Sample questions
Systems Security Certified Practitioner SSCP practice questions
A company has implemented a new vulnerability scanner and the first scan reports 200 vulnerabilities. The security team needs to prioritize remediation. Which approach should they use first?
- A. Remediate only vulnerabilities that are exploitable from the internet
Why wrong: While internet exposure matters, this approach can miss high-severity vulnerabilities that are reachable internally.
- B. Wait for the next scan to confirm the results before action
Why wrong: Delaying remediation increases risk; findings should be triaged promptly.
- C. Prioritize based on CVSS score, starting with critical and high severity
Correct: CVSS scores provide a standardized severity rating; addressing critical and high findings first aligns with risk management.
- D. Remediate all vulnerabilities in alphabetical order by CVE ID
Why wrong: Alphabetical order ignores severity and risk.
A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address against an administrative account. The SIEM has not generated an alert. Which configuration change would best detect this scenario?
- A. Enable signature-based detection on the IDS
Why wrong: A signature-based IDS detects known attack patterns; repeated failed logins are not a signature match unless combined with other indicators.
- B. Implement a host-based IDS on the server
Why wrong: A HIDS monitors system calls and file integrity on one host; it is not the most direct way to alert on failed logins across the network.
- C. Create a SIEM correlation rule to alert on multiple failed logins from the same source
Correct: A correlation rule aggregates failed login events and triggers an alert when a threshold is met, which directly addresses the scenario.
- D. Increase log retention to 1 year
Why wrong: Longer retention helps with forensics but does not proactively alert on failed login attempts.
A security manager is evaluating log sources for a SIEM implementation. Which THREE of the following are considered log types that should be included?
- A. Security logs
Correct: Security logs record security events such as logins.
- B. System logs
Correct: System logs record operating system events.
- C. Network logs
Why wrong: Network logs are also important and often included, but they are not treated as a separate standard log type in this question.
- D. Physical access logs
Why wrong: Physical access logs are not typically part of standard SIEM log management unless specifically needed.
- E. Application logs
Correct: Application logs record application-specific events.
A vulnerability scanner reports a medium-severity finding on a server. After investigation, the security team determines that the vulnerability is not exploitable due to existing compensating controls. How should this finding be classified in the vulnerability management process?
- A. True positive
Why wrong: A true positive means the vulnerability is real and exploitable.
- B. Risk acceptance
Why wrong: Risk acceptance is a treatment decision, not a classification of a finding.
- C. False positive
Correct: A false positive indicates that the scanner reported a vulnerability that is not actually exploitable.
- D. False negative
Why wrong: A false negative means a real vulnerability was missed.
During a qualitative risk analysis, an organization rates the likelihood of a flood as 'Low' and the impact as 'High'. Using a standard 3x3 risk matrix, what is the overall risk rating?
- A. High
Why wrong: A High rating requires a combination such as high likelihood with high impact; a low likelihood does not reach it.
- B. Critical
Why wrong: Critical is not a rating in a standard 3x3 matrix, whose ratings are typically Low, Medium and High.
- C. Medium
Correct: Low likelihood combined with High impact maps to Medium risk in most qualitative matrices.
- D. Low
Why wrong: A Low rating would require both low likelihood and low impact.
A security analyst is tuning a SIEM to reduce false positives. Which of the following actions is most likely to reduce false positives while maintaining detection of real threats?
- A. Increase the severity of all alerts to high
Why wrong: This does not reduce false positives; it desensitizes analysts to alerts.
- B. Modify correlation rules to require multiple events before alerting
Correct: Requiring multiple events removes single-event false positives and improves the signal-to-noise ratio.
- C. Disable all anomaly-based detection rules
Why wrong: This eliminates anomaly detection entirely and could miss novel threats.
- D. Create a whitelist for known benign IP addresses
Why wrong: Whitelisting reduces noise but would miss threats coming from a whitelisted address if that host is compromised.
Which of the following is a technical threat source that could lead to a security breach?
- A. Software bug
Correct: Software bugs are technical threat sources.
- B. Disgruntled employee
Why wrong: A disgruntled employee is a human (intentional) threat source.
- C. Configuration weakness
Why wrong: A configuration weakness is a vulnerability source, not a threat source.
- D. Flood
Why wrong: A flood is an environmental threat source, not a technical one.
During a vulnerability scan, a tool reports a critical vulnerability on a web server. The system owner claims it is a false positive because the server is not accessible from the internet. However, the server is accessible from the internal network. What is the best course of action?
- A. Accept the risk and close the finding
Why wrong: Acceptance should be a formal decision made after assessing the internal risk; assuming the server is safe because it is not internet-facing is insufficient.
- B. Ignore the finding as the vulnerability scanner is known for false positives
Why wrong: Ignoring a finding without verification is poor practice; even a scanner known for false positives produces true positives.
