- A security administrator is asked to enforce a policy that no single employee can both create a vendor record and approve payments to that vendor. Which security principle does this enforce?
- Mandatory vacation
- Least privilege
- Defense in depth
- Separation of duties
Correct answer: Separation of duties
Separation of duties splits a sensitive process across multiple people so no one individual can complete it alone, reducing fraud risk.
- During onboarding, a new analyst is granted only the access required to perform their job tasks and nothing more. This is an application of which principle?
- Least privilege
- Implicit deny
- Dual control
- Need to know
Correct answer: Least privilege
Least privilege grants users the minimum permissions necessary to perform their duties, limiting the impact of compromised accounts.
- An organization rotates an employee out of a sensitive accounting role for two consecutive weeks each year, during which another employee performs the duties. What control objective does this primarily support?
- Improving cryptographic strength
- Increasing availability
- Reducing licensing costs
- Detecting fraud or irregularities
Correct answer: Detecting fraud or irregularities
Mandatory vacation forces another person to perform the duties, increasing the chance that hidden fraud or errors are detected.
- A practitioner needs to document approved configuration settings that all production web servers must meet. Which artifact best captures this?
- An incident runbook
- A risk register
- A memorandum of understanding
- A configuration baseline
Correct answer: A configuration baseline
A configuration baseline defines the approved, secure standard settings for a class of systems and serves as the reference for compliance and change control.
- Which document type provides mandatory, step-by-step instructions that personnel must follow to accomplish a specific task?
- Policy
- Standard
- Guideline
- Procedure
Correct answer: Procedure
A procedure gives detailed, mandatory step-by-step instructions; policies set high-level intent, standards set mandatory requirements, and guidelines are recommendations.
- A high-level management statement that defines the organization's overall security intent and direction is best described as a:
- Baseline
- Policy
- Guideline
- Procedure
Correct answer: Policy
A policy is a high-level, mandatory management directive establishing the organization's security goals and intent.
- An asset inventory classifies a database containing patient health records as 'Confidential.' What is the primary purpose of data classification?
- To eliminate the need for access controls
- To apply appropriate protection levels based on sensitivity
- To increase storage efficiency
- To reduce the number of backups required
Correct answer: To apply appropriate protection levels based on sensitivity
Data classification assigns sensitivity levels so that appropriate, proportionate controls can be applied to protect each category of data.
- Before a change is implemented in production, it must be reviewed and approved by a board. Which process does this describe?
- Incident management
- Vulnerability scanning
- Patch deployment
- Change management
Correct answer: Change management
Change management requires that proposed changes be documented, reviewed, approved, and tracked to prevent unauthorized or destabilizing modifications.
- A practitioner discovers that several systems are running software past its end-of-life date with no vendor patches available. What is the most appropriate first action?
- Ignore it because no patches exist
- Document the risk and recommend mitigation or replacement
- Immediately disconnect all affected systems without notice
- Reinstall the same software
Correct answer: Document the risk and recommend mitigation or replacement
Unsupported software is a risk that should be documented and escalated with mitigation options such as compensating controls or replacement, balancing operational needs.
- Which of the following best describes the purpose of a data retention policy?
- To grant universal read access
- To encrypt data at rest
- To define how long data is kept and when it is securely destroyed
- To keep all data forever for safety
Correct answer: To define how long data is kept and when it is securely destroyed
A retention policy specifies how long different data types are stored and mandates secure disposal afterward, supporting compliance and reducing exposure.
- An employee leaves the company. To prevent lingering access, which action is most important during offboarding?
- Reset the office Wi-Fi password
- Disable or remove all of the employee's accounts and access
- Archive the employee's email signature
- Update the company org chart
Correct answer: Disable or remove all of the employee's accounts and access
Timely deprovisioning of all accounts and access rights prevents former employees from retaining unauthorized access.
- A vendor will process sensitive customer data on behalf of an organization. Which document should define the security responsibilities and obligations of the vendor?
- Acceptable use policy
- Network diagram
- Service level agreement or contract with security clauses
- Software bill of materials
Correct answer: Service level agreement or contract with security clauses
Contractual agreements such as SLAs and data processing agreements define the vendor's security obligations and accountability for protecting the data.
- What is the primary goal of security awareness training for general staff?
- To certify employees as security professionals
- To teach staff to write secure code
- To change user behavior and reduce human-related security risks
- To replace technical controls
Correct answer: To change user behavior and reduce human-related security risks
Awareness training aims to influence user behavior so employees recognize and avoid threats like phishing, reducing human-factor risk.
- A media sanitization standard requires that magnetic hard drives leaving the facility be unrecoverable. Which method provides the highest assurance of data destruction?
- Single-pass file deletion
- Moving files to recycle bin
- Physical destruction (shredding/degaussing)
- Quick format
Correct answer: Physical destruction (shredding/degaussing)
Physical destruction such as shredding or degaussing renders data unrecoverable, providing the strongest assurance compared to logical deletion or formatting.
- Which concept ensures that two or more authorized individuals must act together to perform a critical action, such as accessing a vault key?
- Implicit deny
- Job rotation
- Least privilege
- Dual control
Correct answer: Dual control
Dual control (also called two-person integrity) requires multiple authorized persons to jointly perform a highly sensitive action.
- A practitioner is creating a document that records identified risks, their owners, and treatment status. What is this called?
- Asset inventory
- Audit trail
- Risk register
- Change log
Correct answer: Risk register
A risk register is the central record of identified risks, their assessed levels, owners, and treatment decisions.
- Which of the following is the BEST example of a technical (logical) control?
- Security guard at the entrance
- Access control list on a file share
- Acceptable use policy
- Security awareness poster
Correct answer: Access control list on a file share
An access control list is enforced by technology, making it a technical/logical control, whereas guards are physical and policies are administrative.
- What does the principle of 'need to know' restrict?
- The number of passwords a user can have
- The physical size of data centers
- The hours an employee can work
- Access to specific information required for a task, even within an authorized clearance level
Correct answer: Access to specific information required for a task, even within an authorized clearance level
Need to know limits access to only the specific information necessary for a person's task, even if their clearance would otherwise permit broader access.
- An organization adopts a framework to manage security controls and demonstrate compliance to auditors. Which of the following is an example of such a control framework?
- NIST SP 800-53
- HTTP
- DHCP
- TCP/IP
Correct answer: NIST SP 800-53
NIST SP 800-53 is a catalog of security and privacy controls used as a framework for selecting and assessing controls.
- A practitioner must ensure that a third party's documented security practices are sufficient before integration. What activity best supports this?
- Increasing the company's ad budget
- Penetration testing the practitioner's own network
- Encrypting the company website
- Vendor security assessment / due diligence review
Correct answer: Vendor security assessment / due diligence review
Vendor due diligence assesses the third party's security posture and controls before granting access or integrating systems.
- Which statement best characterizes the relationship between policies, standards, and procedures?
- Procedures define intent, policies give steps
- They are interchangeable terms
- Standards are optional suggestions
- Policies set intent, standards set mandatory requirements, procedures give detailed steps
Correct answer: Policies set intent, standards set mandatory requirements, procedures give detailed steps
Policies establish high-level intent, standards specify mandatory requirements supporting the policy, and procedures provide the detailed how-to steps.
- A company wants employees to acknowledge acceptable behavior when using corporate systems. Which document should they sign?
- Network baseline
- Disaster recovery plan
- Business impact analysis
- Acceptable use policy
Correct answer: Acceptable use policy
An Acceptable Use Policy defines permitted and prohibited uses of company systems and is typically acknowledged by users.
- During a security review, a practitioner finds that audit logs are stored on the same server that generates them and can be edited by local admins. What is the primary concern?
- Loss of log integrity and non-repudiation
- Improved availability
- Reduced storage costs
- Faster log searches
Correct answer: Loss of log integrity and non-repudiation
Logs editable by the monitored system's admins can be tampered with; centralizing and protecting logs preserves integrity and accountability.
- What is the main purpose of a code of ethics for security practitioners?
- To set professional conduct expectations and protect the public trust
- To define network protocols
- To replace security policies
- To establish encryption standards
Correct answer: To set professional conduct expectations and protect the public trust
A professional code of ethics guides conduct, prioritizing protection of society and acting honorably, which underpins trust in the profession.
- In an access control model where the data owner decides who may access a resource, which model is in use?
- Discretionary Access Control (DAC)
- Rule-Based Access Control
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
Correct answer: Discretionary Access Control (DAC)
In DAC the resource owner has discretion to grant or revoke access to others, typically via permissions or ACLs.
- A government system assigns clearance levels to users and classification labels to data; access is granted only when the user's clearance dominates the label. Which model is this?
Correct answer: MAC
Mandatory Access Control enforces access based on security labels and clearances set by a central authority, not the data owner.
- Users are assigned permissions based on their job function such as 'Accountant' or 'HR Manager.' Which access control model is being used?
- MAC
- RBAC
- DAC
- Attribute-based by time
Correct answer: RBAC
Role-Based Access Control assigns permissions to roles, and users inherit permissions through their assigned role, simplifying administration.
- An access decision is made by evaluating attributes such as user department, device location, and time of day. Which model is this?
Correct answer: ABAC
Attribute-Based Access Control evaluates multiple attributes of the subject, object, and environment to make dynamic access decisions.
- Which of the following best describes the difference between authentication and authorization?
- Authorization happens before authentication
- Authentication grants permissions; authorization verifies identity
- Authentication verifies identity; authorization determines permitted actions
- They are identical processes
Correct answer: Authentication verifies identity; authorization determines permitted actions
Authentication proves who a subject is, while authorization determines what an authenticated subject is allowed to do.
- A login system requires a password and a one-time code from a hardware token. This is an example of:
- Multifactor authentication using two factors
- Single-factor authentication
- Federated identity
- Single sign-on
Correct answer: Multifactor authentication using two factors
Combining something you know (password) with something you have (token) constitutes multifactor authentication.
- Which of the following is an example of the 'something you are' authentication factor?
- A fingerprint scan
- A security question
- A PIN
- A smart card
Correct answer: A fingerprint scan
Biometric traits like fingerprints represent 'something you are,' an inherence factor.
- A user authenticates once and gains access to multiple applications without re-entering credentials. What is this called?
- Single sign-on (SSO)
- Mandatory access control
- Privilege escalation
- Multifactor authentication
Correct answer: Single sign-on (SSO)
Single sign-on lets a user authenticate once and access multiple connected systems without repeated logins.
- In a Kerberos environment, what does the Ticket Granting Ticket (TGT) primarily allow a user to do?
- Reset other users' passwords
- Decrypt all network traffic
- Bypass authorization checks
- Request service tickets without re-entering the password
Correct answer: Request service tickets without re-entering the password
The TGT, issued after initial authentication, lets the user request service tickets from the TGS without resubmitting credentials.
- Which protocol is commonly used to provide centralized authentication, authorization, and accounting (AAA) for network device administration and supports command-level authorization?
Correct answer: TACACS+
TACACS+ provides AAA and separates authentication, authorization, and accounting, allowing granular command authorization for network devices.
- RADIUS encrypts which part of the authentication exchange by default?
- Nothing is encrypted
- Only the password (user-password) field
- The entire packet
- Only the username
Correct answer: Only the password (user-password) field
Standard RADIUS encrypts only the user password attribute, leaving other attributes in cleartext, unlike TACACS+ which encrypts the whole payload.
- A federated identity system uses SAML. What is the primary purpose of SAML?
- Exchanging authentication and authorization assertions between identity and service providers
- Scanning for vulnerabilities
- Encrypting disk volumes
- Routing packets between subnets
Correct answer: Exchanging authentication and authorization assertions between identity and service providers
SAML is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and service providers, enabling federation.
- What is the main security benefit of implementing account lockout after several failed login attempts?
- Mitigating online password-guessing and brute-force attacks
- Improving network bandwidth
- Eliminating the need for passwords
- Faster logins
Correct answer: Mitigating online password-guessing and brute-force attacks
Account lockout limits the number of guesses an attacker can make, frustrating online brute-force and password-guessing attacks.
- Which biometric error rate refers to the system incorrectly accepting an unauthorized user?
- Crossover Error Rate (CER)
- False Rejection Rate (FRR)
- False Acceptance Rate (FAR)
- Failure to Enroll Rate
Correct answer: False Acceptance Rate (FAR)
The False Acceptance Rate measures how often an impostor is wrongly accepted, a critical security metric for biometric systems.
- The point at which a biometric system's false acceptance rate equals its false rejection rate is called the:
- Maximum tolerable downtime
- Recovery point objective
- Mean time to repair
- Crossover Error Rate (CER)
Correct answer: Crossover Error Rate (CER)
The Crossover Error Rate, where FAR equals FRR, is used to compare overall biometric accuracy; lower is better.
- An administrator implements a rule that any access not explicitly granted is denied. This default posture is known as:
- Implicit deny
- Implicit allow
- Mandatory vacation
- Open access
Correct answer: Implicit deny
Implicit deny means anything not expressly permitted is blocked, a secure default for access control configurations.
- Which of the following best describes privilege creep?
- Encrypting privileged accounts
- Privileges automatically expiring over time
- Accumulation of access rights as users change roles without removing old permissions
- Disabling unused accounts
Correct answer: Accumulation of access rights as users change roles without removing old permissions
Privilege creep occurs when users retain access from prior roles, accumulating excessive permissions over time; periodic access reviews mitigate it.
- What control helps detect privilege creep and inappropriate access?
- Increasing password length
- Disabling logging
- Adding more firewalls
- Periodic access (user entitlement) reviews
Correct answer: Periodic access (user entitlement) reviews
Regular access recertification or entitlement reviews verify that users only retain access they currently need, catching privilege creep.
- A directory service that uses a hierarchical structure and is commonly queried over port 389 is:
Correct answer: LDAP
LDAP (Lightweight Directory Access Protocol) provides hierarchical directory services and typically listens on TCP 389 (or 636 for LDAPS).
- Which authentication approach is most resistant to phishing because it cryptographically binds the credential to the legitimate site?
- Static passwords
- SMS one-time passwords
- FIDO2/WebAuthn hardware authenticators
- Security questions
Correct answer: FIDO2/WebAuthn hardware authenticators
FIDO2/WebAuthn uses origin-bound public key cryptography, so credentials cannot be phished or replayed to a fraudulent site.
- In an identity lifecycle, what does 'deprovisioning' refer to?
- Creating new accounts
- Encrypting credentials at rest
- Granting elevated privileges
- Removing or disabling access when no longer needed
Correct answer: Removing or disabling access when no longer needed
Deprovisioning is the timely removal or disabling of access rights when a user changes roles or leaves, preventing orphaned access.
- A system allows access only from corporate-managed devices that meet a security posture check. This is an example of:
- Disabling MFA
- Public access
- Device-based conditional access
- Trust-by-default
Correct answer: Device-based conditional access
Conditional access evaluates device posture and other conditions before granting access, a common ABAC/zero-trust technique.
- A practitioner calculates the expected yearly financial loss from a threat by multiplying the single loss expectancy by the annualized rate of occurrence. What is this value called?
- Asset value
- Annualized Loss Expectancy (ALE)
- Exposure factor
- Residual risk
Correct answer: Annualized Loss Expectancy (ALE)
ALE = SLE x ARO, representing the expected annual monetary loss from a given risk and supporting cost-benefit decisions.
- An asset is valued at $200,000 and a fire would destroy 25% of it. What is the Single Loss Expectancy?
- $5,000
- $50,000
- $200,000
- $25,000
Correct answer: $50,000
SLE = Asset Value x Exposure Factor = $200,000 x 0.25 = $50,000.
- In quantitative risk analysis, the percentage of an asset's value lost from a single realized threat is called the:
- Residual risk
- Recovery time objective
- Exposure factor
- Annualized rate of occurrence
Correct answer: Exposure factor
The exposure factor expresses the proportion of asset value lost in a single incident and is used to compute SLE.
- After applying controls, the risk that remains is known as:
- Inherent risk
- Total risk
- Residual risk
- Transferred risk
Correct answer: Residual risk
Residual risk is the risk that persists after controls have been implemented; it must be accepted, transferred, or further mitigated.
