CCNA Security Ops Admin Questions

75 of 79 questions · Page 1/2 · Security Ops Admin topic · Answers revealed

1
MCQmedium

An analyst runs the netstat command on a web server. Based on the output, which connection is the MOST suspicious?

A.The connection from 203.0.113.5:8080
B.The connection from 192.168.1.10:54321
C.The connection from 10.0.2.50:44350
D.The listening on 0.0.0.0:80
AnswerA

203.0.113.5 is a TEST-NET address (RFC 5737) rarely used in production, and source port 8080 is atypical for a client.

Why this answer

Option B is correct because the external IP 203.0.113.5 from the documentation range is connecting on an unusual source port (8080), which is often used for proxies or tunneling. Option A is wrong because 192.168.1.10 is a private IP with a high ephemeral port, typical. Option C is wrong because 10.0.2.50 is internal.

Option D is wrong because the listening port is expected.

2
MCQmedium

Refer to the exhibit. An administrator implements this firewall rule. What is the intended effect?

A.It blocks all inbound and outbound traffic on port 445.
B.It prevents inbound SMB connections from other domain computers.
C.It prevents this computer from initiating SMB connections to other computers.
D.It applies to all network profiles (Domain, Private, Public).
AnswerC

Outbound block on port 445 stops this machine from connecting to others via SMB.

Why this answer

The firewall rule shown is an outbound rule that blocks TCP port 445, which is used by SMB (Server Message Block). By blocking outbound traffic on this port, the computer is prevented from initiating SMB connections to other computers, while still allowing inbound SMB connections. This is a common security measure to prevent a compromised machine from spreading malware or accessing file shares on other systems.

Exam trap

The trap here is that candidates often confuse outbound and inbound rules, assuming a rule blocking port 445 affects all traffic on that port, when in fact it only blocks traffic in one direction.

How to eliminate wrong answers

Option A is wrong because the rule only blocks outbound traffic on port 445, not inbound traffic; inbound SMB connections are still permitted. Option B is wrong because the rule does not affect inbound SMB connections; it only blocks outbound SMB traffic, so other domain computers can still initiate SMB connections to this computer. Option D is wrong because the rule is explicitly scoped to the Domain profile only, as indicated by the 'Domain' profile selection in the rule; it does not apply to Private or Public profiles.

3
MCQhard

A security administrator is implementing change management for a critical financial system. Which of the following is the MOST important control to prevent unauthorized changes?

A.Implement a staging environment to test all changes
B.Enforce a formal approval process via a change advisory board
C.Notify all users before the change window
D.Require a documented backout plan for every change
AnswerB

A CAB provides review and approval, preventing unauthorized changes.

Why this answer

Option D is correct because a formal approval process ensures that changes are reviewed and authorized before implementation. Option A is wrong because testing in a staging environment, while important, does not prevent unauthorized changes. Option B is wrong because backout plans are for recovery, not prevention.

Option C is wrong because notification to users is a communication step, not a preventive control.

4
Multi-Selecteasy

Which TWO of the following are key components of a data classification policy? (Select the two best answers.)

Select 2 answers
A.Encryption algorithm selection
B.Firewall rules
C.Classification labels
D.Data custodian responsibilities
E.Backup schedules
AnswersC, D

Labels define the sensitivity levels.

5
MCQeasy

A security administrator needs to set file permissions on a shared folder so that only members of the 'Finance' group can read and write to it. All existing permissions should be removed. Which command should the administrator use?

A.cacls shared_folder /E /P Finance:RW
B.icacls shared_folder /grant Finance:(F) /inheritance:r
C.icacls shared_folder /grant Finance:(M) /inheritance:r
D.icacls shared_folder /grant Finance:(RW)
AnswerC

Modify includes read and write, and /inheritance:r removes inherited permissions.

Why this answer

Option A is correct because 'icacls shared_folder /grant Finance:(M) /inheritance:r' grants Modify (read+write) and removes inheritance. Option B is wrong because 'cacls' is deprecated and the syntax is incorrect. Option C is wrong because Full Control (F) grants more than read/write.

Option D is wrong because (RW) is not a valid icacls permission mask.

6
Multi-Selecteasy

A security operations team is developing an incident response plan. Which TWO steps are part of the 'containment, eradication, and recovery' phase? (Choose two.)

Select 2 answers
A.Conducting a lessons learned meeting
B.Restoring systems from known good backups
C.Identifying the root cause of the incident
D.Preserving forensic evidence
E.Isolating affected systems from the network
AnswersB, E

This is part of recovery after eradication.

Why this answer

Options A and B are correct because isolation is containment and restoration is recovery. Option C is post-incident. Option D is part of identification/analysis.

Option E is part of preparation and identification.

7
MCQhard

During a security assessment, a penetration tester discovers that a web application allows users to upload files without proper validation. The tester successfully uploads a PHP web shell. Which control would have MOST effectively prevented this exploitation?

A.Disable PHP execution in the upload directory.
B.Implement a WAF rule to block common webshell patterns.
C.Enable audit logging for file uploads.
D.Validate file extension and content type on the server side.
AnswerD

Proper validation blocks malicious files at upload.

Why this answer

Option D is correct because server-side validation of both file extension and content type (e.g., MIME type magic bytes) is the most effective control to prevent uploading executable files like a PHP web shell. Without this validation, an attacker can bypass client-side checks and upload a malicious script that the server will execute. Disabling PHP execution in the upload directory (Option A) is a compensating control but does not prevent the upload itself, and a WAF rule (Option B) can be evaded with obfuscation or encoding.

Exam trap

The trap here is that candidates often choose Option A (disabling PHP execution) because it seems like a direct fix, but the SSCP exam tests the principle that preventing the upload of malicious files (input validation) is more fundamental than mitigating execution after the fact.

How to eliminate wrong answers

Option A is wrong because disabling PHP execution in the upload directory only prevents the uploaded shell from running, but the file is still stored on the server and could be exploited via other means (e.g., include attacks or bypassing execution restrictions). Option B is wrong because a WAF rule that blocks common webshell patterns relies on signature-based detection, which can be evaded with obfuscation, encoding, or polymorphic code, and does not address the root cause of missing input validation. Option C is wrong because audit logging only records the upload event after it occurs; it does not prevent the exploitation and is a detective, not a preventive, control.

8
MCQhard

Refer to the exhibit. A security analyst reviews these iptables rules and expects SSH access to be blocked, but it is still allowed. What is the MOST likely reason?

A.The DROP rule does not apply to SSH.
B.The DROP rule is misconfigured with wrong source.
C.The ACCEPT rule matches before the DROP rule.
D.The default policy allows traffic, overriding the DROP rule.
AnswerC

iptables processes rules in order; the first match wins.

Why this answer

C is correct because iptables processes rules in sequential order, and the first matching rule determines the packet's fate. In this scenario, the ACCEPT rule for SSH (typically matching on port 22) appears before the DROP rule in the chain, so incoming SSH packets match the ACCEPT rule first and are permitted, never reaching the subsequent DROP rule. This is a classic ordering issue where a more specific allow rule precedes a general deny rule.

Exam trap

The trap here is that candidates often assume iptables evaluates all rules and applies the most restrictive one, but in reality, iptables uses first-match logic, so rule order is critical.

How to eliminate wrong answers

Option A is wrong because the DROP rule likely does apply to SSH if it matches on the SSH port (22) or protocol (TCP), but the rule order prevents it from being evaluated. Option B is wrong because the DROP rule's source address is irrelevant if the rule is never reached due to a preceding ACCEPT rule; a misconfigured source would cause a different behavior (e.g., blocking wrong traffic), not allow SSH when it should be blocked. Option D is wrong because the default policy (typically ACCEPT or DROP) only applies to packets that do not match any explicit rule; here, an explicit ACCEPT rule matches SSH, so the default policy is never consulted.

9
Multi-Selecthard

A security administrator is tasked with managing user access. Which THREE of the following are principles of least privilege? (Choose three.)

Select 3 answers
A.Implement mandatory access control.
B.Require manager approval for privilege escalation.
C.Grant users the minimum rights needed to perform their job.
D.Use separate accounts for administrative tasks.
E.Remove access when no longer required.
AnswersC, D, E

This is the core of least privilege.

Why this answer

Option C is correct because the principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. This minimizes the attack surface and limits potential damage from accidental or malicious actions. It is a foundational access control concept enforced through role-based access control (RBAC) or attribute-based access control (ABAC) policies.

Exam trap

The trap here is that candidates confuse security principles (like least privilege) with security mechanisms (like MAC) or administrative processes (like approval workflows), leading them to select options that are related but not direct statements of the principle itself.

10
MCQhard

You are the security administrator for a mid-sized financial company that processes credit card transactions. The company has a mix of on-premises servers and cloud-based services. Recently, the company experienced a data breach where an attacker exfiltrated customer data from a database server. The investigation reveals that the attacker used compromised credentials of a database administrator (DBA) account. The DBA account had been used by multiple administrators without proper auditing. The company wants to implement a solution to prevent such incidents in the future. The solution must: 1) ensure that each administrator has a unique account for database access, 2) require approval for privileged actions, 3) provide a full audit trail of all privileged activities, and 4) be cost-effective. Which of the following is the best course of action?

A.Enforce the use of a shared DBA account with a complex password that is changed monthly.
B.Implement a privileged access management (PAM) solution that provides just-in-time access and session recording.
C.Require multi-factor authentication for all database access without any additional controls.
D.Install a database activity monitoring (DAM) solution that logs all SQL queries.
AnswerB

PAM addresses all requirements: unique accounts (via vault), approval workflows, and full audit trails.

Why this answer

A privileged access management (PAM) solution provides just-in-time access, approval workflows, and session recording, meeting all requirements. Shared accounts violate uniqueness; MFA alone doesn't provide approval or audit; database auditing software logs activities but does not enforce approval.

