ISC2 SSCP Exam Questions

Page 1 of 25

1.

At which stage of the cyber kill chain is an organization most likely to detect suspicious activities such as port scanning?

  • Initial Reconnaissance

  • Delivery of Exploit

  • Installation of Malware

  • System Compromise

Correct answer: Initial Reconnaissance

The initial reconnaissance stage is where attackers gather information about the target, including scanning for open ports and services. Organizations with proper monitoring tools, like intrusion detection systems (IDS), are likely to detect these activities during this phase.

Delivery of exploit involves delivering the malicious payload to the target, typically after reconnaissance is complete. Port scanning would likely be detected before this stage.

Installation of malware occurs after the attacker has successfully exploited a vulnerability. Port scanning would generally have been completed earlier in the attack cycle.

System compromise refers to the point at which the attacker has fully compromised the system. Detection of port scanning would typically occur during the reconnaissance phase, well before system compromise.

2.

Which of the following describes an event where one or more business processes are disabled for a short time?

  • Interruption

  • Disaster

  • Partial disruption

  • Minor disruption

Correct answer: Interruption

A disaster renders most or all critical business functions inoperable.

An interruption disables one or more business processes for a short time.

A partial disruption disables some business processes, but others can continue, potentially with degraded performance.

A minor disruption disables a few critical business functions but most of the business continues with minimal impact.

3.

Which network topology has an explicit mechanism in place for avoiding collisions?

  • Token ring

  • Bus

  • Star

  • Mesh

Correct answer: Token ring

Token rings create a ring of devices that allow traffic to flow one way around it. The network avoids collisions by using a token to determine who can send data.

Bus topologies have all nodes connected to a shared bus, and, while all nodes on the bus hear all traffic, only the intended recipient listens. Collision avoidance is achieved by listening for data on the line and sending only when it is quiet.

Star topologies have all nodes connected to a central hub, switch, or router that relays the traffic. Star networks are more resilient because a cable outage only affects the endpoint it connects to the central node.

Mesh networks have nodes directly connected to other nodes. Mesh networks are the most resilient due to the number of redundant paths but are also more inefficient and expensive.

4.

Which Guest OS security strategy is the HARDEST to accomplish?

  • Side-Channel Remediation

  • Partitioning

  • Covert Channel Isolation

  • Cross-VM Side-Channel Prevention

Correct answer: Side-Channel Remediation

Remediating side-channel attacks is often considered the hardest to accomplish because these attacks exploit indirect information leakage, such as timing, power consumption, or electromagnetic emissions, rather than traditional vulnerabilities. The complexity and subtlety of these attacks make them difficult to detect and even more challenging to mitigate effectively.

Partitioning involves dividing resources within a system or virtual environment to isolate different processes or VMs (virtual machines). While it requires careful planning and configuration, it is generally more straightforward to accomplish than side-channel remediation.

Covert channel isolation is challenging as it requires preventing unauthorized communication channels between virtual machines. However, it is still generally more manageable than addressing the wide array of potential side-channel attacks.

Although complex, preventing cross-VM side-channel attacks focuses on specific scenarios where one VM might attempt to gather information from another. It is challenging but tends to be more focused and slightly less broad than general side-channel remediation.

5.

Which of the following phases comes FIRST in the Waterfall SDLC?

  • Systems Design

  • Development and Test

  • Validation or Acceptance Testing

  • Operational Deployment

Correct answer: Systems Design

The Systems Design phase breaks the requirements into elements and defines subsystems to fulfill each element of the requirements.

During the Development and Test phase the software is written based on the requirements and systems design.

During Validation or Acceptance Testing, testing is performed to verify the software meets all the requirements defined in the Systems Analysis phase.

Operational Deployment refers to when the software is released, and responsibility for management moves from the developers to the users.

6.

Which type of firewall is designed to provide privacy to systems within the protected network?

  • Circuit-level

  • Application-level

  • Packet filtering

  • Stateful inspection

Correct answer: Circuit-level

Circuit-level firewalls are similar to stateful inspection firewalls but act at the Session layer of the OSI model. These firewalls verify the completion of TCP handshakes and mask information about the protected network from outside systems. This helps maintain privacy by not exposing internal network addresses and information to external entities.

Packet filtering firewalls operate at the Network layer of the OSI model and use the information contained within a packet's headers to allow or block traffic based on predefined Access Control Lists (ACLs).

Application-level firewalls operate at OSI Layer 7 and perform deep-level inspection of network traffic. These are the slowest types of firewalls but can understand the traffic of various applications and apply application-specific rules.

Stateful inspection firewalls track the current state of a connection and can block packets that come out of sequence, such as a SYN-ACK without a corresponding SYN in a TCP handshake. This type of firewall operates at the Network and Transport layers of the OSI model.

7.

Under which cloud service model does the customer have the LEAST responsibility for their infrastructure stack?