- An organization purchases cyber insurance to handle financial impact of a breach. Which risk treatment is this?
- Risk mitigation
- Risk acceptance
- Risk transfer
- Risk avoidance
Correct answer: Risk transfer
Buying insurance shifts the financial impact of the risk to a third party, which is risk transfer.
- A company decides not to launch a new service because the associated security risk is too high. Which risk response is this?
- Risk mitigation
- Risk acceptance
- Risk avoidance
- Risk transfer
Correct answer: Risk avoidance
Choosing not to engage in the risky activity altogether is risk avoidance.
- Which of the following best describes a qualitative risk assessment?
- Assigns precise dollar values to all risks
- Requires no input from subject matter experts
- Only applies to physical assets
- Uses descriptive ratings such as high, medium, and low
Correct answer: Uses descriptive ratings such as high, medium, and low
Qualitative assessment ranks risks using descriptive scales (e.g., high/medium/low) rather than precise monetary figures.
- A vulnerability is best defined as:
- A potential cause of an unwanted incident
- The likelihood of an attack
- The financial value of an asset
- A weakness that a threat can exploit
Correct answer: A weakness that a threat can exploit
A vulnerability is a weakness in a system or process that a threat could exploit to cause harm.
- In risk terminology, a threat is best described as:
- Any potential event or actor that could cause harm
- The cost of remediation
- The remaining risk after controls
- A weakness in a control
Correct answer: Any potential event or actor that could cause harm
A threat is any circumstance or actor with the potential to exploit a vulnerability and cause harm to an asset.
- What is the primary purpose of a vulnerability scan?
- To replace patch management
- To encrypt sensitive data
- To identify and report known weaknesses in systems
- To exploit weaknesses and gain access
Correct answer: To identify and report known weaknesses in systems
Vulnerability scanning identifies and reports known weaknesses so they can be prioritized and remediated; it does not exploit them.
- What distinguishes a penetration test from a vulnerability scan?
- A vulnerability scan exploits systems
- They are identical
- A penetration test actively attempts to exploit weaknesses to demonstrate impact
- A penetration test only lists vulnerabilities
Correct answer: A penetration test actively attempts to exploit weaknesses to demonstrate impact
Penetration testing actively exploits vulnerabilities to demonstrate real impact, whereas scanning only identifies potential weaknesses.
- A scanner reports a vulnerability that does not actually exist on the system. This is a:
- True negative
- False negative
- True positive
- False positive
Correct answer: False positive
A false positive is when a tool reports a vulnerability or alert that is not actually present, requiring validation.
- A monitoring system fails to alert on a genuine intrusion. This missed detection is a:
- True positive
- Baseline deviation
- False positive
- False negative
Correct answer: False negative
A false negative occurs when a real malicious event goes undetected, which is dangerous because the threat is not flagged.
- Which scoring system is widely used to rate the severity of software vulnerabilities on a 0 to 10 scale?
Correct answer: CVSS
The Common Vulnerability Scoring System (CVSS) provides a numeric severity score (0-10) to help prioritize remediation.
- What is a CVE identifier used for?
- Uniquely naming a publicly known vulnerability
- Listing software weaknesses by category
- Scoring vulnerability severity
- Encrypting vulnerability data
Correct answer: Uniquely naming a publicly known vulnerability
A CVE (Common Vulnerabilities and Exposures) ID is a unique reference for a specific publicly disclosed vulnerability.
- A practitioner aggregates and correlates log data from many sources to detect security events. Which tool is designed for this?
- Print server
- Load balancer
- SIEM
- DHCP server
Correct answer: SIEM
A Security Information and Event Management (SIEM) system collects, normalizes, and correlates logs to detect and alert on security events.
- Why is accurate and synchronized time (e.g., via NTP) important for security monitoring?
- It improves CPU performance
- It encrypts log files
- It enables correct correlation and ordering of events across systems
- It reduces storage usage
Correct answer: It enables correct correlation and ordering of events across systems
Synchronized clocks let analysts correlate and order events accurately across devices during investigations and incident response.
- An IDS that triggers based on known attack patterns is using which detection method?
- Heuristic guessing
- Signature-based detection
- Anomaly-based detection
- Random sampling
Correct answer: Signature-based detection
Signature-based detection matches traffic or activity against known attack patterns; it is effective against known threats but can miss novel ones.
- An IDS that learns normal behavior and flags deviations is using:
- Signature-based detection
- Stateful packet filtering
- Anomaly-based detection
- Port mirroring
Correct answer: Anomaly-based detection
Anomaly-based detection establishes a baseline of normal behavior and alerts on deviations, enabling detection of unknown attacks but with more false positives.
- What is the purpose of establishing a behavioral baseline for a network?
- To eliminate logging
- To encrypt all packets
- To define normal activity so anomalies can be detected
- To slow down traffic
Correct answer: To define normal activity so anomalies can be detected
A baseline of normal activity provides a reference point so unusual or malicious deviations can be identified.
- A risk assessment shows the cost of a control exceeds the expected loss it prevents. The organization chooses to accept the risk. This decision is:
- A form of risk transfer
- A reasonable cost-benefit-based risk acceptance
- A compliance violation by default
- Always incorrect
Correct answer: A reasonable cost-benefit-based risk acceptance
When mitigation costs more than the potential loss, accepting the risk can be a justified, documented business decision.
- Which activity best supports continuous monitoring of an organization's security posture?
- Ongoing collection and analysis of security metrics and alerts
- Annual one-time review only
- Disabling alerts to reduce noise
- Removing log retention
Correct answer: Ongoing collection and analysis of security metrics and alerts
Continuous monitoring involves ongoing data collection and analysis to maintain real-time awareness of security posture and detect issues quickly.
- Which phase typically comes FIRST in an incident response lifecycle?
- Preparation
- Recovery
- Lessons learned
- Eradication
Correct answer: Preparation
Preparation comes first, establishing the policies, tools, and team capabilities needed before an incident occurs.
- In the incident response process, which step immediately follows detection and analysis?
- Asset disposal
- Lessons learned
- Containment
- Preparation
Correct answer: Containment
After an incident is detected and analyzed, containment limits its spread and impact before eradication and recovery.
- What is the primary goal of the containment phase of incident response?
- To limit the spread and damage of the incident
- To permanently remove the threat
- To restore from backups
- To document lessons learned
Correct answer: To limit the spread and damage of the incident
Containment aims to stop the incident from spreading and causing further damage while preserving evidence and planning eradication.
- During an active malware outbreak, isolating an infected host from the network is an example of:
- Short-term containment
- Lessons learned
- Recovery
- Eradication
Correct answer: Short-term containment
Quickly isolating an infected system is short-term containment to prevent further spread while the response continues.
- Removing the malware and the attacker's persistence mechanisms from affected systems is part of which phase?
- Preparation
- Eradication
- Containment
- Detection
Correct answer: Eradication
Eradication removes the root cause, malware, backdoors, and persistence so the threat no longer exists in the environment.
- Restoring affected systems to normal operation and confirming they function correctly is the goal of which phase?
- Detection
- Preparation
- Containment
- Recovery
Correct answer: Recovery
Recovery returns systems to normal operation and validates that they are clean and functioning before full production use.
- After an incident is resolved, the team meets to identify what went well and what to improve. This is the:
- Containment phase
- Lessons learned / post-incident review
- Eradication phase
- Detection phase
Correct answer: Lessons learned / post-incident review
The lessons learned phase reviews the incident and response to improve future preparedness and update procedures.
- What is the primary purpose of maintaining a chain of custody for collected evidence?
- To speed up the investigation
- To delete the evidence after analysis
- To document who handled evidence and when, preserving its admissibility
- To encrypt the evidence
Correct answer: To document who handled evidence and when, preserving its admissibility
Chain of custody documents every transfer and handling of evidence to prove integrity and maintain legal admissibility.
- When collecting volatile data during forensics, which source should generally be collected FIRST based on order of volatility?
- Printed reports
- Archived backups
- CPU registers and cache / RAM
- Optical media
Correct answer: CPU registers and cache / RAM
The order of volatility dictates collecting the most ephemeral data first, such as CPU registers, cache, and RAM, before disk and backups.
- Which technique helps verify that a forensic disk image is an exact, unaltered copy of the original?
- Compressing the image
- Encrypting the original
- Comparing cryptographic hashes of the source and image
- Renaming the file
Correct answer: Comparing cryptographic hashes of the source and image
Computing and comparing hash values (e.g., SHA-256) of the source and the image proves the copy is identical and unaltered.
- The maximum acceptable amount of data loss measured in time is known as the:
- Recovery Time Objective (RTO)
- Mean Time to Repair (MTTR)
- Maximum Tolerable Downtime (MTD)
- Recovery Point Objective (RPO)
Correct answer: Recovery Point Objective (RPO)
The Recovery Point Objective defines how much data, expressed as a time window, an organization can afford to lose, guiding backup frequency.
- The maximum acceptable length of time to restore a system after a disruption is the:
- Recovery Point Objective (RPO)
- Exposure factor
- Recovery Time Objective (RTO)
- Annualized Loss Expectancy
Correct answer: Recovery Time Objective (RTO)
The Recovery Time Objective specifies the target time within which a system or service must be restored after an outage.
- A business impact analysis (BIA) primarily helps an organization to:
- Encrypt all data
- Configure firewalls
- Identify critical processes and the impact of their disruption
- Write malware signatures
Correct answer: Identify critical processes and the impact of their disruption
A BIA identifies critical business functions, their dependencies, and the impact of disruption to prioritize recovery efforts.
- Which backup type copies only the data changed since the last full backup and does not clear the archive bit?
- Full backup
- Differential backup
- Snapshot only
- Incremental backup
Correct answer: Differential backup
A differential backup captures all changes since the last full backup and does not reset the archive bit, so each differential grows until the next full backup.
- Which backup type copies only data changed since the last backup of any type and resets the archive bit?
- Full backup
- Differential backup
- Incremental backup
- Mirror backup
Correct answer: Incremental backup
An incremental backup captures only changes since the last backup of any type and clears the archive bit, minimizing backup size but requiring multiple sets to restore.
- A recovery site that is fully equipped and can take over operations within minutes to hours is a:
- Mobile site
- Warm site
- Cold site
- Hot site
Correct answer: Hot site
A hot site is fully provisioned with equipment and current data, enabling near-immediate failover at higher cost.
- A recovery site that has space, power, and network connectivity but no installed servers or current data is a:
- Cloud site
- Hot site
- Cold site
- Warm site
Correct answer: Cold site
A cold site provides basic infrastructure but requires installation of equipment and data, making recovery slower and cheaper.
- During an investigation, a practitioner must avoid altering the original evidence. Which practice supports this?
- Editing files to remove malware
- Working on a forensic copy and using write blockers
- Deleting logs to save space
- Working directly on the original drive
Correct answer: Working on a forensic copy and using write blockers
Forensic analysis is performed on verified copies, and write blockers prevent any modification to the original media.
- What is the FIRST priority during any incident response activity involving an active life-safety hazard?
- Notify the press
- Preserve forensic evidence
- Restore the affected service
- Protect human safety
Correct answer: Protect human safety
Human safety always takes precedence over data, systems, or evidence preservation during incident response.
- Which document defines roles, responsibilities, and steps the organization follows when a security incident occurs?
- Network baseline
- Incident response plan
- Acceptable use policy
- Software license
Correct answer: Incident response plan
The incident response plan documents the procedures, roles, and communications used to handle incidents consistently.
- A predefined, detailed set of steps for responding to a specific incident type, such as ransomware, is best called a:
- Data flow diagram
- Playbook (runbook)
- Service level agreement
- Risk register
Correct answer: Playbook (runbook)
A playbook or runbook provides step-by-step response actions for a particular incident scenario to ensure consistent, fast handling.
- Which encryption approach uses the same key to encrypt and decrypt data?
- Digital signing
- Asymmetric encryption
- Hashing
- Symmetric encryption
Correct answer: Symmetric encryption
Symmetric encryption uses a single shared secret key for both encryption and decryption, offering speed but requiring secure key exchange.
- Which of the following is a symmetric block cipher widely adopted as a U.S. encryption standard?
- AES
- SHA-256
- Diffie-Hellman
- RSA
Correct answer: AES
AES (Advanced Encryption Standard) is a symmetric block cipher adopted as the U.S. standard, supporting 128/192/256-bit keys.
- In asymmetric cryptography, a message encrypted with a recipient's public key can be decrypted with:
- The sender's private key
- The recipient's private key
- The same public key
- A shared symmetric key
Correct answer: The recipient's private key
Data encrypted with a public key can only be decrypted by the corresponding private key, ensuring confidentiality to the key owner.
- To provide a digital signature, a sender encrypts a message hash with their:
- Public key
- Private key
- Recipient's public key
- Symmetric session key
Correct answer: Private key
Signing uses the sender's private key on the message hash; anyone can verify with the sender's public key, providing authenticity and integrity.
- Which property does a cryptographic hash function primarily provide?
- Key exchange
- Non-repudiation by itself
- Confidentiality
- Integrity verification
Correct answer: Integrity verification
Hash functions produce a fixed-length digest used to verify data integrity; any change in input changes the output.
- Which of the following is considered a cryptographically broken hash that should not be used for security?
Correct answer: MD5
MD5 is vulnerable to practical collision attacks and is not suitable for security purposes; SHA-2 and SHA-3 families are recommended.
- What is the main purpose of a digital certificate?
- To encrypt entire disks
- To compress data
- To bind a public key to an identity and vouch for it
- To store passwords
Correct answer: To bind a public key to an identity and vouch for it
A digital certificate binds a public key to an identity and is signed by a trusted certificate authority to vouch for that binding.
- In a Public Key Infrastructure, who issues and signs digital certificates?
- The end user
- The web browser
- The DNS server
- A Certificate Authority (CA)
Correct answer: A Certificate Authority (CA)
A Certificate Authority issues, signs, and manages digital certificates, serving as the trusted third party in a PKI.
- What does a Certificate Revocation List (CRL) provide?
- A list of certificates that are no longer trusted before expiry
- A list of valid certificates
- A list of available ciphers
- A backup of private keys
Correct answer: A list of certificates that are no longer trusted before expiry
A CRL lists certificates revoked before their expiration so relying parties can reject them.
- Which protocol provides real-time checking of a single certificate's revocation status?
Correct answer: OCSP
The Online Certificate Status Protocol (OCSP) allows clients to query the revocation status of an individual certificate in real time.
- The Diffie-Hellman algorithm is primarily used for:
- Hashing passwords
- Compressing files
- Digitally signing documents
- Securely exchanging a shared secret key over an insecure channel
Correct answer: Securely exchanging a shared secret key over an insecure channel
Diffie-Hellman enables two parties to derive a shared secret over an insecure channel without transmitting the key itself.
- Adding a unique random value to a password before hashing to defend against precomputed (rainbow) tables is called:
- Peppering only
- Truncating
- Encoding
- Salting
Correct answer: Salting
A salt is a unique random value added per password before hashing, ensuring identical passwords produce different hashes and defeating rainbow tables.
- Which protocol secures web traffic by providing encryption and authentication between a browser and a server?
Correct answer: TLS
Transport Layer Security (TLS) provides confidentiality, integrity, and authentication for web traffic, succeeding SSL.
- What is the primary risk of using the ECB (Electronic Codebook) mode for block cipher encryption?
- Identical plaintext blocks produce identical ciphertext, revealing patterns
- It is too slow
- It requires asymmetric keys
- It cannot be decrypted
Correct answer: Identical plaintext blocks produce identical ciphertext, revealing patterns
ECB encrypts each block independently, so identical plaintext blocks yield identical ciphertext, leaking structure; modes like CBC or GCM avoid this.
- At which layer of the OSI model does a router primarily operate?
- Layer 3 (Network)
- Layer 4 (Transport)
- Layer 7 (Application)
- Layer 2 (Data Link)
Correct answer: Layer 3 (Network)
Routers operate at Layer 3, making forwarding decisions based on IP addresses.