11
MCQmedium

An organization's help desk receives multiple reports of employees unable to access a critical internal application. The IT team confirms the application server is running. What is the FIRST step in the incident response process?

A.Verify the reports and confirm the scope of the issue
B.Restore the application from the latest backup
C.Remove any malicious software from the server
D.Isolate the affected systems from the network
AnswerA

The incident response process begins with identification and verification.

Why this answer

Option A is correct because the initial step in incident response is to identify and verify the incident. Option B is wrong because containment comes after identification. Option C is wrong because eradication follows containment.

Option D is wrong because recovery is performed after eradication.

12
MCQhard

A financial firm is implementing a new access control system for its critical trading application. The application currently uses local accounts and password authentication. The security team wants to enforce multi-factor authentication (MFA) and centralized user management. The firm has an existing Active Directory (AD) infrastructure and a certificate authority (CA). However, the trading application only supports smart card authentication via PKI and does not support integration with AD directly. The IT team must design a solution that meets security requirements while minimizing changes to the application. Which approach should the team take?

A.Modify the application code to support SAML-based federation
B.Continue using local accounts but require a strong password policy and regular changes
C.Deploy a RADIUS server that forwards authentication to AD and use smart card emulation for the application
D.Set up a separate LDAP directory for the application and sync with AD
AnswerC

RADIUS can translate AD credentials to smart card authentication the app expects, without modifying the app.

Why this answer

Using AD to manage user accounts and deploying a RADIUS server that authenticates against AD and issues smart card credentials to the application provides centralized management and MFA. Option A is not MFA; B would require app changes; D leaves local accounts.

13
MCQhard

What does this log entry most likely indicate?

A.The SSH service is misconfigured
B.A user mistyped their password
C.An attacker is attempting to gain access by guessing usernames
D.The user account 'admin' has been disabled
AnswerC

The presence of an invalid username suggests reconnaissance or brute-force activity.

Why this answer

The log shows a failed SSH authentication for an 'invalid user' (i.e., a username that does not exist on the system). This is typical of a brute-force or reconnaissance attack where the attacker tries common usernames. Option B correctly identifies this as an attacker attempting to guess usernames.

Option A is incorrect because it is not a mistyped password for a valid user. Option C is incorrect as the log does not indicate misconfiguration. Option D is incorrect because the user 'admin' does not exist, not just disabled.

14
MCQhard

During a security audit, it is discovered that several employees have access to shared network drives containing sensitive HR data. The HR manager states that these employees no longer need access. What is the most efficient way to revoke access?

A.Remove the users from the security group that grants access to the drives.
B.Delete the user accounts of the affected employees.
C.Reconfigure the shared drive to deny access to all users except HR.
D.Manually remove each user's permissions on the shared drive.
AnswerA

Group-based management allows efficient revocation by modifying group membership.

Why this answer

The most efficient way to revoke access is to remove the users from the security group that grants access to the drives. In Windows environments, shared drive permissions are typically assigned to Active Directory security groups rather than individual users. By removing the users from the group, their permissions are revoked immediately across all resources that group has access to, without needing to touch each resource individually.

Exam trap

The trap here is that candidates may think manually removing permissions (Option D) is more precise, but they overlook that group-based management is the most efficient and scalable method in enterprise environments, and that deleting accounts (Option B) is a disproportionate response that violates operational continuity.

How to eliminate wrong answers

Option B is wrong because deleting user accounts is an extreme and irreversible action that disrupts all other services and access the employees may need, and it is not a targeted revocation of drive access. Option C is wrong because reconfiguring the shared drive to deny all users except HR would affect all other employees who might legitimately need access, and it does not address the specific users who should lose access without impacting others. Option D is wrong because manually removing each user's permissions on the shared drive is inefficient and error-prone, especially in large environments, and does not leverage group-based access control which is the standard for scalable permission management.

15
MCQhard

A security awareness program is being developed. Which topic is MOST critical for all employees to understand to reduce the risk of social engineering?

A.The risks of posting on social media
B.The proper use of mobile devices
C.How to recognize and report phishing attempts and other suspicious communications
D.How to create strong passwords
AnswerC

Social engineering often uses phishing or pretexting; reporting is vital.

Why this answer

Social engineering attacks, such as phishing, vishing, and smishing, exploit human psychology rather than technical vulnerabilities. The most critical defense for all employees is the ability to recognize indicators of these attacks (e.g., spoofed sender addresses, urgent language, mismatched URLs) and follow the proper reporting procedure to enable rapid incident response. Without this skill, even the strongest technical controls can be bypassed by a single successful click.

Exam trap

ISC2 often tests the distinction between general security best practices (like strong passwords) and the specific, human-focused defense against social engineering, where recognition and reporting are paramount.

How to eliminate wrong answers

Option A is wrong because while social media risks are relevant, they are a subset of social engineering vectors and not the most immediate, universal threat; the primary attack vector is email-based phishing. Option B is wrong because mobile device usage policies (e.g., MDM, encryption) address device security but do not directly train employees to identify deceptive communications. Option D is wrong because strong passwords mitigate credential-guessing attacks, but social engineering bypasses passwords entirely by tricking users into revealing them or executing actions without authentication.

16
Multi-Selectmedium

Which TWO of the following are essential components of a disaster recovery plan (DRP)?

Select 2 answers
A.Recovery Time Objective (RTO)
B.Recovery Point Objective (RPO)
C.Business Continuity Plan (BCP)
D.A RACI matrix for incident response
E.Results of a penetration test
AnswersA, B

RTO is a key metric in DRP.

Why this answer

Options A and D are correct. Recovery Time Objective (RTO) defines the maximum acceptable downtime, and Recovery Point Objective (RPO) defines the maximum acceptable data loss. Option B is wrong while a business continuity plan (BCP) is related, it is broader and not specific to DRP.

Option C is wrong the RACI matrix is for responsibility assignment, not a core DRP component. Option E is wrong a penetration test is a security assessment, not a DRP component.

17
MCQmedium

A government contractor is required to comply with the Federal Information Security Management Act (FISMA). The security officer must implement a continuous monitoring program for all information systems. The contractor uses a mix of on-premises servers and cloud services. The contractor has a SIEM tool that collects logs from all systems. However, the SIEM generates a high number of alerts, many of which are false positives, overwhelming the security team. The team wants to improve the effectiveness of the monitoring program without increasing staff. Which of the following actions would MOST effectively address the issue?

A.Disable alerts for low-severity events
B.Hire additional security analysts to review all alerts
C.Increase the frequency of log collection to every minute
D.Tune the SIEM correlation rules and create custom filters to reduce false positive alerts
AnswerD

This directly reduces alert fatigue and improves efficiency.

Why this answer

Tuning the SIEM correlation rules to reduce false positives will make alerts more actionable and allow the team to focus on real incidents. Option B increases noise; C is expensive and time-consuming; D reduces visibility.

18
Multi-Selectmedium

A security administrator is implementing a change management process. Which TWO of the following are essential components of a change management policy? (Choose two.)

Select 2 answers
A.Vulnerability scanning results
B.A rollback plan
C.Emergency change procedures
D.Automated patch deployment schedule
E.Approval from the change advisory board (CAB)
AnswersB, E

A rollback plan ensures changes can be reversed if needed.

Why this answer

Options C and D are correct because CAB approval ensures proper review and a rollback plan provides a safety net. Option A is not essential for all changes; emergency procedures are a subset. Option B is a specific implementation, not a policy component.

Option E is part of vulnerability management, not change management.

19
MCQmedium

Based on the exhibit, which type of attack is most likely occurring?

A.Brute force attack
B.Man-in-the-middle attack
C.Denial of service attack
D.Social engineering attack
AnswerA

Repeated failed password attempts from same IP is classic brute force.

Why this answer

A brute force attack is most likely occurring because the exhibit shows repeated login attempts with different passwords for the same username, which is the hallmark of an automated password guessing attack. The rapid succession of failed authentication events indicates a systematic trial of credentials, not a single intercepted session or resource exhaustion.

Exam trap

The trap here is that candidates may confuse a brute force attack with a denial of service attack because both can generate high volumes of traffic, but the key differentiator is the repeated authentication failure pattern versus resource exhaustion.

How to eliminate wrong answers

Option B is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, which would show evidence of ARP spoofing, SSL stripping, or session hijacking, not repeated login attempts. Option C is wrong because a denial of service attack aims to overwhelm a system with traffic or requests to cause resource exhaustion, not to guess passwords through multiple authentication failures. Option D is wrong because social engineering attacks rely on manipulating human behavior through deception or impersonation, not on automated password guessing against a system.

20
MCQeasy

A system administrator needs to securely transfer log files from a Linux server to a central log collector. Which protocol should be used to ensure confidentiality and integrity?

A.SSH
C.NFS
D.FTP
AnswerA

SSH provides secure encrypted file transfer via SCP or SFTP.

Why this answer

SSH (Secure Shell) provides encrypted tunnels for data transfer, ensuring both confidentiality and integrity of log files in transit. It uses strong cryptographic algorithms (e.g., AES, ChaCha20) and HMAC-based integrity checks, making it the correct choice for secure file transfer over untrusted networks.

Exam trap

The trap here is that candidates often choose FTP or NFS because they are familiar file transfer protocols, overlooking that neither provides native encryption or integrity, while SSH is the only option that guarantees both through its secure channel.

How to eliminate wrong answers

Option B (SMTP) is wrong because SMTP is a mail transfer protocol that does not natively encrypt payloads or provide integrity verification; it relies on optional STARTTLS extensions for confidentiality, which are not always enforced. Option C (NFS) is wrong because NFS is a network file system protocol designed for shared access, not secure transfer; it lacks built-in encryption and integrity guarantees (unless using NFSv4 with Kerberos, which is not the default). Option D (FTP) is wrong because FTP transmits data and credentials in cleartext, offering no confidentiality or integrity; even FTPS (FTP over SSL/TLS) is not the standard FTP protocol referenced here.