- C. Remove the server from the network to eliminate the risk
Why wrong: This is an overly drastic response; the server may be needed for business operations.
- D. Verify the vulnerability manually and if confirmed, remediate according to internal risk
Correct: Manual verification confirms whether the finding is a true positive; if it is, remediation should be prioritized according to the internal risk.
Which type of IDS monitors network traffic at a specific network segment and analyzes packets for malicious patterns?
- A. NIDS
Correct: A network-based IDS monitors traffic on a network segment and analyzes packets for malicious patterns.
- B. HIDS
Why wrong: A host-based IDS monitors activity on a single host.
- C. UBA
Why wrong: User Behavior Analytics focuses on user activity, not network packets.
- D. SIEM
Why wrong: A SIEM aggregates logs from multiple sources; it is not primarily an IDS.
During a risk assessment, a company identifies that a legacy system cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk response strategy is most appropriate initially?
- A. Avoid the risk by decommissioning the system immediately
Why wrong: Decommissioning would eliminate the risk but could disrupt critical business operations.
- B. Transfer the risk by purchasing cyber insurance
Why wrong: Transfer is an option, but it is not typically the first step; mitigation should be attempted first.
- C. Accept the risk without any further action
Why wrong: Acceptance should be considered only after mitigation has been attempted; doing nothing is not a default risk response.
- D. Mitigate the risk by implementing compensating controls
Correct: Compensating controls such as network segmentation and strict access controls reduce the risk even though the system cannot be patched.
Which TWO of the following are examples of vulnerability sources? (Choose TWO.)
- A. Environmental disaster
Why wrong: Environmental disasters are threat sources, not vulnerability sources.
- B. CVE entries
Correct: CVE entries are standardized identifiers for known vulnerabilities.
- C. Intentional human attack
Why wrong: An intentional human attack is a threat source.
- D. Hardware failure
Why wrong: Hardware failure is a threat source, not a vulnerability source.
- E. Configuration weaknesses
Correct: Misconfigurations are a common vulnerability source.
A security analyst is reviewing logs from a SIEM and notices multiple failed login attempts for a privileged account from an IP address in a foreign country, followed by a successful login after hours. Which type of security monitoring tool would be most effective at detecting this pattern as anomalous behavior based on user baseline?
- A. Signature-based IDS
Why wrong: A signature-based IDS detects known attack patterns, not anomalies in user behavior.
- B. Network-based IPS
Why wrong: A NIPS focuses on inspecting and blocking network traffic, not on user behavior.
- C. Host-based IDS
Why wrong: A HIDS monitors host-level events but does not typically analyze user behavior baselines.
- D. User Behavior Analytics (UBA)
Correct: UBA builds a baseline of normal user activity and flags deviations from it as anomalous.
A security team identifies a vulnerability in a web application that allows SQL injection. Which risk response strategy involves implementing input validation and parameterized queries to reduce the risk to an acceptable level?
- A. Risk transfer
Why wrong: Transfer would involve, for example, purchasing cyber insurance.
- B. Risk mitigation
Correct: Mitigation applies controls, here input validation and parameterized queries, to reduce the risk.
- C. Risk acceptance
Why wrong: Acceptance means acknowledging the risk without adding controls.
- D. Risk avoidance
Why wrong: Avoidance would mean not using the application at all.
A security analyst is tuning a SIEM and needs to reduce false positives from a rule that alerts on failed logins. The rule currently triggers on any single failed login. Which modification would best reduce false positives while still detecting brute-force attacks?
- A. Add a threshold of 5 failed logins within 5 minutes
Correct: A threshold filters out isolated failed logins while still catching the repeated attempts that characterize brute force.
- B. Disable the rule entirely
Why wrong: Disabling the rule would miss brute-force attacks.
- C. Increase the severity level of the alert
Why wrong: Changing the severity does not reduce the number of false positives.
- D. Ignore failed logins from known users
Why wrong: Known users' accounts can also be compromised.
After implementing security controls, a risk assessment shows that a residual risk of data exfiltration remains. Which document should formally record this residual risk and the decision to accept it?
- A. Incident response plan
Why wrong: The IR plan guides actions during incidents.
- B. Risk register
Correct: The risk register records all identified risks and their treatment, including residual risk and the decision to accept it.
- C. Business continuity plan
Why wrong: The BCP focuses on maintaining operations during disruptions.
- D. Security baseline
Why wrong: Baselines define security configuration standards.
A security engineer is reviewing system logs and notices that the log file size has not changed for several days, despite high system activity. Which log management concern does this indicate?
- A. Incorrect time synchronization
Why wrong: Incorrect time synchronization would produce wrong timestamps, not a log file size that never changes.
- B. Normal log rotation
Why wrong: Rotation keeps the total size roughly stable, but the active log still updates and its timestamps change.