- A network switch primarily makes forwarding decisions based on:
- MAC addresses
- IP addresses
- Domain names
- Port numbers
Correct answer: MAC addresses
A traditional switch operates at Layer 2 and forwards frames based on destination MAC addresses.
- Which device segments broadcast domains and connects different IP networks?
- Router
- Layer 2 switch
- Hub
- Repeater
Correct answer: Router
A router connects different networks and, by default, separates broadcast domains, unlike a Layer 2 switch.
- A firewall that tracks the state of active connections and allows return traffic for established sessions is a:
- Packet filter (stateless)
- Proxy cache only
- Hub
- Stateful inspection firewall
Correct answer: Stateful inspection firewall
A stateful inspection firewall maintains a connection state table and permits return traffic that matches established sessions.
- What is the primary security purpose of network segmentation using VLANs?
- To assign public IP addresses
- To increase cable length
- To eliminate the need for firewalls
- To logically separate traffic and limit lateral movement
Correct answer: To logically separate traffic and limit lateral movement
VLANs logically segment a network so that compromise in one segment is contained and lateral movement is limited.
- A DMZ (demilitarized zone) in network design is used to:
- Encrypt internal traffic
- Host internet-facing services while isolating them from the internal network
- Store all internal databases
- Replace the firewall
Correct answer: Host internet-facing services while isolating them from the internal network
A DMZ is a buffer network hosting public-facing services, isolating them from the trusted internal network to reduce exposure.
- Which port and protocol does HTTPS use by default?
- TCP 443
- TCP 80
- UDP 53
- TCP 23
Correct answer: TCP 443
HTTPS uses TCP port 443 to provide TLS-encrypted web traffic.
- Which protocol and port is used for secure remote command-line administration of a server?
- Telnet on TCP 23
- FTP on TCP 21
- SNMP on UDP 161
- SSH on TCP 22
Correct answer: SSH on TCP 22
SSH on TCP 22 provides encrypted remote shell access, replacing insecure cleartext Telnet.
- An attacker floods a target with traffic from many compromised hosts to exhaust resources. This is a:
- SQL injection
- Distributed Denial of Service (DDoS)
- Phishing
- Privilege escalation
Correct answer: Distributed Denial of Service (DDoS)
A DDoS attack uses many distributed sources to overwhelm a target's resources, degrading or denying availability.
- Which attack involves sending forged ARP messages to associate the attacker's MAC with another host's IP to intercept traffic?
- Smurf attack
- ARP spoofing/poisoning
- SYN flood
- DNS poisoning
Correct answer: ARP spoofing/poisoning
ARP spoofing sends falsified ARP replies so traffic intended for another host is sent to the attacker, enabling man-in-the-middle attacks.
- What is the purpose of Network Address Translation (NAT)?
- To resolve domain names
- To encrypt all packets
- To assign MAC addresses
- To map private internal addresses to public addresses, conserving and hiding them
Correct answer: To map private internal addresses to public addresses, conserving and hiding them
NAT translates private internal IP addresses to one or more public addresses, conserving IPv4 space and hiding internal topology.
- Which wireless security protocol is the most secure and recommended for modern Wi-Fi networks?
Correct answer: WPA3
WPA3 is the current strongest Wi-Fi security standard, improving on WPA2 with stronger encryption and protection against offline guessing.
- Why should WEP not be used to secure wireless networks?
- Its weak RC4 implementation and IV reuse make it easily cracked
- It only works on wired networks
- It is too fast
- It requires certificates
Correct answer: Its weak RC4 implementation and IV reuse make it easily cracked
WEP's flawed use of RC4 and initialization vector reuse allows the key to be recovered quickly, making it insecure.
- A VPN using IPsec in tunnel mode primarily provides:
- Wireless access points
- DNS resolution
- Faster unencrypted browsing
- Encrypted, authenticated communication between networks over an untrusted network
Correct answer: Encrypted, authenticated communication between networks over an untrusted network
IPsec tunnel mode encrypts and authenticates entire IP packets between gateways, securing traffic across untrusted networks like the internet.
- Which IPsec protocol provides both encryption (confidentiality) and integrity/authentication of the payload?
- ARP
- AH (Authentication Header)
- ICMP
- ESP (Encapsulating Security Payload)
Correct answer: ESP (Encapsulating Security Payload)
ESP provides confidentiality through encryption plus integrity and authentication, whereas AH provides integrity/authentication without encryption.
- An attacker intercepts DNS responses and redirects users to a malicious site. This is known as:
- Session fixation
- SYN flooding
- DNS poisoning/spoofing
- Port scanning
Correct answer: DNS poisoning/spoofing
DNS poisoning corrupts resolver data so users are redirected to attacker-controlled addresses; DNSSEC helps mitigate it.
- What does DNSSEC primarily provide?
- Faster DNS lookups
- NAT translation
- Encryption of DNS queries
- Authentication and integrity of DNS records via digital signatures
Correct answer: Authentication and integrity of DNS records via digital signatures
DNSSEC digitally signs DNS records to ensure authenticity and integrity, preventing spoofed responses, though it does not encrypt queries.
- A device that inspects and can block malicious traffic inline, dropping packets that match attack signatures, is a(n):
- DHCP server
- IPS (inline)
- DNS forwarder
- IDS (passive)
Correct answer: IPS (inline)
An Intrusion Prevention System sits inline and can actively block malicious traffic, unlike a passive IDS that only alerts.
- Which TCP attack exploits the three-way handshake by sending many SYN packets without completing connections?
- SYN flood
- Cross-site scripting
- DNS poisoning
- ARP poisoning
Correct answer: SYN flood
A SYN flood sends numerous half-open connection requests to exhaust the target's connection table, denying service.
- What is the primary security benefit of disabling unused network ports and services on devices?
- Increasing electricity use
- Speeding up DNS
- Reducing the attack surface
- Improving cable management
Correct answer: Reducing the attack surface
Disabling unused ports and services reduces the attack surface, limiting opportunities for attackers to find an entry point.
- A network access control (NAC) solution primarily ensures that:
- Only compliant, authenticated devices can connect to the network
- All traffic is encrypted
- Backups run nightly
- DNS is resolved faster
Correct answer: Only compliant, authenticated devices can connect to the network
NAC enforces policy by allowing only authenticated, posture-compliant devices onto the network and can quarantine noncompliant ones.
- Which protocol should replace Telnet, FTP, and other cleartext protocols to protect credentials in transit?
- SNMPv1
- ICMP
- HTTP
- Encrypted alternatives such as SSH and SFTP
Correct answer: Encrypted alternatives such as SSH and SFTP
Encrypted protocols like SSH and SFTP protect credentials and data in transit, unlike legacy cleartext protocols.
- What is the main purpose of placing a proxy server between internal users and the internet?
- To generate certificates
- To filter, log, and control outbound web requests
- To replace the router
- To assign IP addresses
Correct answer: To filter, log, and control outbound web requests
A forward proxy mediates outbound requests, enabling content filtering, logging, caching, and policy enforcement.
- A practitioner sets up an isolated network with intentionally vulnerable systems to lure and study attackers. This is a:
- DMZ
- Load balancer
- VLAN trunk
- Honeypot
Correct answer: Honeypot
A honeypot is a decoy system designed to attract attackers so their techniques can be observed and used to improve defenses.
- Which input validation flaw allows an attacker to insert malicious SQL into a query, potentially exposing or altering database data?
- Cross-site scripting
- Buffer overflow
- Clickjacking
- SQL injection
Correct answer: SQL injection
SQL injection occurs when untrusted input is incorporated into a SQL query, letting attackers manipulate or extract database data; parameterized queries prevent it.
- Which web vulnerability allows an attacker to inject malicious scripts that execute in other users' browsers?
- Race condition
- Cross-site scripting (XSS)
- SQL injection
- Buffer overflow
Correct answer: Cross-site scripting (XSS)
Cross-site scripting injects scripts into web pages viewed by others; output encoding and input validation mitigate it.
- What is the BEST defense against SQL injection?
- Hiding the database server
- Increasing server RAM
- Using parameterized queries / prepared statements with input validation
- Disabling logging
Correct answer: Using parameterized queries / prepared statements with input validation
Parameterized queries separate code from data so user input cannot alter query structure, effectively preventing SQL injection.
- A program writes more data to a buffer than it can hold, overwriting adjacent memory. This vulnerability is a:
- DNS poisoning
- Cross-site scripting
- Buffer overflow
- Phishing
Correct answer: Buffer overflow
A buffer overflow writes beyond allocated memory, potentially corrupting data or allowing code execution; bounds checking and safe functions mitigate it.
- Which malware type encrypts a victim's files and demands payment for the decryption key?
- Rootkit
- Adware
- Ransomware
- Worm
Correct answer: Ransomware
Ransomware encrypts data and extorts payment for decryption; reliable, tested offline backups are a key defense.
- Malware that self-replicates and spreads across networks without user interaction is a:
- Virus requiring a host file
- Trojan
- Worm
- Logic bomb
Correct answer: Worm
A worm self-propagates across networks without needing a host file or user action, unlike a virus or trojan.
- Software that appears legitimate but contains hidden malicious functionality is a:
- Trojan horse
- Worm
- Macro virus
- Boot sector virus
Correct answer: Trojan horse
A Trojan horse masquerades as benign software while carrying out malicious actions once executed.
- Malware designed to hide its presence and maintain privileged access by subverting the operating system is a:
Correct answer: Rootkit
A rootkit hides its presence and provides stealthy privileged access, often by modifying OS components, making detection difficult.
- What is the primary purpose of application whitelisting (allow-listing)?
- Permit only explicitly approved applications to run
- Block only known-bad files
- Encrypt application data
- Increase CPU speed
Correct answer: Permit only explicitly approved applications to run
Application allow-listing permits only approved executables to run, blocking unknown and unauthorized software by default.
- System hardening primarily aims to:
- Disable all security logging
- Reduce vulnerabilities by removing unnecessary services, accounts, and software
- Open additional ports
- Increase the number of services running
Correct answer: Reduce vulnerabilities by removing unnecessary services, accounts, and software
Hardening reduces the attack surface by disabling or removing unneeded services, default accounts, and software and applying secure configurations.
- Why is timely patch management important for endpoint security?
- It improves screen resolution
- It increases disk space
- It changes the OS theme
- It remediates known vulnerabilities before they are exploited
Correct answer: It remediates known vulnerabilities before they are exploited
Applying patches promptly closes known vulnerabilities, reducing the window in which attackers can exploit them.
- An endpoint solution that continuously monitors, detects, and responds to threats on hosts is known as:
- NAT
- EDR (Endpoint Detection and Response)
- DHCP
- DNS
Correct answer: EDR (Endpoint Detection and Response)
EDR continuously monitors endpoint activity to detect, investigate, and respond to threats beyond traditional signature antivirus.
- Which practice helps prevent insecure default configurations on newly deployed systems?
- Disabling all updates
- Applying a secure configuration baseline and changing default credentials
- Granting all users admin rights
- Leaving vendor defaults in place
Correct answer: Applying a secure configuration baseline and changing default credentials
Applying a hardened baseline and changing default credentials eliminates well-known weaknesses present in factory defaults.
- In a virtualized environment, what is 'VM escape'?
- Backing up a VM
- An attacker breaking out of a guest VM to access the host or other VMs
- Migrating a VM to another host
- A VM shutting down gracefully
Correct answer: An attacker breaking out of a guest VM to access the host or other VMs
VM escape is when malicious code breaks out of a guest virtual machine to compromise the hypervisor or other guests, undermining isolation.
- Which control best protects data on a lost or stolen laptop?
- A screensaver
- Full disk encryption
- A strong Wi-Fi password
- Disabling the firewall
Correct answer: Full disk encryption
Full disk encryption renders data unreadable without the key, protecting confidentiality if the device is lost or stolen.
- What is the security purpose of sandboxing an application?
- To disable its logging
- To grant it administrator rights
- To increase its network speed
- To isolate it so its actions cannot affect the rest of the system
Correct answer: To isolate it so its actions cannot affect the rest of the system
Sandboxing confines an application within an isolated environment so malicious or buggy behavior cannot harm the broader system.
- Which secure coding practice helps prevent injection and many input-based attacks?
- Disabling error handling
- Validating and sanitizing all input on the server side
- Trusting all client-side validation
- Hardcoding credentials
Correct answer: Validating and sanitizing all input on the server side
Server-side input validation and sanitization ensure untrusted data cannot manipulate application logic or queries.
- A code segment that executes a malicious action when a specific condition or date is met is a:
- Logic bomb
- Worm
- Macro
- Cookie
Correct answer: Logic bomb
A logic bomb lies dormant until a trigger condition is met, then executes its malicious payload.
- Which mobile device management capability is most important for protecting data on a lost corporate phone?
- Increasing screen brightness
- Disabling the camera flash
- Changing the wallpaper
- Remote wipe and enforced encryption
Correct answer: Remote wipe and enforced encryption
Remote wipe combined with enforced device encryption protects corporate data on lost or stolen mobile devices.
- What is the main security benefit of containerization (e.g., separating apps into containers)?
- Eliminating the need for patching
- Removing the need for access control
- Making all apps run as root
- Process and dependency isolation that limits the blast radius of a compromise
Correct answer: Process and dependency isolation that limits the blast radius of a compromise
Containers isolate applications and their dependencies, limiting how far a compromise can spread, though they still require patching and hardening.
- A user receives an email impersonating IT asking them to click a link and enter their password. This social engineering attack is:
- Buffer overflow
- Phishing
- SQL injection
- ARP poisoning
Correct answer: Phishing
Phishing uses deceptive messages to trick users into revealing credentials or clicking malicious links; user training and email filtering help defend against it.
- Which control verifies that downloaded software has not been tampered with before installation?
- Renaming the file
- Verifying a digital signature or cryptographic hash from the vendor
- Running it immediately as admin
- Checking the file's size only
Correct answer: Verifying a digital signature or cryptographic hash from the vendor
Verifying a vendor-provided digital signature or hash confirms the software's integrity and authenticity before installation.
- A defense-in-depth strategy for endpoint security is best described as:
- Granting users local admin to fix issues
- Relying on a single antivirus product
- Layering multiple controls so that if one fails, others still protect the system
- Disabling the OS firewall
Correct answer: Layering multiple controls so that if one fails, others still protect the system
Defense in depth layers multiple, overlapping controls so the failure of any single control does not lead to compromise.
- On the current ISC2 SSCP exam, a candidate must achieve what scaled score in order to pass?
- 75 percent of questions correct
- 700 out of 1000 points
- 800 out of 1000 points
- A raw score of 100 out of 125
Correct answer: 700 out of 1000 points
The SSCP passing score is a scaled 700 out of 1000 points. ISC2 converts raw performance into a standardized scaled score, so a candidate cannot simply count correct answers to know if they passed. A flat percentage such as 75 percent or a raw 100 of 125 does not describe the ISC2 scaled-scoring model, and the threshold is 700 rather than 800.
- How many scored and unscored items combined can appear on the current ISC2 SSCP examination, and how long is the testing window?
- Exactly 250 questions in a 4-hour window
- Up to 125 questions in a 2-hour window
- Exactly 100 questions in a 1-hour window
- Up to 175 questions in a 3-hour window
Correct answer: Up to 125 questions in a 2-hour window
The current SSCP exam is a computerized adaptive test containing up to 125 items and allows 2 hours to complete. ISC2 moved the SSCP to CAT format on October 1, 2025, with a variable 100-125 question range replacing the older 125-question linear structure. The other figures misstate either the item count or the time limit.
- The SSCP exam organizes its content into how many domains, and which two domains carry the highest weight at 16 percent each?
- Five domains, with Cryptography and Access Controls tied at 16 percent
- Eight domains, with Incident Response and Risk Analysis tied at 16 percent
- Seven domains, with Security Concepts and Practices and Network and Communications Security tied at 16 percent
- Six domains, with Systems Security and Cryptography tied at 16 percent
Correct answer: Seven domains, with Security Concepts and Practices and Network and Communications Security tied at 16 percent
The SSCP spans seven domains, and Security Concepts and Practices (Domain 1) and Network and Communications Security (Domain 6) are tied as the largest at 16 percent each. Cryptography is the lightest domain at 9 percent, while Access Controls, Risk Identification, and Systems and Application Security each carry 15 percent. The choices naming five, six, or eight domains misstate the structure of the exam outline.
