escalation.

61
MCQeasy

A security team identifies a vulnerability in a web application that allows SQL injection. Which risk response strategy involves implementing input validation and parameterized queries to reduce the risk to an acceptable level?

A.Risk transfer
B.Risk mitigation
C.Risk acceptance
D.Risk avoidance
AnswerB

Mitigation applies controls to reduce risk.

Why this answer

Option B is correct because risk mitigation involves applying controls to reduce the likelihood or impact of a risk to an acceptable level. Implementing input validation and parameterized queries directly addresses the SQL injection vulnerability by preventing malicious SQL from being executed, thereby reducing the risk without eliminating the application's functionality.

Exam trap

Cisco often tests the distinction between risk mitigation (applying controls to reduce risk) and risk avoidance (eliminating the activity entirely), tricking candidates who think input validation removes the risk completely rather than reducing it to an acceptable level.

How to eliminate wrong answers

Option A is wrong because risk transfer shifts the financial burden of a loss to a third party (e.g., insurance), not the technical control of the vulnerability. Option C is wrong because risk acceptance means acknowledging the risk without taking action, which contradicts the active implementation of security controls. Option D is wrong because risk avoidance would require removing the vulnerable web application entirely or disabling the feature that allows user input, which is not the same as applying input validation and parameterized queries.

62
MCQmedium

A vulnerability scan identifies a critical flaw in a web server. The server is currently in production and cannot be patched immediately due to compatibility issues. The risk response chosen is to implement a web application firewall (WAF) rule to block exploitation attempts. This is an example of which risk response?

A.Risk acceptance
B.Risk avoidance
C.Risk transfer
D.Risk mitigation
AnswerD

Applying a WAF rule reduces the risk without eliminating it entirely.

Why this answer

Implementing a WAF rule to block exploitation attempts reduces the likelihood or impact of the vulnerability without removing the flaw itself. This is a classic risk mitigation technique, as it applies a compensating control to lower residual risk while the server remains unpatched. Risk mitigation involves taking action to reduce risk to an acceptable level, which is exactly what deploying a WAF signature achieves.

Exam trap

Cisco often tests the distinction between risk mitigation and risk avoidance, where candidates mistakenly think that blocking exploitation attempts 'avoids' the risk, but avoidance requires eliminating the vulnerability entirely (e.g., removing the server), not just reducing its exploitability.

How to eliminate wrong answers

Option A is wrong because risk acceptance means acknowledging the risk and taking no action to reduce it, whereas a WAF rule is an active control. Option B is wrong because risk avoidance would require removing the vulnerable server from production or disabling the affected service entirely, not just blocking exploit attempts. Option C is wrong because risk transfer involves shifting the financial impact of a loss to a third party (e.g., insurance or outsourcing), not implementing a technical control like a WAF.

63
Multi-Selecthard

A SIEM correlation rule triggers when an administrative account logs in after hours and subsequently performs a bulk export of a customer database. Which THREE threat types does this scenario most likely indicate?

Select 3 answers
A.Malware infection
B.Denial of service
C.Privilege escalation
D.Data exfiltration
E.Insider threat
AnswersC, D, E

After-hours admin login may indicate escalation or misuse.

Why this answer

Option C is correct because the scenario describes an administrative account performing actions (after-hours login and bulk database export) that exceed its normal privileges or intended use, which is the essence of privilege escalation. The SIEM rule detects this by correlating the account's elevated access with anomalous behavior, indicating the account may have been compromised or misused to gain unauthorized capabilities.

Exam trap

The trap here is that candidates may confuse 'insider threat' (Option E) with 'privilege escalation' (Option C), but the question asks for three threat types, and both are distinct: privilege escalation focuses on the abuse of elevated access, while insider threat is the broader category of malicious or negligent actions by authorized users.

64
MCQ · hard

A security analyst is configuring a SIEM to detect data exfiltration. Which of the following correlation rules would best identify potential data exfiltration via DNS tunneling?

A. Correlate high outbound DNS query volume with requests to newly registered or suspicious domains
B. Correlate multiple failed logins from a single IP
C. Alert on any single failed login attempt
D. Alert when a user accesses a file share after hours
Answer: A

This pattern matches DNS tunneling behavior.

Why this answer

DNS tunneling encodes data in DNS queries and responses, often generating a high volume of outbound queries to domains that are newly registered or otherwise suspicious. Correlating these two indicators—unusual query volume and suspicious domain characteristics—directly targets the behavior of DNS tunneling, making it the most effective rule for detecting this exfiltration technique.