21
MCQmedium

An IT auditor reports that firewall logs are not being reviewed regularly. Which control should be implemented to address this finding?

A.Archive logs to a read-only medium
B.Disable logging for low-priority events
C.Increase the log retention period to 12 months
D.Deploy a Security Information and Event Management (SIEM) system
AnswerD

SIEM automates log monitoring and alerting.

Why this answer

Option B is correct because automated log analysis tools can alert on suspicious activity, reducing reliance on manual review. Option A is wrong because simply increasing log retention does not ensure review. Option C is wrong while archiving logs is good practice, it does not enforce review.

Option D is wrong because disabling log generation is counterproductive.

22
MCQeasy

An employee reports that they cannot access a shared folder on the network. The security administrator checks the permission and finds that the user is in the correct group, but the 'Deny' entry for a different group is blocking access. What is the MOST likely cause?

A.The folder is encrypted with EFS.
B.A Deny ACE is explicitly applied to the user's group.
C.The folder has inherited permissions from the parent.
D.The user is not a member of the correct group.
AnswerB

Deny takes precedence over Allow in NTFS permissions.

Why this answer

In Windows NTFS permissions, a Deny Access Control Entry (ACE) explicitly overrides any Allow ACE, regardless of group membership order. Since the user is in the correct group but a Deny entry on a different group blocks access, the most likely cause is that a Deny ACE is explicitly applied to the user's group (or a group the user belongs to), which takes precedence over Allow permissions. This is a core principle of the Windows discretionary access control model.

Exam trap

ISC2 often tests the misconception that group membership order or inheritance determines permission precedence, when in fact an explicit Deny ACE always overrides any Allow ACE, regardless of the group hierarchy.

How to eliminate wrong answers

Option A is wrong because EFS encryption affects file content access at the file system level, not network share permissions; it does not cause a Deny ACE to block access. Option C is wrong because inherited permissions from the parent folder would not introduce a Deny ACE that overrides the user's explicit Allow unless the Deny is also inherited, but the scenario states the Deny is for a different group, not a conflict of inheritance. Option D is wrong because the user is already confirmed to be in the correct group; the issue is a conflicting Deny ACE, not group membership.

23
MCQeasy

A security administrator is tasked with ensuring that only authorized software can run on company workstations. Which security control should be implemented?

A.Antivirus software
B.Patch management
C.Host-based firewall
D.Application whitelisting
AnswerD

Whitelisting ensures only approved software can run, directly meeting the requirement.

Why this answer

Application whitelisting is the correct control because it explicitly defines a list of approved software that is allowed to execute on workstations. This prevents unauthorized or malicious software from running, even if it bypasses other defenses, by enforcing a default-deny policy at the operating system level (e.g., via Windows AppLocker or Software Restriction Policies). Unlike antivirus, which relies on signatures to detect known threats, whitelisting blocks unknown or unapproved executables by default.

Exam trap

The trap here is that candidates often confuse 'preventing unauthorized software' with 'detecting malware,' leading them to choose antivirus software, but the question specifically asks for a control that ensures only authorized software can run, which requires a default-deny approach like application whitelisting rather than a detection-based tool.

How to eliminate wrong answers

Option A is wrong because antivirus software uses signature-based or heuristic detection to identify known malware, but it cannot prevent execution of unauthorized or custom-coded software that is not yet in its database. Option B is wrong because patch management ensures software is up-to-date with security fixes, but it does not control which applications are allowed to run; it only addresses vulnerabilities in already-installed software. Option C is wrong because a host-based firewall controls network traffic to and from the workstation based on ports and protocols, but it does not restrict which applications can execute locally on the system.

24
MCQhard

A company has a policy requiring segregation of duties (SoD) for financial transactions. Which scenario represents a violation of this principle?

A.The system administrator performs backups, and the security officer reviews audit logs
B.The finance officer approves invoices and also reconciles the bank statements
C.Two managers must each approve any expenditure over $10,000
D.The purchasing manager creates purchase orders, and the accounts payable clerk processes payments
AnswerB

This combines authorization with verification, a SoD violation.

Why this answer

Option C is correct because the same person both approves invoices and reconciles bank statements, combining authorization and review functions. Option A is wrong because separate individuals handle procurement and accounting. Option B is wrong because the separation is maintained.

Option D is wrong because two-level approval still involves separate individuals.

25
MCQeasy

A small business wants to protect its data from ransomware. Which backup strategy provides the BEST protection against an attack where the backup files are also encrypted?

A.Daily backups to a network attached storage (NAS) device
B.Daily cloud backups with versioning
C.Weekly backups to an external hard drive connected via USB
D.Weekly backups to tape stored in a fireproof safe offline
AnswerD

Offline tapes are physically disconnected and cannot be encrypted by ransomware.

Why this answer

Option D is correct because an offline (air-gapped) backup is not accessible from the network, preventing ransomware from encrypting it. Option A is wrong because cloud backups are reachable from the network. Option B is wrong because local external drives attached to the system can be encrypted.

Option C is wrong because tape backups often remain online or on-site, but can still be vulnerable if connected.

26
MCQeasy

An organization wants to prevent unauthorized persons from entering a secure server room. Which control is the MOST effective?

A.Install a CCTV camera at the entrance
B.Require biometric authentication (fingerprint or retina scan) to unlock the door
C.Post a security guard at the entrance during business hours
D.Use a keypad with a unique code for each employee
AnswerB

Biometrics provide strong authentication specific to the individual.

Why this answer

Biometric authentication (fingerprint or retina scan) is the most effective control because it verifies the unique physiological characteristics of an individual, making it extremely difficult to bypass, share, or forge. Unlike knowledge-based (keypad code) or possession-based (key card) factors, biometrics provide strong, non-repudiable proof of identity, which is critical for high-security areas like a server room.

Exam trap

The trap here is that candidates often choose a keypad with a unique code (Option D) thinking it is 'unique per employee' and therefore secure, but they overlook that codes can be easily shared or stolen via shoulder surfing, whereas biometrics are inherently tied to the individual and cannot be transferred.

How to eliminate wrong answers

Option A is wrong because a CCTV camera is a detective control that only records events; it does not prevent unauthorized entry, as it cannot stop a person from walking through the door. Option C is wrong because a security guard is a physical control that can be effective but is limited to business hours, leaving the server room vulnerable during off-hours, and guards can be distracted or bypassed. Option D is wrong because a keypad with a unique code relies on a knowledge factor that can be shared, observed (shoulder surfing), or guessed, and codes can be forgotten or written down, compromising security.

27
MCQhard

An analyst reviews a Windows security log. Given the event, what is the MOST likely cause of the lockout?

A.The user's password was changed and they are using the old password
B.The user's cached credentials are expired
C.A remote attacker is attempting to brute-force the user's password via RDP
D.The user entered the wrong password at the physical console
AnswerC

Logon Type 10 (RemoteInteractive) is RDP, and a lockout indicates multiple failed attempts.

Why this answer

Option C is correct because Logon Type 10 (RemoteInteractive) indicates a Remote Desktop (RDP) session, and multiple failed attempts from the same source often cause lockouts due to brute-force attempts. Option A is wrong because bad password on local console would show Logon Type 2. Option B is wrong because credential caching is not directly related.

Option D is wrong while incorrect password is a reason, the logon type points to RDP, so the attack vector is more specific.

28
MCQeasy

An organization wants to ensure that only authorized devices can connect to its internal network. Which of the following should be implemented?

B.Port security on switches
C.Network access control (NAC)
AnswerC

NAC authenticates devices before network access.

Why this answer

Network Access Control (NAC) is the correct choice because it enforces security policy by evaluating the identity, posture, and compliance of devices before granting network access. NAC solutions (e.g., Cisco ISE, Aruba ClearPass) can authenticate devices via 802.1X, check for antivirus updates or patch levels, and quarantine non-compliant endpoints, ensuring only authorized and healthy devices connect to the internal network.

Exam trap

The trap here is that candidates often confuse Port Security (a Layer 2 MAC-based control) with NAC, but Port Security lacks the authentication, posture assessment, and dynamic policy enforcement that NAC provides, making it insufficient for ensuring only authorized devices connect.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) monitors network traffic for malicious activity but does not control which devices can connect; it only alerts on threats after they appear. Option B is wrong because Port Security on switches limits MAC addresses per port but is a Layer 2 control that can be bypassed by MAC spoofing and does not authenticate device identity or check compliance. Option D is wrong because a Virtual Private Network (VPN) encrypts traffic between remote users and the network but does not restrict which devices can connect to the internal LAN; it assumes the device is already authorized or uses separate authentication.

29
MCQhard

A large e-commerce company has a disaster recovery (DR) plan that requires Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for its customer database. The database runs on a clustered SQL server with synchronous replication to a standby server in a different data center. During a recent test, the IT team found that failover took 3 hours, but due to a replication lag of 45 minutes, some transactions were lost. The team needs to meet both RTO and RPO. Which of the following changes should the team implement FIRST?

A.Implement asynchronous replication to a third site
B.Increase the bandwidth between data centers
C.Shorten the synchronization interval from 45 minutes to 15 minutes
D.Automate the failover process with orchestration scripts to reduce manual steps
AnswerD

Automation can significantly cut failover time from 3 hours to under 4 hours, meeting RTO.

Why this answer

Reducing failover time is the priority to meet RTO; even if RPO is met, the business needs the system up. Option A addresses replication lag but not RTO; B addresses RTO directly; C may increase complexity; D is for RPO.

30
MCQeasy

A company implements a policy that requires all employees to change their passwords every 60 days. Which of the following is the PRIMARY security benefit of this requirement?

