ISC2 SSCP Exam Questions

Page 4 of 25

61.

Which of the following is NOT a risk management standard primarily intended for the US?

  • ITIL

  • COSO

  • HITRUST

  • FIPS

Correct answer: ITIL

COSO, HITRUST, and FIPS standards are all intended for US audiences. ITIL standards are for a global audience.

62.

Which of the following is NOT an example of a volatile data source?

  • Log files

  • Mobile device memory

  • In-memory data

  • Network routing tables

Correct answer: Log files

Mobile device memory, data held in system memory, and network routing tables are examples of volatile data sources because their contents can be lost or overwritten if the system keeps running or is powered off. Log files are stable, non-volatile sources of data and should be collected after the volatile data.

63.

How many processes are included in the ITIL service management framework?

  • 26

  • 5

  • 6

  • 25

Correct answer: 26

The 5 volumes of the ITIL service management framework include 26 processes.

64.

Which of the following is NOT a common port number associated with email?

  • 21

  • 25

  • 110

  • 143

Correct answer: 21

The three common email protocols use the following port numbers:

  • Internet Message Access Protocol (IMAP): 143
  • Post Office Protocol version 3 (POP3): 110
  • Simple Mail Transfer Protocol (SMTP): 25

Port 21 is used by the File Transfer Protocol (FTP).

65.

Binary and threshold-based are terms relating to which of the following?

  • Integrity

  • Confidentiality

  • Transparency

  • Privacy

Correct answer: Integrity

Integrity measures how complete and correct data or a system is. A system's integrity can be measured in a binary (yes/no) fashion or based on whether the integrity level meets a particular threshold.

66.

Which endpoint security solution provides in-depth visibility and protection for a single endpoint?

  • EDR

  • XDR

  • MDR

  • UEM

Correct answer: EDR

Many different types of endpoint security solutions have emerged in recent years, including:

  • Endpoint Detection and Response (EDR): Provides in-depth security monitoring and incident response for a single endpoint.
  • Extended Detection and Response (XDR): Integrates monitoring and incident response across multiple endpoints to provide context and address coordinated or distributed attacks.
  • Managed Detection and Response (MDR): Uses a third-party provider to identify and remediate security incidents on an organization's endpoints.
  • Unified Endpoint Management (UEM): Integrates endpoint management capabilities into a single solution and dashboard.

67.

Which of the following actions is specifically prohibited under the Computer Fraud and Abuse Act (CFAA)?

  • Accessing a computer without authorization to obtain information

  • Sending unsolicited commercial emails

  • Using encryption to protect sensitive data

  • Sharing software source code publicly

Correct answer: Accessing a computer without authorization to obtain information

The CFAA prohibits unauthorized access to computers to obtain information, reflecting its primary focus on protecting the confidentiality of data.

Sending unsolicited commercial emails is typically addressed by other laws, such as the CAN-SPAM Act, rather than the CFAA.

Using encryption to protect sensitive data is a security best practice and not prohibited by the CFAA.

Unless it involves proprietary or unauthorized code obtained through illegal means, sharing code is not specifically prohibited by the CFAA.

68.

Which of the following Guest OS security strategies focuses on preventing data leaks between virtual machines by eliminating unauthorized communication channels?

  • Covert channel isolation

  • Partitioning

  • Side-channel remediation

  • Secure virtualization

Correct answer: Covert channel isolation

Covert channel isolation is a security strategy aimed at preventing unauthorized communication channels (covert channels) between virtual machines within a virtualized environment. This approach helps to ensure that data cannot be secretly transferred between guest operating systems, enhancing overall security.

Partitioning involves dividing resources within a virtualized environment, but it doesn't specifically focus on preventing covert channels.

Side-channel remediation targets the mitigation of side-channel attacks, which differ from covert channels in that they involve exploiting physical characteristics, such as timing or power consumption, rather than unauthorized communication.

Secure virtualization is not a Guest OS security strategy.

69.

Which of the following deals with the usability of a data format?

  • Availability

  • Confidentiality

  • Integrity

  • Authenticity

Correct answer: Availability

Availability refers to data that is available when needed in a usable format. Confidentiality restricts unauthorized access to data. Integrity ensures that data is complete and correct. Authenticity verifies that data has only been created and modified by authorized users.

70.

Which security property of the Bell-LaPadula model prevents write down?

  • Star Security Property

  • Simple Security Property

  • Discretionary Security Property

  • Mandatory Security Property

Correct answer: Star Security Property

The security properties of the Bell-LaPadula model are:

  • Simple Security Property (SS): Prevents a subject from reading up
  • * (star) Security Property: Prevents a subject from writing down
  • Discretionary Security Property: Requires the use of an access matrix to enforce discretionary access control when implementing Bell-LaPadula

71.

Which of the following is MOST likely to protect an organization against a Business Email Compromise (BEC) attack where an employee is tricked into sending money to a fake supplier?

  • Separation of duties

  • Least privilege

  • Need to know

  • Defense in depth

Correct answer: Separation of duties

Separation of duties breaks critical processes, such as paying vendors, into multiple stages controlled by different parties. This decreases the probability that a BEC attack would succeed because multiple people would need to be tricked by the email.

Least privilege and need to know would not apply if the employee legitimately had the ability to process vendor payments. Defense in depth refers to the use of multi-layered security controls, and its effectiveness against BEC attacks depends on the controls used.

72.