Exam trap

The trap here is that candidates often confuse general anomaly detection (like failed logins or after-hours access) with the specific network-layer indicators of DNS tunneling, failing to recognize that DNS tunneling is characterized by unusual DNS query patterns to suspicious domains, not by authentication or file access events.

How to eliminate wrong answers

Option B is wrong because multiple failed logins from a single IP indicate a brute-force or credential-stuffing attack, not data exfiltration via DNS tunneling. Option C is wrong because alerting on any single failed login attempt would generate excessive false positives and does not correlate with DNS tunneling behavior. Option D is wrong because after-hours file access may indicate insider threat or policy violation but is unrelated to the network-level anomaly of DNS tunneling.

65
Multi-Select · easy

Which TWO of the following are examples of vulnerability sources? (Choose TWO.)

Select 2 answers
A. Environmental disaster
B. CVE entries
C. Intentional human attack
D. Hardware failure
E. Configuration weaknesses
Answers: B, E

CVE entries are standardized identifiers for known vulnerabilities.

Why this answer

CVE entries are a structured, publicly accessible catalog of known vulnerabilities, each assigned a unique identifier (CVE-ID) and description. They serve as a primary source for identifying specific software or hardware weaknesses that can be exploited, making them a definitive vulnerability source for risk identification and monitoring.

Exam trap

Cisco often tests the distinction between a vulnerability source (e.g., CVE, configuration weakness) and a threat (e.g., attack, disaster), causing candidates to mistakenly select threat events like environmental disasters or human attacks as vulnerability sources.

66
MCQ · medium

An organization decides to implement CIS Benchmarks on all Windows servers. They choose Level 1 settings. What does Level 1 represent?

A. Maximum security with high operational impact
B. Equivalent to DISA STIGs
C. Only applicable to critical systems
D. Basic security hygiene with minimal impact
Answer: D

Level 1 is intended to be broadly applicable with low disruption.

Why this answer

CIS Benchmarks define Level 1 as a set of configuration settings intended to provide basic security hygiene with minimal impact on business operations. These settings are designed to be easily implemented without causing significant performance degradation or service disruption, making them suitable for most systems. Level 1 focuses on essential security controls that address common vulnerabilities while maintaining system usability.

Exam trap

The trap here is that candidates often confuse Level 1 with 'maximum security' or assume it is only for critical systems, when in fact Level 1 is the baseline recommended for all systems to achieve a practical security posture without disrupting operations.

How to eliminate wrong answers

Option A is wrong because Level 1 is not about maximum security; maximum security with high operational impact is characteristic of Level 2 settings, which may disable features or enforce stricter policies that can affect performance. Option B is wrong because CIS Benchmarks and DISA STIGs are separate frameworks; while they may overlap in some controls, STIGs are typically more restrictive and aligned with U.S. Department of Defense requirements, not equivalent to CIS Level 1.

Option C is wrong because Level 1 is explicitly designed for general-purpose systems, not only critical systems; critical systems often require Level 2 or additional custom hardening.

67
MCQ · easy

During a qualitative risk analysis, an organization rates the likelihood of a flood as 'Low' and the impact as 'High'. Using a standard 3x3 risk matrix, what is the overall risk rating?

A. High
B. Critical
C. Medium
D. Low
Answer: C

Low likelihood and High impact map to Medium risk in most qualitative matrices.

Why this answer

In a standard 3x3 risk matrix, the overall risk rating is derived by combining the likelihood and impact ratings. With likelihood rated as 'Low' and impact as 'High', the intersection in the matrix typically yields a 'Medium' risk rating. This is because the matrix is designed to balance low probability events with high consequences, resulting in a moderate overall risk level.

Exam trap

The trap here is that candidates may incorrectly assume that a 'High' impact automatically results in a 'High' overall risk, ignoring the moderating effect of a 'Low' likelihood in a standard 3x3 matrix.

How to eliminate wrong answers

Option A is wrong because 'High' would require both likelihood and impact to be rated 'High' (or, in some matrices, one 'High' and the other 'Medium'), but here likelihood is 'Low'. Option B is wrong because 'Critical' is not a standard rating in a 3x3 risk matrix; such matrices typically use only Low, Medium, and High. Option D is wrong because 'Low' would require both ratings to be 'Low' (or, in some matrices, likelihood 'Low' with impact 'Medium'), but impact is 'High', which elevates the risk above 'Low'.