- A trainer is explaining to a new analyst how ISC2 distinguishes the SSCP from the Security+ credential. Which characterization is most accurate?
- The SSCP is a vendor-neutral ISC2 practitioner credential typically pursued after foundational knowledge like Security+, with a recommended year of relevant experience
- Security+ is an advanced credential that requires holding the SSCP first
- The SSCP has no experience recommendation and is considered entry-level below Security+
- The SSCP and Security+ are the same exam offered by two different vendors
Correct answer: The SSCP is a vendor-neutral ISC2 practitioner credential typically pursued after foundational knowledge like Security+, with a recommended year of relevant experience
The SSCP is an ISC2 vendor-neutral practitioner certification that sits a step above a foundational credential like CompTIA Security+, and ISC2 requires at least one year of cumulative paid work experience in a tested domain. Security+ does not require the SSCP as a prerequisite, the two are separate exams from different organizations, and the SSCP is not below Security+ in rigor.
- An organization classifies the same dataset differently depending on whether it is sitting in a database, moving across the network, or loaded into application memory. These three conditions are best described as which set of data states?
- Data at rest, data in transit, and data in use
- Data public, data internal, and data restricted
- Data primary, data secondary, and data tertiary
- Data raw, data processed, and data archived
Correct answer: Data at rest, data in transit, and data in use
Information exists in three states the SSCP must protect: data at rest (stored), data in transit (moving over a network), and data in use (actively processed in memory). Each state calls for different controls, such as encryption at rest, TLS in transit, and memory protections in use. The other groupings describe sensitivity labels or processing stages, not the recognized states of data.
- A practitioner is asked to assign each information asset a sensitivity label so that handling, storage, and access requirements can be applied consistently. What is the primary purpose of this data classification activity?
- To guarantee that all data is encrypted with the same algorithm
- To match the level of protection and handling to the sensitivity and value of the information
- To reduce the total volume of data the organization stores
- To eliminate the need for access control on classified systems
Correct answer: To match the level of protection and handling to the sensitivity and value of the information
Data classification exists to align the strength of protection and handling rules with each asset's sensitivity and value, so high-value data receives stronger safeguards and routine data is not over-controlled. It does not by itself shrink data volume, mandate one uniform algorithm, or remove the need for access control; access decisions still depend on the assigned classification.
- After classifying data, an organization must assign someone who is accountable for deciding its classification level and approving who may access it. Which role holds this accountability?
- Data custodian
- End user
- Data owner
- System auditor
Correct answer: Data owner
The data owner is the role accountable for setting an asset's classification and approving access to it; ownership typically rests with a senior business manager responsible for the information. The data custodian implements and maintains the controls the owner specifies, the end user works within granted permissions, and the auditor independently reviews controls rather than owning classification decisions.
- In an information-handling program, who is the data custodian and what is their primary responsibility?
- The end user who consumes the data to perform a job task
- The regulator who audits the organization for compliance
- A technical role responsible for safeguarding data day to day by implementing the controls the owner specifies, such as backups and access settings
- The senior executive who decides the data's classification level
Correct answer: A technical role responsible for safeguarding data day to day by implementing the controls the owner specifies, such as backups and access settings
The data custodian is the hands-on technical caretaker who implements and maintains the protections defined by the data owner, including backups, storage, and configured access controls. The custodian does not decide classification; that authority belongs to the owner. Regulators and end users are separate roles that audit or consume data rather than maintain its controls.
- A security team hardens a new fleet of laptops by removing unnecessary services, closing unused ports, and disabling default accounts before deployment. This process of reducing a system's exposure to the minimum needed for its function is best described as which practice?
- Penetration testing
- Data classification
- System hardening to reduce the attack surface
- Quantitative risk analysis
Correct answer: System hardening to reduce the attack surface
Removing unnecessary services, ports, and default accounts to shrink what an attacker could target is system hardening, which reduces the attack surface. It is commonly applied against a documented baseline. Data classification labels information by sensitivity, penetration testing actively probes for weaknesses, and quantitative risk analysis assigns monetary values to risk, none of which describes locking down a system's configuration.
- A practitioner argues that an organization should never rely on keeping the design of its security controls secret as its main protective measure. Which principle best captures why hidden design alone is a weak strategy?
- Defense in depth means using exactly one strong layer
- Least privilege requires that all designs be public
- Separation of duties forbids documenting any control
- Security through obscurity is not a substitute for robust, independently verified controls
Correct answer: Security through obscurity is not a substitute for robust, independently verified controls
Relying on secrecy of design as the primary defense is security through obscurity, which is considered weak because protection collapses once the secret is discovered. Strong security instead uses controls that remain effective even when their design is known. Least privilege and separation of duties concern access, and defense in depth specifically calls for multiple layers, not a single one.
- When designing a defense-in-depth architecture, a practitioner deliberately combines administrative, technical, and physical controls rather than stacking several of the same kind. What is the main benefit of using diverse control types across the layers?
- It allows all layers to share one set of credentials
- A single class of weakness is less likely to defeat every layer at once
- It removes the need to monitor any individual layer
- It guarantees that no control will ever need maintenance
Correct answer: A single class of weakness is less likely to defeat every layer at once
Mixing administrative, technical, and physical controls in a defense-in-depth design means a flaw that bypasses one control class is unlikely to defeat the others, providing genuine redundancy. Layering identical controls would all share the same weakness. Diversity does not eliminate maintenance or monitoring needs, and sharing one credential set across layers would undermine the redundancy the strategy seeks.
- A change management process requires that every proposed production change first be submitted as a formal request for change (RFC) before it is reviewed or scheduled. What is the primary reason for requiring a documented RFC at the start of the lifecycle?
- To guarantee the change can never be rolled back
- To replace the need for testing the change
- To bypass the change advisory board for routine work
- To create a reviewable record so changes are assessed and authorized rather than made ad hoc
Correct answer: To create a reviewable record so changes are assessed and authorized rather than made ad hoc
A formal request for change starts the change management lifecycle by documenting what is proposed so it can be reviewed, risk-assessed, and authorized before implementation, preventing unauthorized or untracked changes. It does not eliminate rollback planning, skip the change advisory board, or remove testing; those remain later steps in a controlled change process.
- Before deploying an approved change to production, a mature change management process requires that a rollback or back-out plan be defined. What is the primary purpose of this rollback plan?
- To document who approved the change for the audit trail
- To restore the prior known-good state quickly if the change fails or causes problems
- To classify the data affected by the change
- To calculate the annualized loss expectancy of the change
Correct answer: To restore the prior known-good state quickly if the change fails or causes problems
A rollback or back-out plan exists so that if a deployed change fails or degrades the environment, operations can be returned to the prior known-good state quickly, limiting downtime and impact. Recording approvals, classifying data, and calculating loss expectancy are separate activities; none of them restores the system after a failed change.
- An organization institutes an emergency change procedure for urgent fixes, such as patching an actively exploited vulnerability outside the normal schedule. What distinguishes a properly governed emergency change from an unauthorized one?
- It can only be performed by end users, not administrators
- It permanently bypasses any review because it was urgent
- It is never recorded in the change log to save time
- It still follows an expedited approval and is documented and reviewed after the fact
Correct answer: It still follows an expedited approval and is documented and reviewed after the fact
A governed emergency change uses an expedited approval path and is still documented and reviewed retroactively, preserving accountability even under time pressure. Skipping all review or omitting it from the change log would make it an unauthorized change. Emergency changes are typically performed by qualified administrators, not restricted to end users.
- A security awareness program distinguishes between awareness, training, and education for different audiences. Which statement best describes the goal of general security awareness for the broad workforce?
- To teach administrators how to configure firewall rule sets
- To certify employees as professional penetration testers
- To replace the organization's written security policies
- To change everyday behavior by keeping security top of mind, such as recognizing phishing and reporting incidents
Correct answer: To change everyday behavior by keeping security top of mind, such as recognizing phishing and reporting incidents
General security awareness aims to shape everyday behavior and keep security front of mind for all staff, for example recognizing phishing attempts and knowing how to report a suspected incident. It is broader and shallower than role-based training, which teaches specific skills like firewall configuration. Awareness does not certify pentesters or replace written policy; it reinforces compliance with that policy.
- An organization wants to measure whether its security awareness program is actually working. Which approach gives the most direct, behavior-based evidence of effectiveness?
- Tracking metrics such as simulated-phishing click rates and incident-reporting rates over time
- Confirming the training budget was fully spent
- Verifying that training slides were uploaded to the portal
- Counting how many employees signed the acceptable use policy
Correct answer: Tracking metrics such as simulated-phishing click rates and incident-reporting rates over time
Behavior-based metrics like simulated-phishing click rates and how often employees report suspicious activity over time give the most direct evidence that awareness is changing behavior. Signing a policy, uploading slides, or spending a budget shows that activity occurred but does not measure whether the workforce actually behaves more securely as a result.
- Collaboration with physical security operations is a Domain 1 task. An organization defines progressively more controlled zones moving from a public lobby to a reception area to a secured server room. Implementing tiered physical zones with increasing controls is an example of applying which concept to the physical environment?
- Data classification
- Non-repudiation
- Defense in depth using layered physical security zones
- Quantitative risk assessment
Correct answer: Defense in depth using layered physical security zones
Defining successive zones with stronger controls as one moves toward sensitive areas applies defense in depth to physical security, so breaching the lobby does not grant access to the server room. Risk assessment measures exposure, data classification labels information, and non-repudiation proves who took an action; none of those describes layering physical access zones.
- A practitioner collaborating with physical security recommends environmental controls for a data center, including fire suppression, redundant cooling, and humidity monitoring. Which CIA objective do these environmental controls most directly support?
- Separation of duties
- Confidentiality
- Non-repudiation
- Availability
Correct answer: Availability
Fire suppression, redundant cooling, and humidity control protect equipment from environmental damage so systems keep running, which most directly supports availability. They are not aimed at preventing disclosure (confidentiality) or proving who did something (non-repudiation), and separation of duties is an access principle, not an environmental control.
- The ISC2 Code of Ethics is built on four mandatory canons that must be applied in a specific order of precedence when they appear to conflict. Which canon takes the highest precedence?
- Advance and protect the profession
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
Correct answer: Protect society, the common good, necessary public trust and confidence, and the infrastructure
The first and highest-precedence canon of the ISC2 Code of Ethics is to protect society, the common good, necessary public trust and confidence, and the infrastructure. ISC2 directs that the canons be applied in the order presented when they seem to conflict, so the duty to society outranks acting honorably, serving principals, and advancing the profession, which follow in sequence.
- An SSCP holder discovers that following a client's instructions would require concealing a serious safety vulnerability from the public. Applying the ISC2 Code of Ethics canon order of precedence, how should the practitioner resolve this conflict?
- Favor protecting society and the public over the duty to the client, because that canon ranks higher
- Always follow the client's instructions because the duty to principals is absolute
- Choose whichever option is least costly to the practitioner
- Resign immediately without taking any other action
Correct answer: Favor protecting society and the public over the duty to the client, because that canon ranks higher
Because the canons are applied in order of precedence, protecting society, public trust, and the infrastructure ranks above providing service to principals, so the practitioner must favor public safety over concealing the vulnerability for the client. The duty to principals is not absolute when it conflicts with the higher canon, and the resolution is guided by canon precedence rather than personal cost or automatic resignation.
- During the asset management lifecycle, a practitioner first establishes a complete, accurate inventory of hardware and software before any other security activity. Why is an accurate asset inventory considered foundational to the rest of the security program?
- It automatically encrypts every asset on the network
- You cannot protect, patch, or monitor assets you do not know you have
- It eliminates the need for data classification
- It replaces the requirement for change management
Correct answer: You cannot protect, patch, or monitor assets you do not know you have
An accurate inventory is foundational because unknown assets cannot be protected, patched, monitored, or properly retired, leaving blind spots an attacker can exploit. The inventory enables, rather than replaces, other disciplines: classification, change management, and encryption still must be applied to the assets it reveals. The inventory itself neither encrypts assets nor removes those requirements.
- When a portable hard drive containing internal but not highly sensitive data is being reassigned to another department within the same organization, which media sanitization action is the appropriate minimum before reuse?
- Physically shredding the drive into fragments
- Degaussing a solid-state drive to erase its flash memory
- Clearing the drive by overwriting it so data is not recoverable by standard means
- Simply deleting the visible files and reassigning it
Correct answer: Clearing the drive by overwriting it so data is not recoverable by standard means
For internal media being reused inside the organization, clearing by overwriting the drive so data cannot be recovered with standard tools is the appropriate, proportionate sanitization level. Physical shredding is reserved for higher-sensitivity media leaving organizational control and would needlessly destroy a reusable drive. Deleting visible files leaves data recoverable, and degaussing does not work on solid-state flash memory because it has no magnetic medium.
- An analyst maps the organization's controls to a recognized framework so that protection requirements are organized into a coherent program rather than applied piecemeal. Which best describes the role of a security control framework in this context?
- It provides a structured catalog of controls and a common language for selecting, implementing, and assessing them
- It is a marketing certification awarded to individual practitioners
- It is a legal contract that transfers all liability to a third party
- It is a tool that automatically remediates every vulnerability it finds
Correct answer: It provides a structured catalog of controls and a common language for selecting, implementing, and assessing them
A security control framework offers a structured catalog of controls and a shared vocabulary for selecting, implementing, and assessing safeguards, helping an organization build a coherent program and demonstrate due care. It is not a liability-transferring contract, an automated remediation engine, or a personal certification; those are different mechanisms entirely.
- A hospital wants to simplify permission management by grouping users such as 'Nurse,' 'Pharmacist,' and 'Billing Clerk' and assigning permissions to each group rather than to individuals. New hires automatically inherit the rights of whichever group they belong to. Which access control model does this describe?
- Mandatory access control (MAC)
- Attribute-based access control (ABAC)
- Discretionary access control (DAC)
- Role-based access control (RBAC)
Correct answer: Role-based access control (RBAC)
Role-based access control (RBAC) assigns permissions to job-function roles, and users inherit those permissions by being placed in a role. Because access follows the role rather than the individual, onboarding and offboarding become a matter of adding or removing a user from a role, which scales well and reduces administrative error. DAC would have each resource owner grant rights individually, and MAC would use clearance labels set by a central authority.
- An employee logs into the corporate portal once in the morning and is then able to open the email system, the HR application, and the expense tool throughout the day without typing credentials again. From a practitioner's standpoint, what is the primary security trade-off introduced by this single sign-on arrangement?
- A compromise of the single set of credentials can expose every connected application
- It prevents the use of multifactor authentication entirely
- It weakens encryption of data in transit between applications
- It forces each application to maintain its own separate password database
Correct answer: A compromise of the single set of credentials can expose every connected application
Single sign-on (SSO) lets a user authenticate once and reach many connected applications without re-entering credentials, which improves usability and reduces password fatigue. The key trade-off is concentration of risk: if that one credential is phished or stolen, the attacker can reach everything the user could, so SSO is typically paired with strong multifactor authentication. SSO does not disable MFA, and it actually centralizes rather than fragments credential storage.
- A practitioner is asked to define multifactor authentication for a new policy. Which login combination genuinely satisfies multifactor authentication?
- A PIN plus a one-time passcode emailed to the same account being protected
- A password plus a fingerprint scan
- Two different passwords entered on two screens
- A password followed by a security question the user set up
Correct answer: A password plus a fingerprint scan
A password combined with a fingerprint scan is true multifactor authentication because it draws on two distinct factor categories: something you know and something you are. Multifactor authentication requires factors from different categories, not merely two items; a password and a security question are both 'something you know,' and two passwords are likewise the same factor type, so neither qualifies. Emailing a code to the protected account also collapses the factors onto one credential.
- A new finance system uses a rule that evaluates the requesting user's department, the sensitivity label of the file, the time of day, and whether the device is corporate-managed before granting access. No fixed roles are assigned; decisions are computed dynamically from these characteristics. Which access control model is in use?