A.Ensuring compliance with data privacy laws.
B.Reducing the risk of password reuse across multiple sites.
C.Limiting the window of opportunity for a compromised password.
D.Simplifying the account lockout process.
AnswerC

The shorter the validity, the less time an attacker has.

Why this answer

Password expiration policies limit the exposure window for compromised credentials. If an attacker obtains a password, the 60-day rotation ensures that the stolen credential becomes invalid after that period, reducing the time an attacker can maintain unauthorized access. This is a fundamental security control to mitigate the risk of undetected credential theft.

Exam trap

ISC2 often tests the distinction between a primary security benefit and a secondary compliance or administrative convenience; the trap here is that candidates see 'compliance' (Option A) and assume it is the main goal, but the actual security rationale is limiting the window of opportunity for a compromised password.

How to eliminate wrong answers

Option A is wrong because while password policies may help meet certain regulatory requirements (e.g., PCI DSS, HIPAA), the primary security benefit is not compliance itself—compliance is a secondary outcome, not the core security goal. Option B is wrong because password expiration does not directly prevent password reuse across different sites; that is addressed by password managers, unique password requirements, or blocklists, not rotation frequency. Option D is wrong because password expiration has no direct relationship with the account lockout process; lockout is triggered by failed login attempts, not password age.

31
Multi-Selectmedium

Which TWO of the following are key components of an organization's security policy framework? (Choose two.)

Select 2 answers
A.Standard operating procedures
C.Access control lists
D.Security awareness training
E.Firewall rules
AnswersA, D

Standard operating procedures define how policies are implemented.

Why this answer

Standard operating procedures (SOPs) are a key component of an organization's security policy framework because they provide detailed, step-by-step instructions for implementing security controls and responding to incidents. SOPs operationalize high-level policies into actionable tasks, ensuring consistency and compliance across the organization. They are formal documents that define the 'how' of security operations, such as patch management or user account provisioning.

Exam trap

ISC2 often tests the distinction between policy framework documents (e.g., SOPs, policies) and technical controls (e.g., IDS, ACLs, firewall rules), leading candidates to confuse operational tools with governance components.

32
MCQhard

Refer to the exhibit. A security analyst reviews the log and determines that the system was under a brute force attack. However, the analyst notices that the attack stopped after 5 minutes, and the IP address was not blocked. Which of the following is the MOST likely reason the attack stopped?

A.The SSH server's MaxAuthTries limit was exceeded.
B.The system's account lockout policy prevented further attempts.
C.The attacker achieved successful login.
D.The system's firewall dropped the traffic.
AnswerA

MaxAuthTries causes the connection to close after a set number of failures.

Why this answer

The SSH server's MaxAuthTries limit (default 6 in OpenSSH) causes the server to terminate the connection after a threshold of failed authentication attempts. This stops the attack on that specific TCP session, but does not block the IP address, which explains why the attack ceased after 5 minutes without any persistent block.

Exam trap

The trap here is confusing session-level authentication limits (MaxAuthTries) with persistent account lockout policies or firewall blocks, leading candidates to incorrectly choose account lockout or firewall options.

How to eliminate wrong answers

Option B is wrong because account lockout policies are typically enforced at the OS or PAM level, not by the SSH server itself, and would require a persistent block on the user account, not just a session termination. Option C is wrong because a successful login would show a successful authentication event in the log, not a cessation of attempts without any success record. Option D is wrong because if the firewall dropped the traffic, the IP address would be blocked and no further attempts would appear in the log, but the analyst noted the IP was not blocked.

33
MCQhard

Based on the exhibit, which of the following best describes the firewall configuration?

A.The firewall allows only loopback traffic.
B.The firewall allows all traffic from the internal subnet.
C.The firewall allows SSH, HTTP, and HTTPS from the internal subnet and drops all other traffic.
D.The firewall allows all traffic from external sources.
AnswerC

The rules show ACCEPT for ports 22, 80, 443 from 10.0.0.0/24, and a final DROP all.

Why this answer

The exhibit shows an access control list (ACL) that explicitly permits TCP traffic on ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) from the internal subnet (e.g., 192.168.1.0/24) to any destination, followed by an implicit deny all rule. This configuration allows only SSH, HTTP, and HTTPS from the internal subnet and drops all other traffic, matching option C.

Exam trap

The trap here is that candidates often overlook the implicit deny at the end of an ACL, assuming that only the listed permits exist and that all other traffic is allowed by default, rather than understanding that any traffic not explicitly permitted is dropped.

How to eliminate wrong answers

Option A is wrong because loopback traffic (127.0.0.0/8) is not explicitly permitted or denied in the ACL; the ACL focuses on the internal subnet, not loopback. Option B is wrong because the ACL does not allow all traffic from the internal subnet; it specifically permits only SSH, HTTP, and HTTPS, and denies everything else via the implicit deny. Option D is wrong because the ACL does not allow any traffic from external sources; it only permits traffic from the internal subnet, and external traffic would be subject to the implicit deny unless explicitly permitted.

34
MCQhard

A security analyst is investigating a potential data exfiltration incident. The logs show a large number of outbound DNS queries to a domain that resolves to an IP address in a foreign country. The queries contain encoded strings in the subdomain. Which type of attack is MOST likely occurring?

A.DNS poisoning
B.DNS amplification attack
C.DNS rebinding
D.DNS tunneling
AnswerD

DNS tunneling encodes data in DNS queries and responses for covert exfiltration.

Why this answer

DNS tunneling encodes data within DNS queries and responses to bypass network security controls. The large volume of outbound queries to a foreign IP, combined with encoded subdomain strings, is the classic signature of data exfiltration via DNS tunneling, as the protocol is often allowed through firewalls.

Exam trap

The trap here is that candidates confuse DNS tunneling with DNS amplification because both involve high query volumes, but amplification focuses on response size and reflection, not on encoding data in subdomains for exfiltration.

How to eliminate wrong answers

Option A is wrong because DNS poisoning corrupts the cache of a resolver to redirect traffic to malicious sites, not to exfiltrate data via encoded queries. Option B is wrong because a DNS amplification attack uses open resolvers to flood a victim with large responses, not to send outbound queries with encoded payloads. Option C is wrong because DNS rebinding manipulates DNS responses to bypass same-origin policy for browser-based attacks, not to exfiltrate data through subdomain strings.

35
MCQeasy

An organization implements a new security policy requiring all portable storage devices to be encrypted. Which of the following is the MOST effective control to enforce this policy?

A.Distribute a memo to all employees about the policy.
B.Configure Group Policy to require BitLocker encryption on removable drives.
C.Enable auditing for removable drive usage.
D.Enable BitLocker on all laptops.
AnswerB

Group Policy can enforce encryption for removable drives when supported.

Why this answer

Configuring Group Policy to require BitLocker encryption on removable drives is the most effective control because it enforces the encryption policy automatically and centrally across all domain-joined systems, preventing users from bypassing the requirement. Unlike a memo or auditing, Group Policy provides a technical enforcement mechanism that blocks unencrypted removable media from being used, ensuring compliance without relying on user discretion.

Exam trap

The trap here is that candidates often confuse 'encrypting the system drive' (Option D) with 'encrypting removable drives,' or they assume auditing (Option C) is a preventive control rather than a detective one.

How to eliminate wrong answers

Option A is wrong because distributing a memo is an administrative control that relies on user compliance and provides no technical enforcement, making it ineffective against intentional or accidental policy violations. Option C is wrong because enabling auditing for removable drive usage only logs events for review after the fact, it does not prevent unencrypted drives from being used or enforce encryption. Option D is wrong because enabling BitLocker on all laptops encrypts the system drives, not removable storage devices, and does not address the policy requirement for portable storage devices.

36
MCQmedium

An organization's security policy requires that all data at rest be encrypted. A database administrator objects, stating that encryption will degrade performance. What is the best response?

A.Remove the encryption requirement for databases.
B.Encrypt only the backup files, not the live database.
C.Use column-level encryption on sensitive columns only.
D.Implement transparent data encryption (TDE) to minimize performance impact.
AnswerD

TDE encrypts the entire database transparently with low overhead.

Why this answer

Transparent Data Encryption (TDE) encrypts data at rest at the storage layer, automatically encrypting data before it is written to disk and decrypting it when read into memory. This minimizes performance impact because encryption/decryption occurs outside the application logic and does not require schema changes, making it the best response to the DBA's concern while still meeting the policy requirement.

Exam trap

The trap here is that candidates may choose column-level encryption (Option C) thinking it is more targeted and thus less impactful, but they overlook that TDE is designed specifically to minimize performance impact by operating at the storage layer without requiring application changes.

How to eliminate wrong answers

Option A is wrong because removing the encryption requirement violates the security policy and leaves data at rest unprotected, which is not an acceptable response. Option B is wrong because encrypting only backup files leaves the live database unencrypted, failing to meet the policy's requirement that all data at rest be encrypted, and does not address the DBA's performance concern for the live database. Option C is wrong because column-level encryption can still cause significant performance overhead due to per-row encryption/decryption operations and requires application or schema changes, whereas TDE provides a more efficient, system-level solution.

37
MCQeasy

Refer to the exhibit. A security administrator notices repeated events with the same failure reason for the Administrator account. What is the MOST likely type of attack?

A.Spear phishing
B.Password spraying
C.Brute force
D.Denial of service
AnswerC

Multiple failed attempts for one account is characteristic of brute force.

Why this answer

Option A is correct because repeated failed logins for a single account indicate a brute force attack. Option B is wrong; password spraying uses many accounts with common passwords. Option C is wrong; phishing involves tricking users, not repeated login attempts.

Option D is wrong; DoS aims to disrupt service, not gain access.

38
MCQeasy

A system administrator needs to grant a temporary contractor access to a specific shared folder for two weeks. Which access control approach is most appropriate?