68
MCQ · hard

A company's security policy requires that all servers be hardened according to CIS Level 1 benchmarks. During an audit, it is discovered that a server has password complexity settings that exceed Level 1 requirements. Which of the following is the most appropriate action?

A. Report the non-compliance to management for remediation
B. Implement Level 2 benchmarks to be consistent
C. Immediately revert to Level 1 settings to ensure compliance
D. Document the deviation and accept the stronger configuration
Answer: D

Correct: Stronger settings are acceptable but should be documented for audit purposes.

Why this answer

Option D is correct because exceeding CIS Level 1 password complexity requirements represents a stronger security posture, not a violation. CIS benchmarks define Level 1 as a minimum baseline of essential security controls, and deviations that improve security are acceptable as long as they are documented and formally accepted by management. The key principle is that compliance is measured against the minimum baseline, and stronger configurations are permitted with proper risk acceptance.

Exam trap

The trap here is that candidates mistakenly treat any deviation from a baseline as non-compliance, failing to recognize that exceeding the minimum requirements is acceptable and should be documented rather than reverted or escalated.

How to eliminate wrong answers

Option A is wrong because reporting non-compliance implies a violation, but exceeding Level 1 requirements is not a compliance failure—it is a stronger configuration that should be documented, not escalated as a finding. Option B is wrong because implementing Level 2 benchmarks is unnecessary and could introduce operational overhead or compatibility issues; the policy explicitly requires Level 1, and Level 2 is a separate, more restrictive set of controls not mandated here. Option C is wrong because immediately reverting to Level 1 settings would weaken security without justification, violating the principle of least privilege and potentially exposing the system to password-based attacks.

69
Multi-Select · medium

Which TWO of the following are common techniques used in quantitative risk analysis?

Select 2 answers
A. Exposure Factor (EF)
B. Asset Value (AV)
C. Risk rating (High/Medium/Low)
D. Probability and impact matrix
E. Delphi technique
Answers: A, B

EF is a percentage used in SLE calculation.

Why this answer

Exposure Factor (EF) is a core quantitative metric representing the percentage of asset value lost when a specific threat occurs. It is used in quantitative risk analysis to calculate Single Loss Expectancy (SLE = AV × EF) and Annualized Loss Expectancy (ALE = SLE × ARO), enabling numerical risk prioritization.

Exam trap

Cisco often tests the distinction between qualitative and quantitative methods by listing qualitative tools (like risk ratings, probability-impact matrices, and Delphi) as distractors, expecting candidates to recognize that only metrics like EF, AV, SLE, and ALE are truly quantitative.

70
MCQ · medium

After implementing a new IDS, the security team receives numerous alerts about legitimate traffic being flagged as malicious. This phenomenon is known as:

A. False positives
B. Noise
C. False negatives
D. True positives
Answer: A

Correct: Legitimate traffic flagged as malicious is a false positive.

Why this answer

A false positive occurs when the IDS incorrectly classifies legitimate traffic as malicious, generating an alert for benign activity. This is a common issue after deploying a new IDS with default or overly sensitive signature sets, leading to alert fatigue. The core reasoning is that the IDS's detection logic (e.g., pattern matching or anomaly thresholds) misidentifies normal behavior as an attack.

Exam trap

The trap here is that candidates confuse 'false positives' with 'noise' (Option B), but noise is a broader category that includes false positives as well as other irrelevant alerts, while the question specifically describes legitimate traffic being flagged as malicious, which is the precise definition of a false positive.

How to eliminate wrong answers

Option B (Noise) is wrong because noise refers to irrelevant or low-value alerts that may be triggered by benign events, but it is not the specific term for legitimate traffic flagged as malicious—noise often includes false positives but also encompasses other non-actionable alerts. Option C (False negatives) is wrong because false negatives occur when the IDS fails to detect actual malicious traffic, not when it flags legitimate traffic. Option D (True positives) is wrong because true positives are alerts that correctly identify actual malicious activity, which is the opposite of the scenario described.

71
Multi-Select · hard

A security team is implementing User Behavior Analytics (UBA) to detect insider threats. Which THREE types of activities would most likely indicate a compromised account?