- Attribute-based access control (ABAC)
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
Correct answer: Attribute-based access control (ABAC)
Attribute-based access control (ABAC) grants or denies a request by evaluating attributes of the subject, the object, and the environment against a policy, exactly as the scenario describes. NIST SP 800-162 defines ABAC this way and notes it scales without pre-assigning every subject, because new users gain access simply by having the right attributes. RBAC would require predefined roles, and DAC would leave the decision to the file owner.
- In a strict mandatory access control (MAC) system, a user holds a 'Secret' clearance and tries to open a document labeled 'Top Secret.' What determines whether access is granted?
- A dynamic evaluation of the user's location and device
- The system policy comparing the user's clearance against the object's classification label
- The user's membership in an administrative role
- The document owner's discretion to share it
Correct answer: The system policy comparing the user's clearance against the object's classification label
In mandatory access control (MAC), access is decided by the system comparing the subject's clearance to the object's security label according to a central policy; the user's clearance must dominate the label. Because the authority enforcing the labels is the organization, not the file owner, individual users cannot override the decision or share the file at their discretion. That owner-driven sharing describes DAC, while role membership describes RBAC and dynamic attribute evaluation describes ABAC.
- On a Windows file server, the owner of a shared folder right-clicks it and adds a coworker to the permissions list, granting read access on their own authority. Which access control model governs this behavior?
- Attribute-based access control (ABAC)
- Rule-based access control
- Mandatory access control (MAC)
- Discretionary access control (DAC)
Correct answer: Discretionary access control (DAC)
Discretionary access control (DAC) lets the owner of a resource decide, at their own discretion, who else may access it, typically by editing an access control list. The defining trait is that control rests with the data owner rather than a central authority. MAC would prevent the owner from overriding label-based policy, and ABAC would compute access from attributes rather than an owner-maintained list.
- A practitioner is comparing discretionary access control (DAC) with mandatory access control (MAC) for a classified environment. Which statement correctly captures the core difference?
- DAC is used only for physical access and MAC only for network access
- Both rely entirely on job roles to assign permissions
- In DAC the resource owner decides access, while in MAC a central authority enforces access using security labels
- In DAC a central authority enforces labels, while in MAC the owner decides access
Correct answer: In DAC the resource owner decides access, while in MAC a central authority enforces access using security labels
The distinction between DAC and MAC is who controls access: under DAC the resource owner grants and revokes rights at will, whereas under MAC a central authority assigns clearances and classification labels that the system enforces, leaving no owner discretion. This makes MAC stronger for highly sensitive or classified data because users cannot loosen protections. Neither model is defined by roles or by physical-versus-network scope.
- A practitioner must recommend an access model for a fast-growing company that wants administration to scale as employees move between departments, without rewriting individual permissions each time. Comparing MAC, DAC, and RBAC, which choice best fits and why?
- RBAC, because permissions are tied to roles so moving a user between roles updates their access
- DAC, because permissions follow job functions automatically
- MAC, because it requires no central administration
- MAC, because owners can freely share resources
Correct answer: RBAC, because permissions are tied to roles so moving a user between roles updates their access
RBAC is the best fit because permissions are attached to roles, so when an employee changes departments the administrator simply reassigns the role and access updates consistently, which scales far better than per-user edits. MAC centers on clearance labels enforced by a central authority and is not driven by job function, while DAC leaves owners to grant access individually, which does not scale and is prone to privilege creep. The descriptions pairing MAC with owner sharing or no administration are inaccurate.
- Leadership asks a practitioner to define identity and access management (IAM) for the security program. Which description most accurately states what IAM encompasses?
- A method for encrypting data at rest on file servers
- Only the firewall rules that filter inbound network traffic
- The framework of policies and technologies that ensures the right identities have appropriate access to resources across their lifecycle
- A backup scheduling system for disaster recovery
Correct answer: The framework of policies and technologies that ensures the right identities have appropriate access to resources across their lifecycle
Identity and access management (IAM) is the framework of policies, processes, and technologies that ensures the right individuals and systems obtain appropriate access to resources, governing the full identity lifecycle of provisioning, management, and deprovisioning. It spans identification, authentication, authorization, and accountability rather than any single technology. Firewall filtering, encryption at rest, and backup scheduling are separate functions outside the definition of IAM.
- Two organizations want users from one company to access an application hosted by the other without creating duplicate accounts. The home organization's identity provider issues a signed assertion that the application's service provider trusts. What is this arrangement called?
- Privilege escalation
- Mandatory access control
- Local account provisioning
- Federated identity (federation)
Correct answer: Federated identity (federation)
Federated identity establishes a trust relationship between an identity provider and one or more service providers so that an authentication performed at the home organization is accepted elsewhere, avoiding duplicate accounts. Standards such as SAML and OpenID Connect carry the signed assertions that make this trust work. Privilege escalation is an attack outcome, MAC is an access model, and local provisioning would create the very duplicate accounts federation avoids.
- A web and mobile application needs to let a user grant a third-party app limited access to their data without sharing their password. Which framework is purpose-built for this delegated authorization?
- RADIUS
- LDAP
- OAuth 2.0
- Kerberos
Correct answer: OAuth 2.0
OAuth 2.0 is an authorization framework that issues access tokens so a third-party application can act on a user's behalf with scoped, limited permissions and without ever receiving the user's password. It is distinct from authentication: OpenID Connect layers identity on top of OAuth 2.0 when login is also needed. RADIUS and Kerberos handle network and enterprise authentication, and LDAP is a directory protocol, none of which provide delegated third-party authorization.
- A practitioner is documenting the four pillars of access control, often abbreviated as the components that make up AAA plus identification. Which component ensures that actions can be traced back to a specific individual after the fact?
- Authentication
- Authorization
- Accountability
- Identification
Correct answer: Accountability
Accountability ties recorded actions to a uniquely identified individual, typically through logging and audit trails, so behavior can be reconstructed and attributed after an event. Identification merely asserts a claimed identity, authentication proves that claim, and authorization decides what the proven identity may do; accountability is what makes non-repudiation and auditing possible. This is why shared accounts undermine accountability, since actions cannot be traced to one person.
- A company is moving to a model where no user or device is trusted by default, and every access request is verified explicitly regardless of whether it originates inside or outside the corporate network. Which approach does this describe?
- Zero trust
- Implicit trust perimeter
- Single sign-on
- Discretionary access control
Correct answer: Zero trust
Zero trust assumes no implicit trust based on network location and requires every request to be authenticated, authorized, and continuously validated, embodying the principle 'never trust, always verify.' It replaces the old perimeter model that trusted anything inside the corporate network. DAC concerns owner-granted permissions and SSO concerns authenticating once across apps; neither defines the trust posture that zero trust establishes.
- A practitioner reviewing network architecture is asked, 'what is a DMZ in networking,' in the context of where to place internet-facing servers. Which description is correct?
- An encrypted partition on a server's hard drive
- A fully isolated network segment with no connectivity to any other zone
- A perimeter network segment that hosts public-facing services and sits between the untrusted internet and the trusted internal network
- A virtual private network tunnel used by remote employees
Correct answer: A perimeter network segment that hosts public-facing services and sits between the untrusted internet and the trusted internal network
A demilitarized zone (DMZ) is a screened perimeter network segment that hosts internet-facing services such as web, mail, or DNS servers, placed between the untrusted internet and the trusted internal network so that a compromise of a public server does not directly expose internal systems. From a network segmentation perspective it enforces a boundary that limits how outside traffic can reach internal resources. It is neither a fully isolated island, a VPN tunnel, nor a disk encryption feature.
- An identity platform watches a user's typical sign-in patterns and, when a login arrives from an unusual country on an unrecognized device, it steps up the requirement by prompting for an additional factor. What is this technique called?
- Static single-factor authentication
- Adaptive (risk-based) authentication
- Mandatory access control
- Implicit deny
Correct answer: Adaptive (risk-based) authentication
Adaptive or risk-based authentication adjusts the strength of verification according to the assessed risk of a request, prompting for additional factors when context such as a new location or device looks anomalous. The 2024 SSCP Access Controls domain explicitly includes adaptive authentication and behavioral biometrics for detecting unusual access in real time. Implicit deny is a default-deny posture, static single-factor never changes its demand, and MAC is a label-based access model.
- A practitioner provisions a contractor's account so that elevated administrative rights are granted only at the moment a task requires them and are automatically revoked afterward, rather than standing permanently. Which practice best reduces the attack surface from excessive standing privileges?
- Just-in-time (JIT) privileged access
- Permanent role assignment
- Shared administrator accounts
- Disabling all logging for admin sessions
Correct answer: Just-in-time (JIT) privileged access
Just-in-time (JIT) privileged access grants elevated rights only for the limited window a task needs and removes them afterward, shrinking the period during which a compromised account holds admin power. It directly supports least privilege by eliminating always-on standing privileges. Permanent assignments and shared admin accounts enlarge the attack surface and undermine accountability, and disabling logging would destroy the audit trail rather than reduce risk.
- A smart card stores a private key and must be physically inserted into a reader, while the user also enters a PIN to unlock the card. Categorizing these by authentication factor type, which pairing is correct?
- Both the smart card and the PIN are something you have
- The smart card is something you know and the PIN is something you are
- The smart card is something you are and the PIN is something you have
- The smart card is something you have and the PIN is something you know
Correct answer: The smart card is something you have and the PIN is something you know
A smart card is a 'something you have' (possession) factor because the user must physically present the token, while the PIN that unlocks it is a 'something you know' (knowledge) factor. Combining the two yields multifactor authentication from two distinct categories, which is why a stolen card alone cannot be used without the PIN. A PIN is never a biometric, and a card is not a knowledge factor.
- A new employee's manager submits a request, and the IAM system automatically creates the account, assigns role memberships, and enables access to the systems the role requires on the first day. Which stage of the identity lifecycle does this represent?
- Provisioning
- Recertification
- Privilege escalation
- Deprovisioning
Correct answer: Provisioning
Provisioning is the identity lifecycle stage where an account is created and granted the access appropriate to the user's role, ideally automated and tied to an authoritative source such as HR. It is the front end of the lifecycle that later includes ongoing management, periodic recertification, and eventual deprovisioning when access is no longer needed. Recertification reviews existing access, and privilege escalation describes gaining rights beyond what was authorized.
- A security team maintains a central document that lists each identified risk along with its description, likelihood, impact, assigned owner, current treatment, and status. What is this artifact called?
- A configuration management database
- A risk register
- A network baseline
- A penetration test report
Correct answer: A risk register
A risk register is the central record that catalogs each identified risk with details such as its description, likelihood, impact, owner, chosen treatment, and current status. It is the working tool that lets practitioners track and prioritize risks over time and report on them to management. A configuration management database inventories assets and their settings, not risk decisions, and a penetration test report documents a single assessment rather than the ongoing list of organizational risks.
- A vulnerability assessment and a penetration test are both used to evaluate security weaknesses. What primarily distinguishes a penetration test from a vulnerability assessment?
- A penetration test scans for missing patches, while a vulnerability assessment encrypts sensitive data
- A vulnerability assessment is performed only by external attackers, while a penetration test is performed only by internal staff
- A penetration test actively attempts to exploit weaknesses to demonstrate real-world impact, while a vulnerability assessment identifies and catalogs weaknesses without exploiting them
- A vulnerability assessment is always automated, while a penetration test never uses any tools
Correct answer: A penetration test actively attempts to exploit weaknesses to demonstrate real-world impact, while a vulnerability assessment identifies and catalogs weaknesses without exploiting them
The key difference is that a penetration test actively attempts to exploit discovered weaknesses to prove real-world impact, whereas a vulnerability assessment identifies, classifies, and reports weaknesses without trying to exploit them. A vulnerability assessment answers what could be wrong, while a penetration test answers what an attacker could actually achieve. Both may use automated tools, so tool usage is not the distinguishing factor.
- Management asks a practitioner to perform a vulnerability assessment of a new application server. Which activity best describes what a vulnerability assessment is?
- A legal contract that transfers breach liability to a third party
- A real-time alerting service that blocks malicious network traffic
- The encryption of data at rest to protect it from disclosure
- A systematic process of identifying, classifying, and prioritizing security weaknesses in a system, typically without exploiting them
Correct answer: A systematic process of identifying, classifying, and prioritizing security weaknesses in a system, typically without exploiting them
A vulnerability assessment is a systematic process of identifying, classifying, and prioritizing security weaknesses in a system or network, generally without exploiting them. Its goal is to produce an actionable inventory of weaknesses ranked by severity so they can be remediated. Transferring liability is a risk-treatment option, and encryption or traffic blocking are controls rather than assessment activities.
- An organization wants to maintain ongoing awareness of its security posture rather than relying on periodic point-in-time audits. Which approach best meets this goal?
- A single annual penetration test scheduled each January
- Disabling logging to reduce noise and storage costs
- Continuous monitoring, which provides ongoing collection and analysis of security information to maintain awareness of vulnerabilities and threats
- Transferring all risk to a cyber insurance provider
Correct answer: Continuous monitoring, which provides ongoing collection and analysis of security information to maintain awareness of vulnerabilities and threats
Continuous monitoring is the ongoing collection, analysis, and reporting of security-relevant information to maintain current awareness of an organization's vulnerabilities, threats, and overall security posture. Unlike a once-a-year test, it supports near-real-time detection and informed risk decisions. Disabling logging would eliminate the data needed for awareness, and insurance addresses financial impact rather than visibility.
- A CVSS base score of 8.4 has been assigned to a newly disclosed vulnerability. Using the standard CVSS qualitative severity ranges, what severity rating does this score map to?
Correct answer: High
A CVSS base score of 8.4 falls in the High range, which spans 7.0 to 8.9. The standard qualitative bands are Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). A score must reach 9.0 to be rated Critical, so 8.4 is High rather than Critical.
- A practitioner wants to classify the specific behaviors an adversary used during an intrusion using a globally recognized knowledge base of tactics and techniques drawn from real-world observations. Which resource is designed for this?
- The CVSS calculator
- The CVE list
- The risk register
- The MITRE ATT&CK framework
Correct answer: The MITRE ATT&CK framework
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, organized so analysts can map and describe how attackers operate. Tactics represent an adversary's goals (such as Initial Access or Exfiltration) and techniques are the methods used to achieve them. CVSS scores severity and CVE catalogs individual vulnerabilities, but neither describes adversary behavior the way ATT&CK does.
- In quantitative risk analysis, what does Single Loss Expectancy (SLE) represent?
- The percentage of an organization's budget allocated to security controls
- The number of times a threat is expected to occur in one year
- The total yearly loss expected from a threat across all occurrences
- The monetary loss expected from a single occurrence of a specific threat against an asset
Correct answer: The monetary loss expected from a single occurrence of a specific threat against an asset
Single Loss Expectancy is the monetary loss expected from one occurrence of a particular threat affecting a specific asset, calculated as asset value multiplied by the exposure factor. It measures the impact of a single event, not how often the event happens. The expected number of occurrences per year is the annualized rate of occurrence, and the yearly total is the annualized loss expectancy.
- A practitioner knows that a server outage causes a Single Loss Expectancy of $10,000 and that the outage is expected to happen twice per year. How should Annualized Loss Expectancy (ALE) be calculated?
- Multiply the Single Loss Expectancy by the Annualized Rate of Occurrence, giving $20,000
- Add the Single Loss Expectancy to the Annualized Rate of Occurrence, giving $10,002
- Multiply the asset value by the exposure factor, giving $10,000
- Divide the Single Loss Expectancy by the Annualized Rate of Occurrence, giving $5,000
Correct answer: Multiply the Single Loss Expectancy by the Annualized Rate of Occurrence, giving $20,000
Annualized Loss Expectancy is calculated by multiplying the Single Loss Expectancy by the Annualized Rate of Occurrence (ALE = SLE x ARO). With an SLE of $10,000 and an ARO of 2, the ALE is $20,000. Adding or dividing the values does not reflect the expected total yearly loss, and multiplying asset value by exposure factor yields the SLE, an earlier step in the process.