A.Create a new role with access to the folder and assign the contractor to that role
B.Create a temporary user account with an expiration date and grant NTFS permissions
C.Use mandatory access control (MAC) to enforce a security label for the contractor
D.Configure the folder with discretionary access control (DAC) and let the contractor request access
AnswerB

This provides time-limited access with minimal overhead.

Why this answer

Option B is correct because creating a temporary user account with an expiration date directly addresses the need for time-limited access. Granting NTFS permissions on the specific shared folder provides granular, least-privilege access control. This approach ensures the account is automatically disabled after two weeks, reducing administrative overhead and security risk.

Exam trap

The trap here is that candidates often choose role-based access control (RBAC) as a best practice, but fail to recognize that creating a new role for a single temporary user is an anti-pattern that violates role-based design principles and does not inherently enforce time limits.

How to eliminate wrong answers

Option A is wrong because creating a new role for a single temporary contractor violates the principle of role engineering—roles should be based on job functions, not individuals, and this approach adds unnecessary complexity without addressing the time limit. Option C is wrong because mandatory access control (MAC) uses system-wide security labels enforced by the operating system, which is overly rigid for a simple temporary access need and requires significant configuration overhead. Option D is wrong because discretionary access control (DAC) allows the resource owner to grant permissions, but relying on the contractor to request access introduces delays and lacks automatic expiration, leaving the folder exposed after the two-week period.

39
Multi-Selecteasy

Which TWO of the following are examples of administrative controls in a security program? (Choose two.)

Select 2 answers
A.Security policies
B.Firewall rules
C.Locks on server room doors
D.Employee background checks
E.Intrusion detection software
AnswersA, D

Policies are administrative directives.

Why this answer

Security policies (A) are administrative controls because they define the rules, responsibilities, and expected behaviors for users and administrators, forming the foundation of a security program. Employee background checks (D) are also administrative controls, as they are personnel vetting procedures that reduce insider risk and enforce trust before granting access. Both are non-technical, process-based measures that guide human actions rather than directly blocking or detecting threats.

Exam trap

ISC2 often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse firewall rules or intrusion detection software (both technical controls) with administrative controls because they are part of a security program, but they are not process-based or policy-driven.

40
Multi-Selectmedium

Which TWO of the following are valid reasons for implementing a separation of duties policy? (Choose two.)

Select 2 answers
A.To reduce the workload on individual employees.
B.To detect errors through independent verification.
C.To simplify training requirements.
D.To comply with regulatory requirements.
E.To prevent fraud by requiring collusion.
AnswersB, E

Having different people perform related tasks allows for error detection.

Why this answer

Separation of duties (SoD) is a security control that divides critical tasks among multiple individuals to prevent any single person from having excessive control. Option B is correct because independent verification is a core benefit: when one person performs a task and another reviews it, errors are more likely to be caught before they cause damage. This is especially important in financial transactions or system configuration changes where a single mistake could have significant consequences.

Exam trap

ISC2 often tests the distinction between compliance as a requirement versus a fundamental security reason; candidates mistakenly choose 'compliance' as a core reason when the question asks for the underlying security benefit.

41
Drag & Dropmedium

Drag and drop the steps for establishing a VPN using IPsec in tunnel mode into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec tunnel setup: IKE phase 1 (management SA), IKE phase 2 (IPsec SA), then apply to traffic.

42
Multi-Selecteasy

Which TWO of the following are examples of administrative controls? (Choose two.)

Select 2 answers
A.Firewall rules
B.Access control policies
C.Security awareness training
D.Security guards
E.Encryption of data at rest
AnswersB, C

Policies are administrative controls.

Why this answer

Access control policies (B) are administrative controls because they define the rules, procedures, and responsibilities for managing access to resources, forming the governance framework that guides technical and physical implementations. Security awareness training (C) is also an administrative control as it educates users on security policies and procedures, reducing human error and reinforcing organizational security culture.

Exam trap

The trap here is that candidates often confuse administrative controls with technical or physical controls, mistakenly selecting firewall rules or encryption because they are common security measures, but the SSCP exam specifically tests the distinction between administrative (policy/training), technical (software/hardware), and physical (guards/locks) control categories.

43
MCQeasy

A company wants to ensure that employees use strong passwords. Which policy is most effective?

A.Prohibit password reuse for the last 10 passwords.
B.Require password changes every 30 days.
C.Require a minimum password length of 12 characters.
D.Require a mix of uppercase, lowercase, numbers, and symbols.
AnswerC

Length is the most important factor for password strength.

Why this answer

Option C is correct because password length is the single most important factor in resistance to brute-force and rainbow table attacks. NIST SP 800-63B and industry best practices now recommend a minimum of 12–16 characters, as each additional character exponentially increases the keyspace. While complexity adds some entropy, a long passphrase is far more effective against modern GPU-based cracking than a short, complex password.

Exam trap

The trap here is that many candidates overvalue complexity (uppercase, numbers, symbols) because of legacy policies, but Cisco tests the modern NIST guidance that password length trumps complexity and periodic changes.

How to eliminate wrong answers

Option A is wrong because prohibiting reuse of the last 10 passwords does not prevent weak passwords from being chosen; it only prevents immediate repetition, and attackers can still crack a weak password if it is not in the history. Option B is wrong because forcing changes every 30 days often leads users to create predictable patterns (e.g., Password1!, Password2!) or write passwords down, reducing overall security; NIST now advises against arbitrary periodic expiration. Option D is wrong because requiring a mix of character types without a sufficient length is ineffective—a 6-character password with all four types has only ~2^36 possibilities, which can be brute-forced in minutes, whereas a 12-character lowercase-only password has ~2^56 possibilities, making length far more impactful than complexity alone.

44
MCQhard

During a security audit, it is discovered that a system administrator shared their personal credentials with a colleague to troubleshoot an issue after hours. This violates the company's policy regarding password sharing. Which control would BEST prevent this type of incident in the future?

A.Implement a two-person rule for administrative actions.
B.Enforce a stricter password complexity policy.
C.Require multifactor authentication for all systems.
D.Deploy a privileged access management (PAM) solution.
AnswerD

PAM allows temporary access without sharing credentials.

Why this answer

Option D is correct because a Privileged Access Management (PAM) solution provides temporary, audited access without sharing permanent credentials. Option A is wrong because a two-person rule is for dual control, not sharing prevention. Option B is wrong while MFA adds a layer, it does not prevent sharing of the first factor.

Option C is wrong because password complexity does not deter sharing. Option E is wrong because training is important but less effective than a technical control.

45
Matchingmedium

Match each network security device to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Filters traffic based on rules

Monitors and alerts on suspicious activity

Blocks malicious traffic in real-time

Manages encrypted tunnels

Why these pairings

These devices are commonly used in network security.

46
MCQeasy

Refer to the exhibit. What does this event indicate?

A.A successful logon for the Administrator account.
B.An interactive logon failure for the Administrator account.
C.The Administrator account is locked out.
D.A failed logon attempt for the Administrator account from the network.
AnswerD

The event shows a failed logon for Administrator via network (logon type 3).

Why this answer

The event shows a logon failure with a status code indicating the account is disabled or locked, but the exhibit specifically references a network logon (logon type 3) for the Administrator account. Option D is correct because the failure is from the network, not interactive or locked out, and the event ID 4625 with logon type 3 indicates a failed network logon attempt.

Exam trap

The trap here is that candidates confuse a failed logon with an account lockout, or misinterpret logon type 3 as interactive, because they focus on the 'Administrator' account name rather than the logon type and status code details.

How to eliminate wrong answers

Option A is wrong because the event is a failure (event ID 4625), not a success (event ID 4624). Option B is wrong because logon type 3 indicates a network logon, not an interactive logon (logon type 2 or 10). Option C is wrong because a locked-out account would show a specific status code like 0xC0000234, not the generic failure code in the exhibit; the event does not indicate lockout.

47
MCQeasy

Which of the following is the primary purpose of a security awareness program?

A.To teach employees about security best practices and reduce human error.
B.To evaluate the effectiveness of security technologies.
C.To enforce security policies through penalties.
D.To train employees on advanced technical security skills.
AnswerA

This is the core purpose of awareness programs.

Why this answer

The primary purpose of a security awareness program is to educate employees on security best practices and reduce human error, which is the leading cause of security incidents. Unlike technical controls, awareness programs target the human element by teaching users to recognize phishing attempts, handle sensitive data properly, and follow secure behaviors. This aligns with the NIST SP 800-50 framework, which defines awareness as a foundational component of an organizational security posture.

Exam trap

ISC2 often tests the distinction between 'awareness' (general, non-technical education for all users) and 'training' (in-depth, role-specific technical instruction), so candidates mistakenly choose D when they confuse the scope of awareness programs with advanced technical training.

How to eliminate wrong answers

Option B is wrong because evaluating the effectiveness of security technologies is the purpose of security testing and assessment (e.g., vulnerability scanning, penetration testing), not a security awareness program. Option C is wrong because enforcing security policies through penalties is a function of policy enforcement and disciplinary procedures, not the primary goal of awareness, which is education and behavior change. Option D is wrong because training employees on advanced technical security skills is the domain of specialized technical training (e.g., for IT staff), whereas awareness programs target all employees with general, non-technical knowledge.

48
MCQmedium

A security administrator notices that a critical server's event log shows repeated failed login attempts from an internal IP address that normally does not generate any traffic. The administrator immediately blocks the IP at the firewall and resets the account password. However, the incident response team later determines that the attacker had already gained access to the server. What is the MOST likely reason the administrator's actions were insufficient?

A.The administrator did not preserve the log evidence for forensic analysis.
B.The administrator neglected to perform a full system scan for malware.
C.The administrator did not isolate the server from the network.
D.The administrator failed to notify the data owner about the incident.
AnswerC

Isolation prevents further access and contains the threat.