Select 3 answers
A. Accessing systems not normally used by the user
B. Downloading large volumes of data
C. Logging in during normal business hours from a known workstation
D. Printing a document
E. Accessing sensitive files after hours
Answers: A, B, E

Correct: Lateral movement often involves accessing unusual systems.

Why this answer

Accessing systems not normally used by the user (A) is a strong indicator of a compromised account because User Behavior Analytics (UBA) builds a baseline of each user's typical access patterns, including which servers, applications, or network segments they routinely interact with. A deviation from this baseline—such as authenticating to a system outside the user's job function—triggers an anomaly score, as it suggests an attacker is using stolen credentials to move laterally. This aligns with the MITRE ATT&CK technique T1078 (Valid Accounts) and is a core detection signal in UBA platforms like Splunk UBA or Microsoft Sentinel UEBA.

Exam trap

The trap here is that candidates often assume any 'sensitive file access' is automatically malicious, but UBA requires a deviation from the user's baseline—accessing sensitive files after hours (E) is anomalous only if the user never does so during normal hours, whereas accessing systems not normally used (A) is a clearer deviation from established patterns.

72
MCQ · medium

A security analyst notices a large number of failed login attempts from a single IP address targeting multiple user accounts within a short time frame. Which type of detection method in a SIEM would most effectively identify this pattern?

A. Signature-based detection
B. Heuristic detection
C. Anomaly-based detection
D. Rule-based detection
Answer: C

Anomaly-based detection identifies deviations from a baseline, such as unusual login failure rates.

Why this answer

Anomaly-based detection establishes a baseline of normal user behavior and flags deviations, such as a sudden spike in failed logins from a single IP across multiple accounts. This pattern—a brute-force attack—does not match a known signature, so anomaly detection is the most effective SIEM method for identifying it.

Exam trap

Cisco often tests the distinction between anomaly-based and rule-based detection, where candidates mistakenly choose rule-based because it can be configured with a threshold, but the question emphasizes 'most effectively identify this pattern'—anomaly detection adapts to baseline changes without manual rule tuning.

How to eliminate wrong answers

Option A is wrong because signature-based detection relies on predefined patterns (e.g., known malware hashes or attack strings) and cannot identify novel or pattern-based attacks like a brute-force login attempt unless a specific signature for that exact IP and time window exists. Option B is wrong because heuristic detection uses generalized rules or algorithms to infer malicious intent (e.g., scoring behaviors), but it is typically applied to file or process analysis, not to aggregate login patterns across multiple accounts from a single source. Option D is wrong because rule-based detection uses static, manually defined conditions (e.g., 'alert if >5 failures in 1 minute'), which can detect this pattern but lacks the adaptive baseline learning of anomaly detection; it is less effective at reducing false positives in dynamic environments.

73
Multi-Select · easy

A security manager is evaluating log sources for a SIEM implementation. Which THREE of the following are considered log types that should be included?

Select 3 answers
A. Security logs
B. System logs
C. Network logs
D. Physical access logs
E. Application logs
Answers: A, B, E

Security logs record security events such as logins.

Why this answer

Security logs (A) are correct because they record authentication events, privilege use, and policy violations, which are essential for detecting unauthorized access and compliance auditing in a SIEM. These logs typically come from operating systems, firewalls, and IDS/IPS, providing critical data for incident detection and forensic analysis.

Exam trap

The trap here is that candidates may think 'network logs' are a standard log type, but the SSCP exam expects you to recognize that network logs are a subset of security or system logs, not a separate primary log type, and that physical access logs are not part of the core IT log sources for a SIEM.

74
Multi-Select · medium

A security analyst is reviewing logs for signs of data exfiltration. Which TWO log sources would provide the most relevant evidence? (Choose TWO.)

Select 2 answers
A. Application logs
B. File server audit logs
C. System logs
D. Firewall logs
E. DNS logs
Answers: B, D

File server audit logs track file access, copies, and movements, which are key for detecting exfiltration.

Why this answer

File server audit logs track access to files, including reads, copies, and modifications, which directly indicate data exfiltration attempts. Firewall logs record outbound connections, destination IPs, and data volumes, revealing unauthorized data transfers to external hosts. Together, they provide both the source and destination evidence needed to confirm exfiltration.

Exam trap

Cisco often tests the misconception that DNS logs alone can detect exfiltration, but DNS queries only show domain lookups, not the actual data transfer, and attackers can use DNS tunneling to hide data in queries, making firewall logs essential for spotting anomalous outbound traffic patterns.