- A board states that the company is willing to accept a moderate level of cyber risk overall to enable digital transformation, while a department manager sets a rule that no single incident may cause more than four hours of customer-facing downtime. Which terms correctly describe these two statements?
- The board's statement is risk tolerance, and the manager's limit is risk appetite
- Both statements describe residual risk
- Both statements describe risk transference
- The board's broad statement is risk appetite, and the manager's specific limit is risk tolerance
Correct answer: The board's broad statement is risk appetite, and the manager's specific limit is risk tolerance
Risk appetite is the broad, organization-wide amount and type of risk an entity is willing to accept in pursuit of its objectives, so the board's general willingness to accept moderate cyber risk is risk appetite. Risk tolerance is the specific, measurable boundary applied at a process or project level, so the four-hour downtime limit is risk tolerance. The terms are not interchangeable: appetite is strategic and broad, tolerance is operational and quantifiable.
- An organization decides to discontinue a feature entirely because the security risk it introduces is unacceptable and cannot be reduced to an acceptable level. How does this risk response differ from risk mitigation?
- Risk avoidance and risk mitigation are two names for the same response
- Risk avoidance applies controls to reduce likelihood, while risk mitigation eliminates the activity entirely
- Risk avoidance transfers the risk to an insurer, while risk mitigation accepts the risk as-is
- Risk avoidance eliminates the risk by not engaging in the activity, while risk mitigation reduces the risk by applying controls while still performing the activity
Correct answer: Risk avoidance eliminates the risk by not engaging in the activity, while risk mitigation reduces the risk by applying controls while still performing the activity
Risk avoidance eliminates a risk by not undertaking the activity that creates it, whereas risk mitigation reduces the likelihood or impact of a risk by applying controls while still performing the activity. Discontinuing the feature removes the exposure entirely, which is avoidance. Mitigation would instead keep the feature and add safeguards, and neither response is the same as transferring risk to an insurer.
- During risk analysis, a practitioner multiplies an asset's value by the exposure factor for a given threat. Which value does this calculation produce?
- Single Loss Expectancy
- Annualized Loss Expectancy
- Annualized Rate of Occurrence
- Residual risk
Correct answer: Single Loss Expectancy
Multiplying asset value by the exposure factor produces the Single Loss Expectancy, the expected monetary loss from one occurrence of the threat. The exposure factor is the percentage of the asset's value lost in a single event. Annualized Loss Expectancy requires also multiplying by the annualized rate of occurrence, so it is a later step.
- A practitioner receives a list of indicators of compromise (IOCs) from an industry threat intelligence feed. What is the primary value of sharing and consuming IOCs for risk monitoring?
- They guarantee that an organization will never experience a security incident
- They replace the need to patch vulnerabilities by encrypting affected systems
- They assign a 0 to 10 severity score to each vulnerability
- They provide observable artifacts, such as malicious IP addresses or file hashes, that help detect or confirm that a known threat is present in an environment
Correct answer: They provide observable artifacts, such as malicious IP addresses or file hashes, that help detect or confirm that a known threat is present in an environment
Indicators of compromise are observable artifacts such as malicious IP addresses, domain names, file hashes, or registry keys that signal a known threat may be present, so sharing and consuming them improves detection and confirmation during monitoring. They support faster identification of attacks others have already seen. They do not replace patching, prevent all incidents, or assign severity scores, which is the role of CVSS.
- A practitioner is reviewing a vulnerability and wants to understand the assumptions behind its severity. The CVSS base score reflects which characteristics of a vulnerability?
- Only the financial cost of remediation for a specific company
- The likelihood that an organization will buy cyber insurance
- The intrinsic qualities of the vulnerability that are constant over time and across environments, such as attack vector, complexity, and impact
- The exact date the vulnerability will be exploited
Correct answer: The intrinsic qualities of the vulnerability that are constant over time and across environments, such as attack vector, complexity, and impact
The CVSS base score captures the intrinsic characteristics of a vulnerability that remain constant over time and across environments, including factors like attack vector, attack complexity, privileges required, and the impact to confidentiality, integrity, and availability. Temporal and environmental metric groups exist separately to adjust for changing conditions and an organization's specific context. The base score does not represent remediation cost, insurance decisions, or a predicted exploitation date.
- A practitioner notices that a vulnerability scanner can authenticate to target hosts using valid credentials during a scan. What is the main advantage of running a credentialed (authenticated) vulnerability scan instead of an unauthenticated one?
- It exploits each vulnerability to confirm it is real
- It can inspect installed software, patch levels, and configurations from inside the host, producing more accurate and complete results with fewer false positives
- It guarantees zero impact on network bandwidth during the scan
- It eliminates the need to maintain a risk register
Correct answer: It can inspect installed software, patch levels, and configurations from inside the host, producing more accurate and complete results with fewer false positives
A credentialed scan logs into the target with valid credentials, allowing it to inspect installed software, patch levels, and local configurations from the inside, which yields more accurate and complete findings with fewer false positives than an unauthenticated scan that can only observe the host externally. It does not exploit vulnerabilities, which is the role of a penetration test, and it still consumes network resources and does not replace risk tracking artifacts.
- A manager asks why the security team correlates events from firewalls, servers, and endpoint tools rather than reviewing each log source separately. What is the primary analytical benefit of event correlation in security monitoring?
- It assigns each event a CVSS base score automatically
- It permanently deletes logs to save storage space
- It replaces the need for a behavioral baseline
- Combining and relating events from multiple sources can reveal multi-step attack patterns that are not visible in any single log on its own
Correct answer: Combining and relating events from multiple sources can reveal multi-step attack patterns that are not visible in any single log on its own
Event correlation combines and relates activity from many sources so that multi-step attack patterns, which would appear as isolated or benign events in any single log, become visible as a coordinated sequence. This improves detection of genuine incidents and reduces noise. Correlation does not delete logs, assign CVSS scores, or remove the need for a baseline that defines what normal activity looks like.
- A help desk technician notices repeated failed logins on an executive account but is unsure whether it qualifies as a security incident. According to a standard incident response lifecycle, what should happen next?
- Wait until the next quarterly review to assess the pattern
- Immediately rebuild the executive's workstation from a clean image
- Begin eradication by deleting the executive's account
- Escalate the event to the incident response team for triage and classification
Correct answer: Escalate the event to the incident response team for triage and classification
Escalating the event to the incident response team for triage and classification is the correct action. During the detection and analysis phase, frontline staff escalate suspicious events so trained responders can determine whether a true incident exists and assign severity. Rebuilding or deleting the account jumps to recovery or eradication before the incident has even been confirmed and scoped.
- An organization wants to understand the difference between RTO and RPO when planning recovery. Which statement correctly contrasts the two?
- RTO and RPO both measure acceptable downtime but for different systems
- RTO measures acceptable data loss; RPO measures acceptable downtime
- RTO applies only to backups; RPO applies only to hardware
- RTO measures acceptable downtime to restore a service; RPO measures acceptable data loss before the disruption
Correct answer: RTO measures acceptable downtime to restore a service; RPO measures acceptable data loss before the disruption
RTO measures acceptable downtime to restore a service, while RPO measures acceptable data loss expressed as a time window before the disruption. The Recovery Time Objective answers how quickly a system must be back online, while the Recovery Point Objective answers how much data can be lost and therefore how often backups must run. Swapping these two definitions is the most common mistake on this topic.
- A practitioner is asked, in plain terms, what digital forensics is. Which description is most accurate?
- The automated patching of vulnerable systems after a scan
- The structured identification, collection, preservation, and analysis of digital evidence in a defensible manner
- The encryption of data at rest to prevent unauthorized disclosure
- The real-time blocking of malicious network traffic at a firewall
Correct answer: The structured identification, collection, preservation, and analysis of digital evidence in a defensible manner
Digital forensics is the structured identification, collection, preservation, and analysis of digital evidence in a defensible manner. The goal is to recover and examine data so that findings can withstand scrutiny, including in legal proceedings. Firewalling, patching, and encryption are protective or operational controls, not the investigative discipline of forensics.
- In one sentence, what is chain of custody in an investigation?
- The encryption key hierarchy used to protect evidence files
- A chronological record documenting every person who handled a piece of evidence and what they did with it
- A list of all employees authorized to access a building
- The order in which volatile data must be collected from a system
Correct answer: A chronological record documenting every person who handled a piece of evidence and what they did with it
Chain of custody is a chronological record documenting every person who handled a piece of evidence and what they did with it. By tracking each transfer, time, and action from collection to court, it proves the evidence was not altered and preserves its admissibility. The order of collecting volatile data is a separate concept called the order of volatility.
- A company can keep operating during a regional power outage but its data center is offline. Which statement best captures the difference between a business continuity plan and a disaster recovery plan?
- The BCP keeps the overall business functioning during a disruption; the DRP focuses on restoring IT systems and data
- The BCP restores IT systems; the DRP keeps the business running
- The DRP applies only to natural disasters; the BCP applies only to cyberattacks
- They are two names for the same document
Correct answer: The BCP keeps the overall business functioning during a disruption; the DRP focuses on restoring IT systems and data
The business continuity plan keeps the overall business functioning during a disruption, while the disaster recovery plan focuses on restoring IT systems and data. BCP is the broad, organization-wide plan covering people, facilities, and processes; DRP is a subset concerned specifically with recovering technology. Neither is limited to a single category of cause.
- A practitioner is summarizing the incident response lifecycle for new analysts. Which sequence reflects the commonly taught phases?
- Preparation, Detection and Analysis, Containment, Eradication, Recovery, Lessons Learned
- Detection, Preparation, Recovery, Containment, Eradication, Lessons Learned
- Containment, Eradication, Recovery, Detection, Preparation, Lessons Learned
- Preparation, Recovery, Detection, Eradication, Containment, Lessons Learned
Correct answer: Preparation, Detection and Analysis, Containment, Eradication, Recovery, Lessons Learned
The commonly taught incident response lifecycle runs Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Lessons Learned — the six-phase model widely used in SSCP and CISSP training materials. This is derived from the NIST SP 800-61r2 structure; the SSCP Domain 4 exam outline specifically calls the second phase 'Detection, Analysis, and Escalation,' making escalation explicit. The other orderings place reactive phases before preparation or detection, which breaks the logical flow.
- After containing a ransomware infection, the response team rebuilds servers but the malware returns within a day. Which incident response activity was most likely performed inadequately?
- Detection, because the incident was never identified
- Preparation, because no plan existed
- Lessons learned, because no review was held
- Eradication, because the root cause and persistence mechanisms were not fully removed
Correct answer: Eradication, because the root cause and persistence mechanisms were not fully removed
Eradication was most likely performed inadequately, because the root cause and persistence mechanisms were not fully removed. If backdoors, scheduled tasks, or compromised accounts survive, the threat reappears even after systems are rebuilt. The incident was clearly detected and contained, so the failure lies in incomplete removal of the attacker's foothold.
- A recovery site has servers, network equipment, and software pre-installed but its data must be restored from the most recent backup before it can take over. Which type of site is this?
- Hot site
- Mobile site
- Cold site
- Warm site
Correct answer: Warm site
This is a warm site, which has hardware, network, and software in place but lacks fully current data, requiring a restore before cutover. It sits between a hot site — ready almost immediately with live or near-live data — and a cold site, which provides only space and utilities. The need to restore backups before going live is the defining trait of a warm site.
- An organization sets its RPO for a customer database at four hours. What is the most direct operational consequence of this objective?
- The database must be encrypted using a four-hour key rotation
- Systems must be fully restored within four hours of an outage
- Staff must respond to alerts within four hours
- Backups or replication must capture changes at least every four hours
Correct answer: Backups or replication must capture changes at least every four hours
A four-hour RPO means backups or replication must capture changes at least every four hours. The Recovery Point Objective caps how much data the business can afford to lose, which dictates backup or replication frequency. Restoring within a set time is governed by the Recovery Time Objective, a different metric.
- During evidence handling, a practitioner photographs a running laptop's screen, then captures its memory before powering it down. Which principle drives capturing memory before shutting down?
- Separation of duties
- Chain of custody
- Least privilege
- Order of volatility
Correct answer: Order of volatility
The order of volatility drives capturing memory before shutting the system down. Volatile data such as RAM and running processes is lost when power is removed, so it must be collected before less volatile sources like disk and backups. Chain of custody governs documenting who handles the evidence, not the sequence in which it is acquired.
- A disaster recovery team performs an exercise in which members talk through their response steps in a conference room without touching production systems. What type of test is this?
- Parallel test
- Simulation with live failover
- Full interruption test
- Tabletop (walkthrough) exercise
Correct answer: Tabletop (walkthrough) exercise
This is a tabletop (walkthrough) exercise, in which participants discuss their roles and decisions against a scenario without affecting live systems. It is low risk and useful for validating plans and communication. A parallel test brings up recovery systems alongside production, and a full interruption test actually shifts operations to the recovery site, both carrying far more operational risk.
- A practitioner must decide which contact and notification details belong in the incident response plan versus the playbook. Which item belongs in the broader incident response plan?
- The overall escalation and communication structure, including who has authority to declare an incident
- The registry keys a particular trojan modifies
- The exact command to isolate a specific server brand
- The hash value of a known malware sample
Correct answer: The overall escalation and communication structure, including who has authority to declare an incident
The overall escalation and communication structure, including who has authority to declare an incident, belongs in the incident response plan. The plan defines roles, responsibilities, and high-level process, while playbooks contain the granular, threat-specific technical steps such as commands, indicators, and registry keys. Keeping strategy in the plan and tactics in playbooks keeps both usable.
- After recovering systems following an intrusion, the team monitors them closely for several days before declaring the incident closed. What is the primary reason for this monitoring period?
- To confirm the threat has been fully removed and systems are operating normally
- To satisfy backup retention requirements
- To allow time for the cyber insurance claim to process
- To finish writing the lessons learned report
Correct answer: To confirm the threat has been fully removed and systems are operating normally
The monitoring period exists to confirm the threat has been fully removed and systems are operating normally. Heightened observation after recovery catches reinfection, residual attacker activity, or instability before the organization returns to business as usual. The lessons learned review and insurance claims are separate activities that do not justify the technical watch period.
- An organization implements redundant power supplies, clustered servers, and a secondary internet circuit. Which recovery objective do these measures most directly support?
- Lengthening the data retention period
- Reducing the recovery time objective by minimizing or avoiding downtime
- Increasing the exposure factor of critical assets
- Reducing the false acceptance rate of authentication
Correct answer: Reducing the recovery time objective by minimizing or avoiding downtime
Redundancy such as dual power, clustering, and a backup circuit most directly supports reducing the recovery time objective by minimizing or avoiding downtime. By eliminating single points of failure, these measures keep services available or restore them almost instantly, shrinking the time needed to recover. They do not relate to biometric error rates, exposure factors, or retention periods.
- A retailer must restore from backups after corruption. The team has the last full backup plus several incremental backups taken each night since. To fully restore, what must they apply?
- Only the full backup
- Only the most recent incremental backup
- The full backup, then just the most recent incremental backup
- The full backup, then every incremental backup in order
Correct answer: The full backup, then every incremental backup in order
To fully restore with incremental backups, the team must apply the full backup, then every incremental backup in order. Each incremental captures only the changes since the previous backup of any type, so all of them are needed to rebuild the complete data set. Applying just the latest incremental, as would suffice with a differential scheme, would leave most changes missing.
- A team must encrypt a 50 GB nightly database export and also needs an efficient way to share the protected key with a partner who is online only briefly. Why is it common to combine symmetric and asymmetric encryption in a hybrid scheme rather than use asymmetric encryption for the whole file?
- Symmetric algorithms use two keys, which makes them better for key distribution than asymmetric algorithms
- Asymmetric encryption cannot protect confidentiality, so symmetric encryption must do all the work
- Asymmetric encryption is faster than symmetric encryption but cannot encrypt files larger than 1 GB
- Symmetric encryption is far faster for bulk data, while asymmetric encryption solves the problem of securely distributing the symmetric key
Correct answer: Symmetric encryption is far faster for bulk data, while asymmetric encryption solves the problem of securely distributing the symmetric key
Combining the two works because symmetric encryption is far faster for bulk data while asymmetric encryption securely distributes the symmetric (session) key. Symmetric ciphers like AES use one shared key and are computationally cheap, but the parties must agree on that key; asymmetric cryptography lets each side use the recipient's public key to deliver the session key safely over an untrusted channel. The claim that asymmetric is faster is backward, and symmetric encryption uses a single key, not two.