Why this answer

Option B is correct because isolating the server would have prevented further access by the attacker and preserved evidence. Option A is wrong because preserving logs is important but not the primary reason the actions were insufficient. Option C is wrong because a full system scan is a later step after containment.

Option D is wrong because notifying the data owner is an administrative step that does not directly address the security breach.

49
MCQeasy

A university's IT department manages a network used by students and faculty. The security team notices an unusual increase in outbound traffic from the student dormitory network during late hours. Upon investigation, they discover that several student laptops are infected with malware that is attempting to connect to external command-and-control (C2) servers. The team needs to contain the incident quickly while minimizing impact on legitimate users. Which of the following is the BEST immediate containment measure?

A.Shut down the entire dormitory network
B.Disconnect the infected laptops from the network and take them offline for remediation
C.Block all outbound traffic from the dormitory subnet
D.Update the antivirus definitions on the infected laptops
AnswerB

This isolates the threat specifically, preserving network functionality for others.

Why this answer

Isolating the infected devices from the network stops the C2 communication and prevents further spread, while allowing other users to continue working. Option A may block all students; C is disruptive to everyone; D does not stop communication.

50
MCQmedium

A system administrator notices that a user's account has been locked out multiple times within an hour. The admin reviews the logs and finds repeated failed login attempts from an unusual IP address. What is the BEST immediate action to mitigate further risk?

A.Disable the user account
B.Delete the failed login log entries
C.Implement a firewall rule to block the IP address
D.Reset the user's password
AnswerA

Disabling the account immediately stops further authentication attempts, preventing unauthorized access.

Why this answer

Disabling the account stops any further unauthorized access while the situation is investigated. Option A is a weak password after lockout; B removes logs needed for investigation; D misidentifies the issue as a DoS attack.

51
MCQmedium

A security administrator needs to ensure that only authorized personnel can reset user passwords in Active Directory. Which of the following is the BEST method to delegate this responsibility without granting unnecessary privileges?

A.Place the personnel in the Account Operators group.
B.Add the personnel to the Domain Admins group.
C.Use Delegation of Control wizard to assign the 'Reset user passwords and force password change at next logon' permission.
D.Give the personnel physical access to the domain controller.
AnswerC

This provides exactly the needed permission without extra rights.

Why this answer

The Delegation of Control wizard allows granular assignment of specific Active Directory permissions, such as 'Reset user passwords and force password change at next logon', without granting broader administrative rights. This follows the principle of least privilege by limiting the delegated personnel to only the necessary task. Option C is correct because it directly addresses the requirement with a built-in, secure delegation mechanism.

Exam trap

The trap here is that candidates often assume built-in groups like Account Operators are the simplest delegation method, overlooking that they grant far more permissions than the specific task requires, which is a common violation of the principle of least privilege tested on the SSCP.

How to eliminate wrong answers

Option A is wrong because the Account Operators group can create, delete, and modify most user accounts and groups, which includes the ability to reset passwords but also grants excessive privileges beyond the required task. Option B is wrong because Domain Admins have full administrative control over the entire domain, including all user and computer objects, which is far more privilege than needed and violates least privilege. Option D is wrong because physical access to a domain controller does not inherently grant the ability to reset passwords; it could allow unauthorized actions but is not a controlled delegation method and introduces significant security risks.

52
MCQmedium

A security team is investigating a potential data exfiltration incident. They notice that a large amount of data was transferred to an external IP address during off-hours. What should be the first step?

A.Notify senior management of the incident.
B.Block the external IP address at the firewall.
C.Analyze the data transfer logs to determine the scope.
D.Isolate the affected system from the network.
AnswerD

Isolation stops the exfiltration immediately.

Why this answer

Option D is correct because the immediate priority in a suspected data exfiltration incident is to contain the threat and prevent further data loss. Isolating the affected system from the network stops ongoing communication with the external IP address, preserving the system state for forensic analysis. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

The trap here is that candidates often choose to block the external IP (Option B) thinking it stops the attack, but Cisco tests the principle that containment must be at the host level to prevent the attacker from pivoting or using alternate C2 channels.

How to eliminate wrong answers

Option A is wrong because notifying senior management is a later step in the incident response process; the first action must be technical containment to stop the exfiltration. Option B is wrong because blocking the external IP address at the firewall does not stop the compromised system from using other IPs or protocols, and it may alert the attacker, destroying forensic evidence. Option C is wrong because analyzing data transfer logs to determine scope is part of the investigation phase, which should occur after containment to avoid further data loss while logs are being reviewed.

53
Multi-Selectmedium

Which TWO of the following are types of intrusion detection systems (IDS) based on the detection method?

Select 2 answers
A.Anomaly-based IDS
B.Host-based IDS
C.Rule-based IDS
D.Signature-based IDS
E.Network-based IDS
AnswersA, D

Detects deviations from baseline behavior.

Why this answer

Options B and D are correct. Signature-based detection matches known patterns, and anomaly-based detection identifies deviations from normal behavior. Option A is wrong because network-based refers to placement, not detection method.

Option C is wrong because host-based is also placement. Option E is wrong because rule-based is a subset of signature-based.

54
MCQmedium

A security administrator is reviewing backup procedures for a database server. The current backup policy mandates a full backup every Sunday and differential backups Tuesday through Friday. On Wednesday, a failure occurs, and the database is lost. The last successful full backup was completed on Sunday, and the last differential backup was completed on Tuesday. How many backup sets are needed to restore the database to its state as of Tuesday?

A.4
B.3
C.2
D.1
AnswerC

Full backup plus the latest differential backup.

Why this answer

To restore the database to its state as of Tuesday, you need the last full backup (Sunday) and the last differential backup (Tuesday). A differential backup contains all changes since the last full backup, so applying the Tuesday differential to the Sunday full backup recovers all data up to Tuesday. The Wednesday failure does not affect the Tuesday state, and no other backups are required.

Exam trap

The trap here is confusing differential backups with incremental backups, leading candidates to think they need all backups from Sunday through Tuesday (3 or 4 sets), when differential backups only require the last full and the most recent differential.

How to eliminate wrong answers

Option A is wrong because 4 backup sets would be needed only if you were using incremental backups (which require all backups since the last full), but the policy uses differential backups. Option B is wrong because 3 backup sets would be needed if you had to restore from Sunday full, Tuesday differential, and Wednesday differential (if it existed), but the Wednesday backup was never completed. Option D is wrong because 1 backup set (only the full backup) would restore the database to Sunday's state, not Tuesday's state, missing the changes captured in the Tuesday differential.

55
MCQmedium

A company's security policy requires that employees must change their passwords every 60 days. However, help desk tickets show that many users are locked out after forgetting their new passwords. Which of the following would BEST balance security and usability?

A.Require users to use a password manager
B.Extend the password change interval to 90 days
C.Disable account lockout after failed attempts
D.Implement single sign-on (SSO) for all applications
AnswerD

SSO reduces password fatigue and thus forgotten passwords.

Why this answer

Single sign-on (SSO) reduces the number of passwords users must remember to one set of credentials, which decreases the likelihood of forgotten passwords and lockouts. By centralizing authentication, SSO allows the organization to enforce a strong password policy (e.g., 60-day rotation) while improving usability, as users only need to manage a single password. This balances security (centralized control, stronger authentication) with usability (fewer password resets).

Exam trap

The trap here is that candidates may choose to extend the password change interval (Option B) thinking it reduces user burden, but the SSCP exam emphasizes that usability improvements must not weaken security controls like password rotation frequency or account lockout policies.

How to eliminate wrong answers

Option A is wrong because requiring a password manager does not reduce the number of passwords users must remember or change; it only stores them, and users may still forget the master password or fail to update stored passwords, leading to continued lockouts. Option B is wrong because extending the password change interval to 90 days reduces security by increasing the window of exposure for compromised credentials, and it does not address the root cause of forgotten passwords (users still have multiple passwords to remember). Option C is wrong because disabling account lockout removes a critical security control that prevents brute-force attacks, violating security policy and increasing risk of unauthorized access.

56
MCQeasy

A network administrator implements the firewall rules above. What is the effect of this rulebase?

A.HTTP and HTTPS traffic from all networks is blocked
B.HTTP and HTTPS traffic from the 10.0.0.0/8 network is allowed
C.All traffic from the 10.0.0.0/8 network is blocked
D.The deny rule is redundant because permit rules exist
AnswerB

The permit rules (1 and 2) are listed before the deny rule, so they match first.

Why this answer

Option A is correct because the permit rules come before the deny rule; traffic from the 10.0.0.0/8 network is explicitly denied by Rule 3, but only after being permitted by Rules 1 and 2? Actually, firewall rules are processed top-down; first match applies. So for a web request from 10.0.1.1 to destination port 80, Rule 1 matches and permits it, so the deny rule is not evaluated. Therefore, traffic from the 10.0.0.0/8 network is allowed for HTTP and HTTPS because the permit rules are first.

Option B is wrong because it ignores rule order. Option C is wrong because the rules are not redundant. Option D is wrong because traffic to other ports is implicitly denied (default deny), but the question asks about effect.

57
Multi-Selecthard

Which THREE of the following are appropriate techniques for securely disposing of magnetic hard disk drives that contain sensitive data? (Choose three.)

Select 3 answers
A.Low-level format
B.Shredding
C.Quick format
D.Overwriting with random patterns
E.Degaussing
AnswersB, D, E

Physical destruction renders the drive unreadable.

Why this answer

Shredding (B) physically destroys the platters, making data recovery impossible regardless of the magnetic state. This is a definitive disposal method for sensitive data on magnetic hard disk drives.

Exam trap

The trap here is that candidates often confuse 'low-level format' or 'quick format' with secure erasure, not realizing these methods leave recoverable data on the platters.