  • Software as a Service

  • Infrastructure as a Service

  • Platform as a Service

  • Function as a Service

Correct answer: Software as a Service

Cloud services can be deployed under different service models, where responsibility for managing and securing the cloud infrastructure stack is divided in various ways. Some of the common cloud service models include:

  • Infrastructure as a Service (IaaS): The cloud service provider essentially provides the hardware that a customer's data center is hosted on. Responsibility for networking is shared, and everything from the operating system on up is the customer's responsibility.
  • Platform as a Service (PaaS): The cloud service provider manages an environment (including databases), where a customer can develop and deploy applications. The customer configures databases and creates the apps, and the CSP manages everything else.
  • Software as a Service (SaaS): The cloud service provider provides customers with access to CSP-developed applications. Webmail systems such as G-Suite and Microsoft 365 are examples of SaaS solutions.
  • Function as a Service (FaaS)/Serverless: Serverless platforms enable individual functions to be defined as standalone services. These functions can then be chained together to implement desired functionality or event flows.

8.

Cybercriminals attempting to perform supply chain exploits against an organization may be taking advantage of which of the following?

  • Inconsistent use of proven, tested design and code libraries

  • Poor design practices

  • Inconsistent use of design patterns

  • Poor coding practices

Correct answer: Inconsistent use of proven, tested design and code libraries

Insecure software can exist for various reasons. Some common causes include:

  • Poor design practices: Good software design decomposes and translates high-level requirements into functional units. A failure to use established design best practices can result in less functional, secure, robust, and resilient software.
  • Inconsistent use of design patterns: Best practice design patterns describe how a particular task or function is usually implemented. Reinventing the wheel by failing to use established design patterns can make software more difficult and time-consuming to develop and maintain.
  • Poor coding practices: The OWASP Top Ten list and similar resources describe known vulnerabilities that commonly appear in production code. Failing to test for and remediate these vulnerabilities in application code makes software more vulnerable.
  • Inconsistent use of proven, tested design and code libraries: Use of trusted libraries is considered best practice because it speeds development, and these libraries may offer better performance and security than code implemented from scratch. Failing to use trusted libraries or using untrusted libraries can create functionality and security issues.

9.

Which identity assurance level (IAL) for just-in-time identity might involve checking a social media profile?

  • IAL2

  • IAL1

  • IAL3

  • IAL0

Correct answer: IAL2

The three Identity Assurance Levels (IALs) in just-in-time identity are the following:

  • IAL1: No proofing is performed to verify the entity's identity.
  • IAL2: The applicant's claim to an identity is validated using an online identity authentication service, which may include checking social media profiles.
  • IAL3: The identity documents presented by the applicant are physically verified.

IAL0 does not exist.

10.

An attack against the Address Resolution Protocol (ARP) occurs at which layer of the OSI model?

  • Layer 2

  • Layer 1

  • Layer 3

  • Layer 4

Correct answer: Layer 2

The Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses, and attacks against it occur at OSI Layer 2.

11.

Which of the following signals has the LOWEST urgency?

  • Indicator

  • Alarm

  • Telltale

  • IoC

Correct answer: Indicator

An indicator has medium urgency, signaling that an event of interest has occurred or may be occurring, but it does not necessarily require immediate action. It is less urgent than alarms, telltales, or IoCs (Indicators of Compromise), which typically demand more immediate attention.

A telltale is an early warning sign, often with higher urgency than an indicator, because it suggests something may be wrong and needs further investigation.

An alarm is a direct and urgent signal indicating immediate action is required to address a potential threat or issue.

An IoC (Indicator of Compromise) is a critical signal that a security breach or malicious activity has already occurred, requiring an immediate response.

12.

Which of the following stages of the chain of custody lifecycle comes FIRST?

  • Cataloging

  • Protection, Preservation, or Control

  • Analysis

  • Retention

Correct answer: Cataloging

The chain of custody lifecycle includes the following stages:

  • Creation: Some action creates a piece of evidence.
  • Recognition and Identification: An investigator identifies the evidence as relevant to the investigation.
  • Taking Possession or Custody of the Evidence Item: The evidence is collected, and the chain of custody record begins.
  • Cataloging: Evidence is placed in an evidence bag and uniquely identified.
  • Protection, Preservation, or Control: The evidence custodian preserves the evidence either on-scene or in secure storage, and all future access or modifications to the evidence are documented.
  • Analysis: Various analysis techniques (destructive or non-destructive) are performed, ideally on a copy of the evidence.
  • Reporting: The results of the analysis are collected into a report.
  • Transfer: Control over the evidence is transferred to another location or party (such as law enforcement).
  • Retention: Evidence is securely stored against future need (analysis, legal action, etc.).
  • Destruction or Disposal: Evidence that is no longer needed is disposed of in accordance with applicable requirements.

13.

Which of the following is an algorithm used to establish a shared secret key over a public channel?

  • Diffie-Hellman-Merkle

  • RSA

  • DSA

  • ElGamal

Correct answer: Diffie-Hellman-Merkle

The Diffie-Hellman-Merkle algorithm uses asymmetric cryptography to establish a shared secret key over a public channel.