- A practitioner is explaining how asymmetric (public-key) encryption works to a new analyst. Which statement correctly describes the key relationship in an asymmetric key pair?
- Both keys are identical and must be kept secret by both parties
- The private key is published in a directory and the public key is kept secret
- The two keys are mathematically related, but the private key cannot be feasibly derived from the public key, so the public key can be freely shared
- The public key decrypts whatever the same public key encrypted
Correct answer: The two keys are mathematically related, but the private key cannot be feasibly derived from the public key, so the public key can be freely shared
Asymmetric encryption works because the two keys are mathematically related yet the private key cannot feasibly be derived from the public key, so the public key can be published freely while the private key stays secret. Data encrypted with one key of the pair is reversed only by the other key. The keys are never identical, and it is the private key that must stay secret, not the public key.
- A vendor sends a signed contract file. The recipient wants to confirm the file truly came from the vendor and was not altered. Which combination of security services does a digital signature provide?
- Integrity, authentication of the signer, and non-repudiation
- Key exchange and anti-replay only
- Encryption of the message body and compression
- Confidentiality and availability only
Correct answer: Integrity, authentication of the signer, and non-repudiation
A digital signature provides integrity, authentication of the signer, and non-repudiation. The signer hashes the message and encrypts that hash with their private key; any change to the document breaks integrity verification, and because only the signer holds the private key, they cannot later deny signing. A digital signature does not by itself encrypt or hide the message body, so it does not provide confidentiality.
- An auditor asks the security team to ensure that a user who submits a financial transaction cannot later credibly deny having done so. Which cryptography-related property satisfies this requirement?
- Anti-replay
- Least privilege
- Availability
- Non-repudiation
Correct answer: Non-repudiation
Non-repudiation is the property that prevents a party from credibly denying an action they performed. In cryptography it is achieved primarily through digital signatures, where a private key uniquely controlled by the signer binds the action to that individual; supporting mechanisms include certificates and audit trails. Least privilege and availability are unrelated security goals, and anti-replay only blocks reused packets rather than proving who originated an action.
- A practitioner is documenting the difference between hashing and encryption for a data-handling standard. Which statement most accurately distinguishes the two?
- Both hashing and encryption require a shared secret key to reverse the output
- Hashing is a one-way function that cannot be reversed to recover the input, while encryption is reversible with the correct key
- Hashing is a reversible operation, while encryption is a one-way operation
- Hashing protects confidentiality, while encryption only verifies integrity
Correct answer: Hashing is a one-way function that cannot be reversed to recover the input, while encryption is reversible with the correct key
Hashing is a one-way function whose output cannot be reversed to recover the input, while encryption is reversible by anyone holding the correct key. Hashing is used to verify integrity and to store password digests, whereas encryption protects confidentiality so authorized parties can recover the original data. The reversed description and the claim that hashing protects confidentiality are both incorrect.
- Which characteristic is a required property of a strong cryptographic hash function used in cybersecurity?
- It must produce a variable-length output that grows with the input size
- It must be reversible so the original message can be recovered from the digest
- It must require a shared secret key to compute the digest
- It must be collision resistant, so it is computationally infeasible to find two different inputs that produce the same digest
Correct answer: It must be collision resistant, so it is computationally infeasible to find two different inputs that produce the same digest
A strong cryptographic hash function must be collision resistant, meaning it is computationally infeasible to find two different inputs that produce the same fixed-length digest. Good hashes are also one-way (preimage resistant) and produce a fixed-length output regardless of input size. They do not use a secret key on their own and are deliberately not reversible, which is why the other options are wrong.
- A web server presents a digital certificate during the TLS handshake. Beyond the public key, what other essential information does an X.509 digital certificate bind together and present to the client?
- The client's browsing history and IP address
- The subject's identity, validity period, and the issuing CA's digital signature
- A list of all symmetric session keys ever negotiated by the server
- The subject's private key and password hash
Correct answer: The subject's identity, validity period, and the issuing CA's digital signature
A digital certificate binds the subject's identity (such as a domain name), the public key, a validity period, and the issuing certificate authority's digital signature. The CA's signature lets a client verify the certificate has not been altered and was vouched for by a trusted authority. A certificate never contains the subject's private key or session keys, which must remain secret.
- An organization is standing up a Public Key Infrastructure. Which statement best describes what a PKI is and the role of the Registration Authority (RA) within it?
- A PKI is a symmetric key database, and the RA distributes one shared key to every user
- A PKI is a backup system, and the RA stores copies of users' private keys for recovery by anyone
- A PKI is a single firewall appliance, and the RA inspects packets for malware
- A PKI is a framework of policies, roles, and technologies for managing keys and certificates, and the RA verifies a requester's identity before the CA issues a certificate
Correct answer: A PKI is a framework of policies, roles, and technologies for managing keys and certificates, and the RA verifies a requester's identity before the CA issues a certificate
A Public Key Infrastructure is a framework of policies, roles, hardware, and software for creating, distributing, and managing digital certificates and keys, and the Registration Authority verifies a requester's identity before the certificate authority issues the certificate. This division lets the RA handle vetting while the CA performs the trusted signing. A PKI is not a firewall, a symmetric key store, or a backup product, so the other choices are incorrect.
- A site-to-site VPN must protect IP traffic between two office networks. The team chooses IPsec. Which statement correctly describes IPsec and its core protocols?
- IPsec only works at the application layer and cannot operate in tunnel mode
- IPsec is an application-layer email standard that signs messages using AH and ESP
- IPsec uses AH to encrypt payloads and ESP solely to compress headers
- IPsec is a suite that secures IP traffic, using ESP for confidentiality, integrity, and authentication, and AH for integrity and authentication without encryption
Correct answer: IPsec is a suite that secures IP traffic, using ESP for confidentiality, integrity, and authentication, and AH for integrity and authentication without encryption
IPsec is a suite of protocols that secures IP traffic at the network layer, using Encapsulating Security Payload (ESP) for confidentiality, integrity, and authentication, and Authentication Header (AH) for integrity and authentication without encryption. It can run in transport mode between hosts or tunnel mode between networks, and IKE negotiates the keys. IPsec is not an application-layer or email protocol, and AH does not encrypt payloads.
- Two systems need to verify both the integrity and the authenticity of API messages using a single shared secret key rather than a certificate. Which mechanism is purpose-built for this and combines a hash function with that shared key?
- A plain SHA-256 digest with no key
- A Certificate Revocation List (CRL)
- A Diffie-Hellman key exchange
- A Hash-based Message Authentication Code (HMAC)
Correct answer: A Hash-based Message Authentication Code (HMAC)
A Hash-based Message Authentication Code (HMAC) is purpose-built to verify both integrity and authenticity by combining a cryptographic hash with a shared secret key, so a recipient who holds the same key can confirm the message was not altered and came from a party that knows the key. A plain SHA-256 digest with no key proves integrity but not authenticity, since anyone can recompute it. A CRL lists revoked certificates and Diffie-Hellman performs key exchange, so neither authenticates messages.
- A practitioner is asked to define what a firewall does in a corporate network. Which statement best describes the core function of a firewall?
- It encrypts all data stored on internal file servers
- It scans email attachments for viruses before delivery
- It enforces a set of rules that permit or deny network traffic between zones of differing trust
- It assigns IP addresses automatically to client devices
Correct answer: It enforces a set of rules that permit or deny network traffic between zones of differing trust
A firewall enforces rules that permit or deny traffic passing between network zones of differing trust, such as between an internal LAN and the internet. It inspects traffic against a policy and allows or blocks it accordingly; it does not encrypt stored data, hand out addresses (that is DHCP), or scan email (that is an antivirus or mail gateway).
- An administrator wants to logically separate the accounting computers from the engineering computers even though they share the same physical switches. Which technology accomplishes this?
- A reverse proxy
- A virtual LAN (VLAN)
- Network address translation (NAT)
- A virtual private network (VPN)
Correct answer: A virtual LAN (VLAN)
A VLAN logically groups devices into separate broadcast domains on shared physical switch hardware, so accounting and engineering traffic stay isolated without separate cabling. A VPN secures traffic over an untrusted network, NAT rewrites IP addresses, and a reverse proxy fronts servers; none of those create the logical Layer 2 separation a VLAN provides.
- The OSI model is frequently referenced when troubleshooting and securing networks. What is the OSI model?
- An encryption algorithm used to protect data in transit
- A seven-layer conceptual framework describing how network functions are organized from physical transmission up to applications
- A cabling standard that defines maximum Ethernet segment lengths
- A routing protocol used to exchange routes between autonomous systems
Correct answer: A seven-layer conceptual framework describing how network functions are organized from physical transmission up to applications
The OSI model is a seven-layer conceptual framework that organizes networking functions into layers, from physical transmission at the bottom to application services at the top. It is a reference model for understanding and troubleshooting communications, not a cabling standard, a routing protocol, or an encryption algorithm.
- In order, what are the seven layers of the OSI model from Layer 1 to Layer 7?
- Application, Presentation, Session, Transport, Network, Data Link, Physical
- Physical, Data Link, Network, Transport, Session, Presentation, Application
- Data Link, Physical, Transport, Network, Presentation, Session, Application
- Physical, Network, Data Link, Session, Transport, Application, Presentation
Correct answer: Physical, Data Link, Network, Transport, Session, Presentation, Application
From Layer 1 to Layer 7 the OSI layers are Physical, Data Link, Network, Transport, Session, Presentation, and Application. The reverse of this list runs Layer 7 down to Layer 1; the other sequences scramble the order. A common mnemonic for bottom to top is Please Do Not Throw Sausage Pizza Away.
- A company wants to stop employees from emailing files that contain customer Social Security numbers to outside addresses. Which control is specifically designed to detect and block this kind of sensitive-data exfiltration?
- Data loss prevention (DLP)
- A load balancer
- Network address translation (NAT)
- A stateful firewall
Correct answer: Data loss prevention (DLP)
Data loss prevention (DLP) inspects data in use, in motion, and at rest for sensitive patterns such as Social Security numbers and can block or quarantine unauthorized transfers. A stateful firewall filters by connection state rather than content, NAT rewrites addresses, and a load balancer distributes traffic, so none of those are built to recognize and stop sensitive-content leakage.
- What is network segmentation, and why is it used as a security control?
- Combining many subnets into one large flat broadcast domain for easier management
- Encrypting individual files before they are stored on a server
- Dividing a network into smaller isolated zones so a compromise in one zone cannot easily spread to others
- Increasing available bandwidth by adding more switches
Correct answer: Dividing a network into smaller isolated zones so a compromise in one zone cannot easily spread to others
Network segmentation divides a network into smaller, isolated zones so that traffic between them can be controlled and a breach in one segment is contained rather than spreading across the whole network. Flattening the network into one broadcast domain does the opposite, and segmentation is about containment and control, not file encryption or raw bandwidth.
- A router interface is configured with an access control list (ACL). In networking, what is an access control list?
- A schedule that defines when backups run
- A list of usernames and the passwords assigned to each
- An ordered set of permit and deny rules that filter traffic based on attributes such as source, destination, port, or protocol
- A directory of all MAC addresses learned by a switch
Correct answer: An ordered set of permit and deny rules that filter traffic based on attributes such as source, destination, port, or protocol
A network ACL is an ordered list of permit and deny statements that the device evaluates top to bottom to filter traffic by attributes like source and destination address, port, and protocol. It is not a password store, a switch MAC table, or a backup schedule; it is a rule set that decides which packets are allowed through.
- A manager asks a practitioner to explain the difference between a firewall and a proxy. Which statement is most accurate?
- A firewall operates only at the application layer, while a proxy operates only at the physical layer
- A proxy can only block traffic, while a firewall can only allow traffic
- There is no functional difference; the terms are interchangeable
- A firewall filters traffic against rules, while a proxy terminates and forwards connections on a client's behalf, often inspecting or caching application content
Correct answer: A firewall filters traffic against rules, while a proxy terminates and forwards connections on a client's behalf, often inspecting or caching application content
A firewall filters traffic against permit and deny rules, whereas a proxy acts as an intermediary that terminates a client's connection and makes the request on its behalf, allowing it to inspect, cache, or filter application-layer content. They are distinct devices with overlapping but different roles, and a proxy does far more than just block traffic.
- An organization is comparing WPA2 and WPA3 for its wireless network. What is the principal security improvement WPA3-Personal provides over WPA2-Personal?
- It replaces AES encryption with the older WEP cipher
- It removes the need for any wireless password
- It disables all over-the-air encryption to improve speed
- It uses Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks on the password
Correct answer: It uses Simultaneous Authentication of Equals (SAE) to resist offline dictionary attacks on the password
WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange that resists offline dictionary attacks because a captured handshake cannot be cracked offline. WPA3 still requires a password and still uses strong AES-based encryption; it does not revert to WEP or turn encryption off.
- Users report that traffic between their browser and a banking site appears to be silently intercepted and read by an attacker positioned between them. What type of attack is this?
- A SQL injection attack
- A password spraying attack
- A denial-of-service attack
- A man-in-the-middle (MITM) attack
Correct answer: A man-in-the-middle (MITM) attack
A man-in-the-middle (MITM) attack occurs when an attacker secretly positions themselves between two communicating parties to intercept, read, or alter the traffic while both sides believe they are talking directly. A denial-of-service attack disrupts availability, SQL injection targets databases, and password spraying guesses credentials, so none describe silent interception of a session.
- A remote employee needs to securely connect to the corporate network over the public internet so that their traffic is encrypted and appears to originate from inside the company. Which technology provides this?
- A content delivery network (CDN)
- A virtual LAN (VLAN)
- A virtual private network (VPN)
- A demilitarized zone (DMZ)
Correct answer: A virtual private network (VPN)
A VPN creates an encrypted tunnel across an untrusted network such as the internet, protecting confidentiality and integrity and allowing the remote device to communicate as if it were on the internal network. A VLAN segments a local network, a DMZ hosts internet-facing servers in a buffer zone, and a CDN caches content, so none provide an encrypted remote-access tunnel.
- A practitioner is securing wired switch ports in a public lobby so that a visitor cannot plug in a rogue laptop and gain network access. Which control directly enforces authentication of devices before a switch port grants access?
- Spanning Tree Protocol
- 802.1X port-based network access control
- Network address translation
- A captive DNS resolver
Correct answer: 802.1X port-based network access control
802.1X provides port-based network access control, requiring a device (the supplicant) to authenticate through an authenticator switch to a RADIUS server before the port is opened for normal traffic. NAT rewrites addresses, a DNS resolver answers name queries, and Spanning Tree prevents switching loops, so none of those authenticate a device at the port.
- Which statement correctly distinguishes a packet-filtering firewall from an application-layer (proxy) firewall?
- A packet-filtering firewall makes decisions on header fields such as IP addresses and ports, while an application-layer firewall inspects the content and commands of specific protocols
- An application-layer firewall operates only at Layer 1, while a packet filter operates at Layer 7
- A packet-filtering firewall can read encrypted payloads, while an application-layer firewall cannot read anything
- There is no difference in the layers at which they operate
Correct answer: A packet-filtering firewall makes decisions on header fields such as IP addresses and ports, while an application-layer firewall inspects the content and commands of specific protocols
A packet-filtering firewall makes allow or deny decisions using header fields such as source and destination IP addresses, ports, and protocol, while an application-layer (proxy) firewall understands and inspects the actual protocol content and commands at Layer 7. The application-layer firewall works higher in the stack and provides deeper inspection, not the reverse.
- At which OSI layer do protocols such as TLS provide encryption and integrity for application traffic like HTTPS?