58
MCQmedium

A company experiences a security breach where an attacker gained access to the network through a compromised vendor account. Which of the following controls would have BEST prevented this attack?

A.Install a network-based intrusion detection system.
B.Require vendors to sign an NDA.
C.Create a separate VLAN for vendor access.
D.Enable multi-factor authentication for vendor accounts.
AnswerD

MFA makes it harder for attackers to use stolen credentials.

Why this answer

Multi-factor authentication (MFA) for vendor accounts is the best preventive control because it adds an additional layer of security beyond just a password. Even if the attacker compromises the vendor's credentials, MFA requires a second factor (e.g., a one-time code from a token or biometric) to authenticate, effectively blocking unauthorized access. This directly addresses the attack vector of credential theft, which was the root cause of the breach.

Exam trap

The trap here is that candidates often confuse network segmentation (VLANs) with access control, mistakenly believing that isolating vendor traffic on a separate VLAN prevents credential-based attacks, when in fact VLANs do not authenticate users or validate the legitimacy of the account being used.

How to eliminate wrong answers

Option A is wrong because a network-based intrusion detection system (NIDS) is a detective control that monitors traffic for suspicious patterns after the attack has begun, not a preventive control that stops initial access via compromised credentials. Option B is wrong because a non-disclosure agreement (NDA) is a legal contract that addresses confidentiality after access is granted, not a technical control that prevents unauthorized access through a compromised account. Option C is wrong because creating a separate VLAN for vendor access segments network traffic but does not prevent an attacker from using stolen credentials to authenticate into that VLAN; VLANs provide network isolation, not authentication security.

59
MCQmedium

A new employee needs access to the CRM, email, and file servers. The security policy requires that access privileges are granted based on job function. Which process should be used?

A.The employee completes a request form detailing the access they need
B.The IT department grants full access to all systems and later reviews
C.The identity management team assigns the employee to a role that includes the necessary permissions
D.The employee's supervisor decides which access is appropriate and informs IT
AnswerC

Role-based access control aligns with job functions.

Why this answer

Option C is correct because role-based access control (RBAC) assigns permissions based on job functions, not individual requests or ad-hoc approvals. By placing the employee into a predefined role (e.g., 'Sales Rep'), the identity management team ensures that the CRM, email, and file server permissions are granted consistently and in compliance with the security policy. This process enforces the principle of least privilege and simplifies auditing.

Exam trap

The trap here is that candidates often choose the supervisor's approval (Option D) because it seems logical, but the SSCP exam emphasizes automated role-based assignment over manual approval to enforce consistent, policy-driven access control.

How to eliminate wrong answers

Option A is wrong because allowing the employee to self-select access needs violates the principle of least privilege and bypasses the job-function-based policy; it introduces risk of over-provisioning. Option B is wrong because granting full access upfront and reviewing later is a 'trust but verify' model that contradicts the security policy's requirement to grant access based on job function, and it creates a window of excessive privilege. Option D is wrong because while the supervisor may understand the role, the decision should be automated through role assignment rather than relying on a manual, subjective decision that could lead to inconsistent or excessive permissions.

60
MCQmedium

You work for a hospital that has recently transitioned to an electronic health record (EHR) system. The system stores protected health information (PHI) and must comply with HIPAA. The hospital's security policy requires that all access to PHI be logged and that any unauthorized access be detected promptly. The IT department has implemented logging on the EHR system, but the security team is overwhelmed by the volume of logs and cannot review them in a timely manner. Additionally, there have been incidents where employees accessed patient records without a legitimate need, but these were only discovered months later during random audits. The hospital needs to improve its detection capabilities. Which of the following is the most effective solution?

A.Deploy a Security Information and Event Management (SIEM) system with automated alerting.
B.Retain logs for a longer period to allow more thorough audits.
C.Assign additional staff to manually review logs on a daily basis.
D.Increase the verbosity of logging to capture more details.
AnswerA

SIEM aggregates logs, detects anomalies, and alerts in real time, improving detection.

Why this answer

A SIEM system aggregates logs from the EHR system and applies correlation rules to detect patterns indicative of unauthorized access, such as an employee viewing records outside their department or during off-hours. It generates real-time alerts, enabling the security team to respond promptly rather than relying on manual log review. This directly addresses the problem of being overwhelmed by log volume and delayed detection.

Exam trap

The trap here is that candidates may think increasing log verbosity or retention improves detection, but without automated analysis, more data only worsens the signal-to-noise ratio and delays incident discovery.

How to eliminate wrong answers

Option B is wrong because retaining logs for a longer period does not improve detection speed; it only preserves evidence for later audits, which still occur months after the incident. Option C is wrong because assigning additional staff to manually review logs is not scalable and would still be overwhelmed by the high volume of logs, leading to delayed or missed detections. Option D is wrong because increasing log verbosity would generate even more log data, exacerbating the existing problem of log overload without providing automated analysis or alerting.

61
MCQeasy

A security analyst is reviewing the access control policy and notices that some users have been granted 'write' access to a directory that contains sensitive financial reports. Which principle of information security is being violated?

A.Non-repudiation
B.Least privilege
C.Availability
D.Confidentiality
AnswerB

Granting more access than needed violates least privilege.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. Granting 'write' access to a directory containing sensitive financial reports to users who do not require that level of access violates this principle, as it introduces unnecessary risk of unauthorized modification or data leakage.

Exam trap

The trap here is that candidates may confuse the violation of least privilege with a breach of confidentiality, but the question specifically highlights the granting of unnecessary write permissions, which is a direct violation of the least privilege principle, not merely a confidentiality issue.

How to eliminate wrong answers

Option A is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures or audit logs, and is not directly related to the level of access granted. Option C is wrong because availability ensures that systems and data are accessible when needed, often addressed through redundancy and fault tolerance, not by restricting write permissions. Option D is wrong because confidentiality protects data from unauthorized disclosure, which is a concern here, but the specific violation described is the granting of excessive permissions (write access) rather than the exposure of data itself; the core principle being violated is least privilege, not confidentiality.

62
Multi-Selecthard

Which THREE of the following are essential elements of an effective incident response plan? (Choose three.)

Select 3 answers
A.Containment, eradication, and recovery
B.Detection and analysis
C.Public relations and media notification
D.Cyber insurance purchasing
E.Preparation and training
AnswersA, B, E

These steps limit damage, remove threats, and restore operations.

Why this answer

The incident response plan lifecycle, as defined by NIST SP 800-61, includes four core phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Options A, B, and E directly map to these essential phases, ensuring the organization can detect an incident, contain it to prevent spread, eradicate the root cause, recover normal operations, and continuously improve through training and preparation.

Exam trap

The trap here is that candidates confuse supporting activities (like PR or insurance) with the mandatory operational phases defined in the NIST incident response lifecycle, leading them to select non-essential business functions instead of the core technical steps.

63
MCQmedium

A company's VPN logs show that a user's account authenticated from two different geographic locations within a span of 10 minutes. The distances between locations make physical travel impossible. The security team investigates and finds that the user's password is complex and not shared. What is the MOST likely explanation?

A.The VPN server has a configuration error causing incorrect location logging.
B.The user's session token was stolen and used by an attacker.
C.The user's account is being used by multiple people with permission.
D.The user is using a VPN service to mask their true location.
AnswerB

A stolen session token allows reuse from a different location.

Why this answer

Option D is correct because the session token was likely stolen and reused from a different location. Option A is wrong; if the user used a VPN, their VPN connection would show one IP. Option B is wrong; a configuration error would affect multiple users.

Option C is wrong; multiple people using the account would imply password sharing, which is denied.

64
MCQhard

An organization is migrating from on-premises servers to a cloud IaaS model. The security team must ensure that virtual machine (VM) images are hardened before deployment. Which of the following is the MOST effective control to ensure consistency and compliance with security baselines?

A.Perform vulnerability scans on each VM after deployment
B.Apply the latest OS patches to each VM immediately after deployment
C.Create a golden image that is hardened and approved for use, and deploy VMs from that image
D.Train administrators on hardening procedures and rely on manual configuration
AnswerC

A golden image enforces a consistent secure baseline from the start.

Why this answer

Creating a golden image that is hardened and approved for use ensures that every VM deployed from it inherits a consistent, pre-configured security baseline. This approach eliminates configuration drift and manual errors by baking security controls into the image before deployment, making it the most effective control for consistency and compliance.

Exam trap

The trap here is that candidates often choose vulnerability scanning or patching because they focus on security after deployment, missing the core principle that proactive, immutable infrastructure via golden images is the most reliable way to enforce consistent baselines at scale.

How to eliminate wrong answers

Option A is wrong because performing vulnerability scans after deployment is a detective control, not a preventive one; it identifies issues but does not ensure consistent hardening across all VMs. Option B is wrong because applying patches after deployment is reactive and does not guarantee that other hardening configurations (e.g., registry settings, service disabling, group policies) are consistently applied. Option D is wrong because relying on manual configuration by administrators introduces human error and inconsistency, making it impossible to maintain a uniform security baseline across multiple VMs.

65
MCQmedium

A security analyst notices that an employee's account has been sending large amounts of data to an external IP address during non-business hours. The analyst suspects the employee's credentials have been compromised. What is the FIRST step the analyst should take according to incident response procedures?

A.Block the external IP address at the firewall.
B.Disable the employee's user account.
C.Contact law enforcement.
D.Inform the employee's manager.
AnswerB

This contains the incident by stopping the unauthorized activity.

Why this answer

Option A is correct because disabling the account immediately stops the malicious activity. Option B is wrong; blocking the IP may not stop the attacker if they have other methods. Option C is wrong; informing the manager is important but not the first action.

Option D is wrong; contacting law enforcement is premature.