- C. Insufficient storage capacity
Why wrong: Insufficient storage might force log rotation, but a file size that does not change at all is suspicious.
- D. Log tampering or disabled logging
Correct: Logs that stop updating during high activity may indicate that logging was intentionally stopped or the logs were tampered with.
Which type of IDS uses a database of known attack patterns to identify malicious activity?
- A. Behavior-based IDS
Why wrong: Behavior-based detection is essentially anomaly-based; it does not rely on a database of known attack patterns.
- B. Network-based IDS
Why wrong: NIDS describes where the sensor is deployed, not the detection method.
- C. Anomaly-based IDS
Why wrong: An anomaly-based IDS uses baselines of normal behavior.
- D. Signature-based IDS
Correct: A signature-based IDS matches traffic against a database of known attack signatures.
After implementing a new IDS, the security team receives numerous alerts about legitimate traffic being flagged as malicious. This phenomenon is known as:
- A. False positives
Correct: Legitimate traffic flagged as malicious is a false positive.
- B. Noise
Why wrong: Noise is a general term for irrelevant data; false positives are the specific term for legitimate activity flagged as malicious.
- C. False negatives
Why wrong: False negatives occur when malicious activity is not detected.
- D. True positives
Why wrong: True positives are correctly identified malicious activity.
A company's vulnerability scanner reports a critical vulnerability in a third-party library. The remediation SLA for critical vulnerabilities is 48 hours. However, the patch is not yet available from the vendor. Which of the following is the most appropriate immediate action?
- A. Remove the vulnerable software immediately
Why wrong: Removing the software may disrupt operations and is not always feasible.
- B. Extend the SLA to 30 days
Why wrong: Extending the SLA without taking action increases risk exposure.
- C. Accept the risk because the vendor has not released a patch
Why wrong: Acceptance should be a formal decision, not a default; compensating controls are preferred.
- D. Implement compensating controls to mitigate the vulnerability
Correct: Compensating controls reduce the risk until a patch becomes available.
A security administrator needs to choose an encryption algorithm for a high-speed network where data is encrypted at the link layer. Which algorithm is most appropriate?
- A. RSA
Why wrong: RSA is asymmetric and slow; it is not suitable for high-speed link-layer encryption.
- B. Diffie-Hellman
Why wrong: Diffie-Hellman is a key exchange protocol, not an encryption algorithm.
- C. AES
Correct: AES is a fast symmetric cipher and is suitable for link-layer encryption.
- D. SHA-256
Why wrong: SHA-256 is a hash function, not an encryption algorithm.
Which THREE of the following are common use cases for public key infrastructure (PKI)? (Select exactly three.)
- A. Password hashing
Why wrong: Password hashing uses hash functions, not PKI.
- B. Symmetric key exchange
Why wrong: Symmetric key exchange is typically performed with algorithms such as Diffie-Hellman rather than directly by PKI.
- C. Digital signatures
Correct: PKI enables digital signatures backed by certificates.
- D. Email encryption (S/MIME)
Correct: S/MIME uses PKI certificates for email encryption and signing.
- E. SSL/TLS certificate authentication
Correct: PKI provides the certificates used for SSL/TLS authentication.
When implementing a digital signature, which key is used to create the signature?
- A. Receiver's private key
Why wrong: The receiver's private key is used for decryption, not signing.
- B. Sender's private key
Correct: The sender's private key creates the signature; the corresponding public key verifies it.
- C. Sender's public key
Why wrong: The public key is used to verify a signature, not to create it.
- D. Receiver's public key
Why wrong: The receiver's keys play no part in signing.
A security administrator is configuring a wireless network for a branch office. The office has legacy devices that only support WPA2-PSK. The administrator wants to provide the highest level of security while maintaining compatibility. Which configuration should be used?
- A. WPA2-Enterprise with RADIUS
Why wrong: Legacy devices may not support 802.1X authentication.
- B. WPA2-PSK with AES (CCMP)
Correct: AES-CCMP is the strongest encryption available in WPA2 and is supported by most devices.
- C. WPA3-SAE only
Why wrong: The legacy devices do not support WPA3.
- D. WPA2-PSK with TKIP
Why wrong: TKIP is deprecated and weaker than AES.
Which TWO of the following are functions of a network firewall?
- A. Resolving domain names to IP addresses
Why wrong: DNS servers perform name resolution.
- B. Filtering traffic based on IP addresses and ports
Correct: Filtering traffic by address and port is the core function of a firewall.
- C. Performing Network Address Translation (NAT)
Correct: Many firewalls include NAT functionality.
- D. Encrypting data at rest
Why wrong: Encryption at rest is typically handled by storage systems, not firewalls.
- E. Assigning IP addresses to hosts
Why wrong: DHCP servers assign IP addresses, not firewalls.