- It operates above the Transport layer, sitting between Transport and the Application layer to secure application data
- At the Data Link layer, encrypting individual Ethernet frames
- At the Network layer, encrypting routing tables
- At the Physical layer, encrypting the electrical signal on the wire
Correct answer: It operates above the Transport layer, sitting between Transport and the Application layer to secure application data
TLS sits above the Transport layer and below the application protocol, securing application data such as HTTP by adding encryption, integrity, and server authentication before it is handed to TCP. It does not encrypt raw signals at the Physical layer, individual frames at the Data Link layer, or routing tables at the Network layer.
- A switch is configured to allow only one specific MAC address on each access port and to shut the port down if a different device is connected. What is this feature called?
- Jumbo frames
- Quality of service
- Link aggregation
- Port security
Correct answer: Port security
Port security limits which MAC addresses may use a switch port and can disable the port when an unauthorized device connects, helping prevent rogue devices and MAC-flooding attacks. Quality of service prioritizes traffic, link aggregation bonds links for bandwidth, and jumbo frames increase frame size, none of which restrict devices by MAC address.
- A security team wants to isolate individual AI training workloads and servers from each other so that a compromise of one host cannot reach the others, even within the same data center segment. Which technique applies fine-grained, per-workload isolation?
- Broadcast forwarding
- Micro-segmentation
- Port mirroring
- DNS round-robin
Correct answer: Micro-segmentation
Micro-segmentation applies granular, workload-level policies that isolate individual hosts or services from one another, so lateral movement is blocked even within the same broader network segment. Port mirroring copies traffic for monitoring, broadcast forwarding spreads traffic widely, and DNS round-robin distributes name resolution, none of which provide per-workload isolation.
- A practitioner deploys a gateway that intercepts users' outbound web requests, enforces category-based browsing policy, and blocks access to known malicious or disallowed sites. What is this device best described as?
- A web content filter (secure web gateway)
- An authoritative DNS server
- A wireless access point
- A network tap
Correct answer: A web content filter (secure web gateway)
A web content filter, often delivered as a secure web gateway, inspects outbound web requests and enforces policy by category and reputation, blocking malicious or prohibited sites. An authoritative DNS server answers name lookups, an access point provides wireless connectivity, and a network tap passively copies traffic, so none enforce web-browsing policy.
- An organization needs two branch offices to communicate securely over the internet as if they were on one private network, with the tunnel always established between the office routers. Which VPN type fits this requirement?
- A site-to-site VPN
- A remote-access (client) VPN
- A clientless reverse proxy
- A split-tunnel personal VPN on each employee laptop
Correct answer: A site-to-site VPN
A site-to-site VPN establishes a persistent encrypted tunnel between the gateways or routers of two locations, joining their networks over the internet without per-user client software. A remote-access VPN connects individual user devices, and a reverse proxy fronts servers, so neither links two whole sites the way a site-to-site VPN does.
- An administrator is asked to explain, in one sentence, what a hypervisor is. Which description is correct?
- A backup utility that snapshots disk volumes for disaster recovery
- A firewall appliance that filters traffic between physical network segments
- Software that creates and manages virtual machines by abstracting and allocating the host's physical hardware
- An agent installed on endpoints to detect and respond to malware
Correct answer: Software that creates and manages virtual machines by abstracting and allocating the host's physical hardware
A hypervisor is software (sometimes firmware) that creates, runs, and manages virtual machines by abstracting the host's physical CPU, memory, and storage and allocating those resources to each guest. It is also called a virtual machine monitor (VMM). It is not a firewall, a backup tool, or an endpoint agent; those perform unrelated functions.
- A company wants the strongest workload isolation for its production servers and asks which hypervisor type to deploy. Which statement about Type 1 versus Type 2 hypervisors is accurate?
- A Type 1 hypervisor runs directly on the bare-metal hardware, while a Type 2 hypervisor runs as an application on top of a host operating system
- A Type 2 hypervisor runs on bare metal and is preferred for enterprise data centers
- A Type 1 hypervisor requires a full host operating system underneath it to function
- Type 1 and Type 2 hypervisors are identical except for their licensing model
Correct answer: A Type 1 hypervisor runs directly on the bare-metal hardware, while a Type 2 hypervisor runs as an application on top of a host operating system
A Type 1 (bare-metal) hypervisor installs directly on the physical hardware, giving each guest stronger isolation because there is no underlying host OS to compromise. A Type 2 (hosted) hypervisor runs as an application on top of a conventional operating system, so vulnerabilities in that host OS can expose the guests. For maximum isolation in production, a Type 1 hypervisor is generally preferred.
- A security team is documenting virtualization-specific risks. They describe an attack in which an adversary subverts or inserts a malicious hypervisor so it controls every guest VM on the host. What is this attack called?
- Credential stuffing
- Hyperjacking
- ARP poisoning
- Cross-site scripting
Correct answer: Hyperjacking
Hyperjacking is an attack in which the adversary takes malicious control of the hypervisor, for example by injecting a rogue hypervisor beneath the legitimate one. Because the hypervisor sits below every guest, controlling it can compromise all VMs on the host, making it a single point of failure. Cross-site scripting, ARP poisoning, and credential stuffing target web apps, link-layer addressing, and accounts respectively, not the hypervisor.
- A practitioner is asked to summarize what virtualization security focuses on. Which goal best captures it?
- Encrypting only the corporate email gateway
- Ensuring physical badge readers are installed at every data-center door
- Protecting the hypervisor, guest VMs, and the management plane while preserving isolation between virtual machines
- Maximizing the number of VMs per host regardless of resource contention
Correct answer: Protecting the hypervisor, guest VMs, and the management plane while preserving isolation between virtual machines
Virtualization security focuses on protecting the hypervisor, the guest virtual machines, and the management/orchestration plane while maintaining strong isolation so one compromised VM cannot reach others or the host. Patching the hypervisor, hardening the management interface, and limiting administrative access are core practices. Badge readers and email encryption are unrelated, and overpacking hosts increases risk rather than reducing it.
- A manager asks the SSCP to define what cloud security means for their new SaaS deployment. Which answer is most accurate?
- It is solely the cloud provider's job; customers have no security duties once they sign up
- It is the set of controls and shared responsibilities that protect data, applications, and infrastructure delivered through cloud services
- It means moving all servers off the internet entirely
- It refers only to encrypting backups stored on local tape
Correct answer: It is the set of controls and shared responsibilities that protect data, applications, and infrastructure delivered through cloud services
Cloud security is the collection of policies, controls, and shared responsibilities that protect data, applications, and infrastructure hosted in cloud environments. Under the shared responsibility model the provider secures the underlying cloud while the customer remains responsible for items such as data, identities, and access configuration. Security is never solely the provider's job, and the concept extends well beyond local tape encryption.
- An organization adopts an IaaS platform. Under the cloud shared responsibility model, which task remains the customer's responsibility rather than the provider's?
- Patching and hardening the guest operating system and applications they run on the virtual machines
- Protecting the provider's core network backbone
- Maintaining the underlying virtualization host hardware
- Securing the physical data-center facilities
Correct answer: Patching and hardening the guest operating system and applications they run on the virtual machines
In Infrastructure as a Service the provider secures the physical facilities, hardware, and virtualization layer, while the customer is responsible for the guest operating system, applications, data, and access configuration. Patching and hardening the guest OS therefore falls to the customer. The other tasks listed sit below the IaaS boundary and belong to the provider.
- A user opens an email attachment that they believe is a free PDF utility, but installing it secretly opens a backdoor for an attacker. Which type of malware best describes this program?
- A network worm
- A boot-sector virus
- A trojan horse
- A keylogger embedded in firmware
Correct answer: A trojan horse
A trojan horse is malware disguised as legitimate or desirable software that performs hidden malicious actions, such as installing a backdoor, once the user runs it. Unlike a worm it does not self-replicate across the network on its own; it relies on tricking the user into executing it. The fake utility that opens a backdoor is a classic trojan.
- A help-desk analyst needs a quick working definition of a trojan horse to brief staff. Which statement is correct?
- A legitimate program that has simply not been patched yet
- Malware that encrypts files and demands a ransom payment
- Malware that masquerades as legitimate software to trick users into running it, then performs hidden malicious actions
- Malware that spreads automatically without any user action
Correct answer: Malware that masquerades as legitimate software to trick users into running it, then performs hidden malicious actions
A trojan horse masquerades as legitimate or useful software to deceive a user into installing and running it, after which it carries out hidden malicious actions such as data theft or backdoor installation. Encrypting files for ransom describes ransomware, and spreading automatically without user action describes a worm. The defining trait of a trojan is deception plus a concealed payload.
- A practitioner is building a one-page reference on the major types of malware. Which option correctly pairs a malware type with its defining behavior?
- Ransomware hides its presence by replacing core operating-system files
- A worm requires a user to manually run it before it can spread
- A botnet is a single isolated computer with no network connectivity
- Spyware secretly gathers information about a user and transmits it without consent
Correct answer: Spyware secretly gathers information about a user and transmits it without consent
Spyware is malware that secretly collects information about a user or system, such as browsing habits or keystrokes, and transmits it to a third party without consent. By contrast a worm self-propagates without user action, ransomware extorts payment rather than hiding files, and a botnet is a network of compromised, remotely controlled machines. Correctly distinguishing malware types guides the right countermeasures.
- A group of internet-connected computers has been compromised and is now remotely controlled by an attacker to send spam and launch denial-of-service attacks. What is this collection of machines called?
- A botnet
- A sandbox
- A demilitarized zone
- A honeynet
Correct answer: A botnet
A botnet is a network of compromised computers, often called bots or zombies, controlled remotely through command-and-control infrastructure to perform coordinated malicious tasks such as spam distribution or distributed denial-of-service attacks. A honeynet is a deliberate decoy network, a DMZ is a network segment, and a sandbox is an isolated execution environment, none of which describe attacker-controlled compromised hosts.
- An incident responder finds that a workstation was infected after the user simply visited a compromised website, without clicking or downloading anything. The malicious code exploited a browser plug-in vulnerability automatically. What is this infection method called?
- A SYN flood
- A pass-the-hash attack
- A drive-by download
- A dictionary attack
Correct answer: A drive-by download
A drive-by download infects a system when a user merely visits a malicious or compromised web page and the page silently exploits a browser or plug-in vulnerability to deliver malware, with no deliberate download required. Keeping browsers and plug-ins patched and using script controls are key defenses. A dictionary attack, SYN flood, and pass-the-hash attack target passwords, TCP availability, and credential reuse respectively.
- An analyst describes malware that operates primarily in memory and abuses built-in tools like PowerShell and WMI rather than writing an executable to disk. Which term best fits this technique?
- Fileless malware
- Logic bomb
- Macro virus
- Adware
Correct answer: Fileless malware
Fileless malware runs largely in memory and leverages legitimate, built-in operating-system tools such as PowerShell or WMI (living off the land), so it leaves little or no executable file on disk and evades signature-based scanners. Behavioral monitoring and script logging help detect it. A macro virus relies on document macros, a logic bomb triggers on a condition, and adware merely displays unwanted ads.
- A security awareness page needs a plain-language answer to 'what is ransomware?' Which definition is correct?
- Software that displays unwanted advertisements in the browser
- Malware that encrypts a victim's data or locks systems and demands payment, usually in cryptocurrency, to restore access
- A backup technology that compresses files to save disk space
- A tool that scans a network for open ports
Correct answer: Malware that encrypts a victim's data or locks systems and demands payment, usually in cryptocurrency, to restore access
Ransomware is malware that encrypts the victim's files or locks their systems and then demands a ransom, frequently paid in cryptocurrency, in exchange for the decryption key or restored access. Maintaining tested offline backups is the single most reliable defense because it lets an organization recover without paying. The other options describe adware, port scanning, and backup compression, not ransomware.
- A hospital wants the most dependable way to recover operations if ransomware encrypts its servers, without paying the attacker. Which control is the most effective for that recovery goal?
- Maintaining regularly tested, offline (or otherwise isolated and immutable) backups
- Disabling all logging to reduce noise
- Increasing the monitor brightness on administrator consoles
- Paying the ransom immediately to guarantee fast recovery
Correct answer: Maintaining regularly tested, offline (or otherwise isolated and immutable) backups
Regularly tested offline or immutable backups are the most effective control for recovering from ransomware because they let the organization restore clean data without paying or trusting the attacker. Backups that are isolated from the network cannot be encrypted along with the production systems. Paying the ransom is discouraged: it funds crime and offers no guarantee of recovery, and brightness and logging settings are irrelevant to recovery.
- An SSCP candidate is asked to define a rootkit. Which statement is correct?
- A legitimate utility that displays the directory tree of a file system
- Malware designed to gain and hide privileged (root or kernel-level) access while concealing its presence from users and security tools
- A type of network cable used in data centers
- Software that only encrypts files for ransom
Correct answer: Malware designed to gain and hide privileged (root or kernel-level) access while concealing its presence from users and security tools
A rootkit is malware designed to obtain and maintain privileged (root or kernel-level) access to a system while actively hiding its own presence and that of other malicious components from users and security tools. Because it can subvert the operating system itself, detection often requires offline or boot-time scanning and integrity checking. It is not a benign directory tool, ransomware, or hardware.
- Investigators suspect a kernel-mode rootkit on a server because the live operating system's own tools report nothing unusual yet behavior is abnormal. Which detection approach is most reliable for finding it?
- Trusting the on-host antivirus running inside the possibly compromised OS
- Renaming suspicious files and restarting the server
- Booting from known-good trusted media (or examining an offline image) and comparing file and memory integrity against a known-good baseline
- Increasing the screen resolution to view more log lines
Correct answer: Booting from known-good trusted media (or examining an offline image) and comparing file and memory integrity against a known-good baseline
Booting from trusted external media or analyzing an offline forensic image and comparing integrity against a known-good baseline is the most reliable way to detect a kernel-mode rootkit, because a rootkit can subvert the running OS so its native tools and on-host antivirus report false 'clean' results. Renaming files or changing display settings does nothing to expose the rootkit's concealment.
- A developer left code in a payroll application that quietly deletes records if their own employee ID is ever removed from the database. The malicious action only fires when that specific condition occurs. What is this called?
- A polymorphic virus
- A buffer overflow
- A man-in-the-middle attack
- A logic bomb
Correct answer: A logic bomb
A logic bomb is malicious code that lies dormant and executes its payload only when a specific condition is met, such as a date, an event, or, as here, the removal of the developer's own account. Because it is hidden inside otherwise legitimate software, code review and separation of duties are key defenses. A polymorphic virus changes its code to evade detection, which is a different mechanism.
- An SSCP is asked for the difference between a logic bomb and a virus. Which statement is correct?
- Both terms describe the same thing and are interchangeable
- A logic bomb only affects printers, while a virus only affects keyboards
- A logic bomb self-replicates and spreads automatically, while a virus only triggers on a condition
- A logic bomb is dormant malicious code that triggers when a specific condition or time is met and does not self-replicate, while a virus attaches to files and replicates when those files run
Correct answer: A logic bomb is dormant malicious code that triggers when a specific condition or time is met and does not self-replicate, while a virus attaches to files and replicates when those files run
A logic bomb is dormant malicious code that triggers its payload when a predefined condition or time arrives, and it does not replicate on its own. A virus, by contrast, attaches itself to host files or programs and replicates when those are executed. The two are distinct mechanisms, not interchangeable, and neither is limited to a single peripheral.
- An organization is hardening its servers and wants to define what endpoint security means before selecting tools. Which description is most accurate?
- A method of load-balancing traffic across multiple web servers
- The practice of protecting end-user and host devices such as laptops, desktops, servers, and mobile devices from threats using controls like anti-malware, hardening, and detection and response
- Securing the corporate building's physical perimeter and parking lot
- Encrypting only the data that crosses the internet backbone
Correct answer: The practice of protecting end-user and host devices such as laptops, desktops, servers, and mobile devices from threats using controls like anti-malware, hardening, and detection and response
Endpoint security is the practice of protecting end devices and hosts, such as laptops, desktops, servers, and mobile devices, from threats by combining controls like anti-malware, host hardening, patching, encryption, and endpoint detection and response. It treats each device as a defensible point that attackers target. Physical perimeter security, backbone encryption, and load balancing address different concerns.