66
Multi-Selectmedium

Which TWO of the following are essential steps in a security incident response process according to the SSCP common body of knowledge? (Select the two best answers.)

Select 2 answers
A.Vulnerability scanning
B.Penetration testing
C.Eradication
D.Identification
E.Risk assessment
AnswersC, D

Eradication involves removing the incident artifacts and is a key phase.

67
MCQeasy

A small business has 50 employees and uses a cloud-based email service. The IT manager receives a report that several employees have been receiving phishing emails that appear to come from the company's CEO. The emails request that employees purchase gift cards and send the codes urgently. Two employees have already complied, losing $500 total. The manager wants to prevent this from recurring. The company has a limited budget and no dedicated security staff. Which of the following actions should the manager take FIRST?

A.Create a policy prohibiting gift card purchases
B.Enable multi-factor authentication (MFA) on the CEO's email account
C.Conduct security awareness training for all employees
D.Set up email filtering rules to block emails with the CEO's name
AnswerB

MFA significantly reduces the risk of account takeover, which is the source of these phishing emails.

Why this answer

Implementing multi-factor authentication (MFA) on the CEO's account prevents attackers from using stolen credentials to send phishing emails. Option A is training, which is important but does not stop the current vector; B is a long-term policy; D is a technical control but does not prevent the initial account compromise.

68
Multi-Selecthard

Which THREE of the following are key objectives of data classification?

Select 3 answers
A.Identify and protect sensitive information
B.Reduce storage costs by identifying duplicate data
C.Establish a foundation for risk management decisions
D.Determine the encryption algorithm to use
E.Comply with legal and regulatory requirements
AnswersA, C, E

Classification determines sensitivity and required protections.

Why this answer

Data classification is a foundational security control that directly supports the identification and protection of sensitive information. By categorizing data based on its sensitivity and criticality, organizations can apply appropriate security controls, such as access controls and encryption, to safeguard confidential data from unauthorized disclosure or modification.

Exam trap

ISC2 often tests the distinction between the objectives of data classification and the subsequent actions or technologies that classification enables, leading candidates to mistakenly select options like 'determine encryption algorithm' as a direct objective.

69
Multi-Selecthard

Which THREE of the following are valid methods for enforcing separation of duties in an IT environment? (Select the three best answers.)

Select 3 answers
A.Sharing administrative passwords among team members
B.Having the same person approve and implement a change
C.Implementing a two-person rule for critical changes
D.Monitoring and logging all privileged actions
E.Using role-based access control (RBAC) to assign permissions
AnswersC, D, E

The two-person rule requires approval from a second person, enforcing separation.

Why this answer

Option C is correct because the two-person rule requires two authorized individuals to perform a critical change, ensuring that no single person has both the authority and the ability to execute a high-risk action. This directly enforces separation of duties by dividing the task into two distinct roles, such as one person approving and another implementing the change, which prevents fraud or errors from a single compromised account.

Exam trap

The trap here is that candidates may confuse monitoring and logging (Option D) as a direct enforcement method rather than a detective control, or think that RBAC (Option E) alone enforces separation of duties without considering that RBAC must be combined with workflow rules to prevent role conflicts.

70
MCQhard

An organization uses role-based access control (RBAC). After a merger, a user account from the acquired company is migrated into the parent company's domain. The user is assigned to multiple roles, but is unable to access a critical application that requires a specific role. The administrator verified that the user's account is enabled and the application server is reachable. What is the MOST likely cause?

A.The user's group memberships are conflicting with the required role.
B.The user's account was not assigned the required role.
C.There is a firewall rule blocking traffic from the user's IP range.
D.The application's session timeout is set too low.
AnswerB

Without the role, the user lacks the necessary permissions.

Why this answer

In RBAC, access is granted based on the roles explicitly assigned to a user account. Since the administrator confirmed the account is enabled and the application server is reachable, the most likely cause is that the required role was not assigned to the migrated user. Without that role assignment, the user lacks the necessary permissions to access the critical application, regardless of other roles held.

Exam trap

The trap here is that candidates may assume group membership conflicts (Option A) cause access denial in RBAC, but RBAC roles are independent and additive—conflicts do not occur; the real issue is the missing role assignment.

How to eliminate wrong answers

Option A is wrong because RBAC does not have conflicting group memberships; roles are additive and do not conflict with each other—if the required role were assigned, access would be granted. Option C is wrong because the administrator verified the application server is reachable, which implies network connectivity is not blocked; a firewall rule would prevent reachability, not just application access. Option D is wrong because a low session timeout would cause the user to be logged out after inactivity, not prevent initial access to the application.

71
MCQhard

A security engineer is configuring a firewall to block all inbound traffic except for specific services. Which of the following design principles is being applied?

A.Separation of duties
B.Default deny
C.Defense in depth
D.Least privilege
AnswerD

Least privilege ensures entities have only the access needed to perform their functions.

Why this answer

The correct answer is D, Least Privilege, because the security engineer is configuring the firewall to block all inbound traffic except for specific services. This aligns with the principle of least privilege, which dictates that only the minimum necessary access should be granted—in this case, only allowing specific services through while denying everything else by default. The firewall rule set explicitly permits only required ports (e.g., TCP/443 for HTTPS) and implicitly denies all other traffic, ensuring that no unnecessary access is permitted.

Exam trap

The trap here is that candidates confuse the 'default deny' mechanism (a firewall policy stance) with the 'least privilege' design principle, but the question asks for the overarching principle, not the specific implementation method.

How to eliminate wrong answers

Option A is wrong because separation of duties is a control designed to prevent fraud or error by requiring multiple individuals to complete a sensitive task (e.g., one person configures the firewall, another audits the rules), not a principle about traffic filtering. Option B is wrong because default deny is a specific firewall policy stance (deny all traffic unless explicitly allowed), not a design principle; the question asks for the principle being applied, and default deny is a mechanism that implements least privilege. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewall, IDS, antivirus), not a single firewall configuration that blocks all inbound traffic except specific services.

72
MCQeasy

A company has 200 employees using a Windows Active Directory environment. The security administrator receives multiple alerts that user accounts are being locked out every 15 minutes. The help desk confirms that users who report the issue are able to log in successfully after unlocking their accounts, but they get locked out again shortly after. The administrator checks the domain controller security logs and sees many failed logon attempts with a specific service account name 'svc_backup' from multiple workstations. The svc_backup account is used for a backup application that runs scheduled tasks. What should the administrator do to resolve the issue?

A.Disable the svc_backup account until the backup vendor releases a patch
B.Change the password for svc_backup and update the backup application with the new password
C.Create a new service account with a different name and grant it the same permissions
D.Increase the account lockout threshold to prevent lockouts
AnswerB

This resolves the root cause - the service account's password is likely stale or incorrect, causing repeated authentication failures.

Why this answer

The repeated lockouts are caused by a service account (svc_backup) being used with an incorrect or expired password. The most effective solution is to reset the password for that account and update it in the backup application. Disabling the account or increasing the lockout threshold does not fix the root cause.

Creating a new account without addressing the password mismatch will not stop the current account from being used.

73
MCQhard

Refer to the exhibit. A systems administrator configures this Group Policy setting. What is the direct consequence?

A.Members of Backup Operators cannot connect to the server using Remote Desktop.
B.Members of Backup Operators are prohibited from local console logon.
C.Members of Backup Operators can connect via Remote Desktop.
D.Members of Backup Operators are prevented from using any remote access method.
AnswerA

The deny setting explicitly blocks RDP access for that group.

Why this answer

Option C is correct because the 'Deny log on through Remote Desktop Services' policy explicitly prevents the specified group from using RDP. Option A is wrong because the policy denies, not allows. Option B is wrong because it affects only Remote Desktop, not console.

Option D is wrong because it does not affect other remote access methods like SSH unless specifically configured.

74
MCQhard

A company implements a new policy requiring all privileged access requests to be approved by a manager. However, after deployment, analysts report that they cannot perform emergency changes outside business hours. What is the best solution?

A.Extend manager on-call hours to cover all times.
B.Implement a break-glass procedure for emergency access.
C.Remove the approval requirement for privileged access.
D.Require analysts to call a manager for approval each time.
AnswerB

Break-glass allows temporary privileged access with post-event review, balancing security and availability.

Why this answer

Option B is correct because a break-glass procedure provides a predefined, auditable method for granting emergency privileged access without requiring real-time manager approval. This balances security with operational continuity, allowing analysts to perform critical changes outside business hours while maintaining accountability through post-event review and logging.

Exam trap

The trap here is that candidates may choose option A (extending on-call hours) thinking it solves the availability issue, but they fail to recognize that it does not address the fundamental need for immediate, unattended access during emergencies, which is the core purpose of a break-glass procedure.

How to eliminate wrong answers

Option A is wrong because extending manager on-call hours does not eliminate the approval bottleneck; it only shifts the coverage window, potentially leading to delays or burnout without a guaranteed response. Option C is wrong because removing the approval requirement for privileged access eliminates necessary oversight, violating the principle of least privilege and increasing the risk of unauthorized changes. Option D is wrong because requiring analysts to call a manager for approval each time outside business hours creates a single point of failure and introduces unacceptable delays for emergency changes, undermining operational resilience.

75
Multi-Selectmedium

Which TWO of the following are key components of a security awareness program?

Select 2 answers
A.User training on password policies
B.Regular phishing simulations
C.Incident response drills
D.Quarterly vulnerability scans
E.Annual penetration testing
AnswersA, B

Training users on strong password creation and management is a core awareness component.

Why this answer

A security awareness program focuses on educating users about security policies and threats. Phishing simulations test user vigilance, and password policy training reinforces good practices. Vulnerability scans and penetration tests are technical controls, not awareness components.

Incident response drills involve technical teams, not general user awareness.

Page 1 of 2 · 79 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Security Ops Admin questions.