The Digital Signature Algorithm (DSA) is a digital signature algorithm, and ElGamal and RSA are encryption algorithms.

14.

Which of the following MOST likely indicates a failure of an organization's processes?

  • Unauthorized change

  • Anomaly

  • Exploit

  • Intrusion

Correct answer: Unauthorized change

Events of interest may be categorized as the following:

  • Anomalies: Any event that is out of the ordinary, which could be benign or suspicious.
  • Intrusions: An event in which an attacker gained unauthorized access to IT assets.
  • Unauthorized changes: Modifications to configurations, settings, etc. that are not compliant with configuration management and change control processes.

Exploits are not a type of event of interest.

15.

Which of the following techniques could enable an organization to identify and remediate a ransomware attack before it completes data encryption?

  • Endpoint Behavioral Modeling

  • User Behavioral Modeling

  • Access Control

  • Security Logs

Correct answer: Endpoint Behavioral Modeling

Malicious activity on a system could be detected in a few different ways, such as:

  • User Behavioral Modeling: User behavioral modeling attempts to identify what is "normal" for a user. Based on this definition of "normal," it can identify potential attacks as deviations from "normal" behavior. For example, unusual attempts to access corporate databases (especially without authorization) may indicate a compromised account.
  • Endpoint Behavioral Modeling: Endpoints also have "normal" and "abnormal" behavior that can be used to detect attacks. For example, a program accessing and modifying many files very quickly is anomalous and a potential sign of a ransomware infection.
  • Access Control: Attackers commonly attempt to abuse the access of a compromised account and potentially access corporate systems and resources without authorization. Access control systems can alert on anomalous or unauthorized access attempts that point to a compromised account.
  • Security Logs: Endpoints, security solutions, and other tools will generate log files that record important events that occurred on the system. This could include events that point to a malware infection or other security event.

16.

If a critical server goes down, it takes three hours to bring it back online. What metric is this?

  • MTTR

  • MAO

  • RPO

  • RTO

Correct answer: MTTR

The mean time to repair (MTTR) measures the average amount of time required to restore a failed component to normal operation.

The maximum allowable outage (MAO) is the longest time that a risk event can prevent business operations without causing unacceptable harm to the business. The recovery time objective (RTO) is the maximum acceptable time to restore operations after a risk event. The recovery point objective (RPO) measures the maximum acceptable amount of data loss due to a risk event.

17.

Which of the following is a cybersecurity standard for interconnected critical infrastructure?

  • NERC CIP

  • HITRUST CSF

  • ISA/IEC 62443

  • PCI DSS

Correct answer: NERC CIP

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a collection of cybersecurity best practices for the North American power sector.

The Health Information Trust Alliance Common Security Framework (HITRUST CSF) addresses the requirements of overlapping regulations for healthcare providers.

ISA/IEC refers to a set of standards jointly developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). ISA/IEC 62443 is a collection of standards for the industrial process control environment.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to fight payment card fraud by protecting cardholders' sensitive data.

18.

Which of the following is NOT one of the three metrics used by the Common Vulnerability Scoring System (CVSS)?

  • Intrinsic

  • Temporal

  • Environmental

  • Base

Correct answer: Intrinsic

The three metrics used in the CVSS are as follows:

  • Base metrics: Qualities intrinsic to a vulnerability
  • Temporal metrics: How a vulnerability evolves over time
  • Environmental metrics: How an organization's environment impacts its exposure to a vulnerability

19.

Which of the following is NOT one of the four phases of the OCTAVE threat modeling framework?

  • Triage risks

  • Establish drivers

  • Profile assets

  • Identify threats

Correct answer: Triage risks

Triage risks is not one of the four phases of the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) threat modeling framework. The OCTAVE framework focuses on a structured approach to identifying, assessing, and mitigating risks.

The establish drivers phase involves defining the organization’s strategic objectives, risk tolerances, and security requirements, which guide the entire threat modeling process.

The profile assets phase involves identifying critical assets within the organization and assessing their value, importance, and potential vulnerabilities.

The identify threats phase involves recognizing potential threats to the organization's assets, which is crucial for determining where vulnerabilities may exist and how they could be exploited.

20.

In which of the following cryptographic threat models does the attacker have the greatest control over the cryptosystem they are attacking?

  • Chosen plaintext

  • Known plaintext

  • Ciphertext-only

  • Known key

Correct answer: Chosen plaintext

In the chosen plaintext threat model, the attacker has the greatest control over the cryptosystem because they can choose arbitrary plaintexts to be encrypted and then analyze the resulting ciphertexts. This level of control allows the attacker to explore the relationship between the plaintext and the ciphertext, which can provide valuable information for breaking the encryption.

In a known plaintext threat model, the attacker knows both the plaintext and the corresponding ciphertext but does not have the ability to choose the plaintexts. The attacker has less control compared to the chosen plaintext model.

In ciphertext-only threat models, the attacker only has access to ciphertexts without knowing the corresponding plaintexts. This provides the least amount of information and control for the attacker.

Known key is not a standard cryptographic threat model.