Which of the following types of events of interest may be benign?

  • Anomaly

  • Intrusion

  • Unauthorized Change

  • Exploit

Correct answer: Anomaly

An anomaly refers to something that deviates from the expected norm or pattern. While anomalies can indicate security threats or issues, they can also be benign, such as legitimate changes in user behavior, system updates, or network configurations. Therefore, not all anomalies are necessarily malicious or harmful.

An intrusion is an unauthorized and often malicious act of gaining access to a system or network. This is inherently harmful as it compromises security and potentially leads to data breaches or other attacks.

An unauthorized change refers to any change made without proper authorization or approval. Such changes can lead to security vulnerabilities, data integrity issues, or compliance violations, making them inherently risky or harmful.

An exploit is a method or technique used to take advantage of a vulnerability in a system. Exploits are typically malicious as they are used to execute unauthorized actions or gain control over a system, compromising its security.

73.

Which of the following is NOT a common trust relationship?

  • Bilateral

  • One-way

  • Two-way

  • Transitive

Correct answer: Bilateral

The main types of trust relationships are as follows:

  • One-way: A trusts B, but B doesn't trust A.
  • Two-way: A trusts B and B trusts A.
  • Transitive: A trusts B and B trusts C, so A trusts C.

74.

Which of the following is NOT one of the three levels of the NIST Risk Management Framework (RMF)?

  • Security Architecture

  • Organization

  • Mission/Business Process

  • Information System or Component

Correct answer: Security Architecture

While security architecture is an important aspect of overall cybersecurity, it is not one of the three levels of the NIST Risk Management Framework (RMF). The RMF focuses on a structured process to manage security and privacy risk across an organization at different levels.

The three levels of the NIST RMF:

  • Organization: This level involves the organization's overarching governance, risk management strategy, and enterprise-level decisions.
  • Mission/Business Process: This level focuses on how information systems support the organization's missions and business processes, ensuring that security and privacy risks are managed within the context of these processes.
  • Information System or Component: This level addresses the management of risk for individual information systems or specific components within those systems, including their security and privacy controls.

75.

Which type of malware spreads without relying on user interaction?

  • Worm

  • Virus

  • Rootkit

  • Trojan horse

Correct answer: Worm

A worm is a type of malware that spreads autonomously across networks by exploiting vulnerabilities, without any need for user interaction.

A Trojan horse disguises itself as legitimate software to trick users into executing it. It relies on user interaction to spread, as users must download and run the malicious software.

A rootkit is designed to grant unauthorized access to a computer while hiding its presence. It often requires user interaction or another malware component to be installed initially and does not spread on its own.

A virus requires user interaction, such as opening an infected file or program, to activate and spread. It attaches itself to legitimate files and spreads when those files are shared.

76.

Which access control method is BEST suited to an environment containing highly sensitive information or data protected under data protection regulations?

  • MAC

  • DAC

  • RBAC

  • ABAC

Correct answer: MAC

Mandatory Access Control (MAC) centrally manages access to files, applications, directories, and other assets, and denies users the ability to manage access to their own assets. This makes it best suited to managing access to sensitive or restricted information.

Discretionary Access Control (DAC) is the access control model built into most operating systems and allows the owner of an asset to manage privileges associated with it.

Role-Based Access Control (RBAC) assigns access and permissions based upon an entity's role within the organization, making it easier to implement least privilege and separation of duties.

Attribute-Based Access Control (ABAC) assigns sets of attributes to each entity. Access control rules are implemented using Boolean logic that describes the combinations of attributes needed to access a resource or perform a particular action. This allows highly granular access control rules.

77.

Which form of analytics used by UEBA systems could be used to identify security gaps that are MOST likely to pose a risk to an organization?

  • Predictive

  • Descriptive

  • Inquisitive

  • Prescriptive

Correct answer: Predictive

User Entity and Behavioral Analytics (UEBA) systems can use various analytical approaches, such as:

  • Descriptive: Compares current events to past events and behavioral profiles to identify unusual behavior.
  • Inquisitive: Attempts to identify proximate causes that triggered a particular event or set of events.
  • Predictive: Identifies likely future events based on knowledge of the person or system being analyzed.
  • Prescriptive: Uses various analytic techniques to inform and develop responses to predicted events.

Identifying the security gaps that attackers are most likely to exploit can help in minimizing risk. Predictive analytics can help with this by predicting potential future attack campaigns that an organization can evaluate its vulnerability against.

78.

Which of the following is MOST likely to protect against phishing attacks?

  • Security awareness training

  • Email filtering solutions

  • Multi-factor authentication

  • Regular software updates

Correct answer: Security awareness training

Security awareness training educates users on how to recognize and respond to phishing attempts. It is critical in preventing these types of attacks since phishing often exploits human behavior. Training is the best line of defense for protecting against phishing attacks.

While email filtering solutions can reduce the number of phishing emails that reach users, they are not foolproof and some phishing attempts may still get through.

Multi-factor authentication (MFA) adds an extra layer of security, but does not prevent phishing attacks; it only helps mitigate the impact if credentials are compromised.

Regular software updates are important for maintaining overall security and patching vulnerabilities, but they do not specifically address the risk of phishing attacks.

79.

Which of the following is used to implement and enforce need to know?

  • Least privilege

  • Separation of duties

  • Defense in depth

  • Security via obscurity

Correct answer: Least privilege

The principle of least privilege states that an entity should only be granted the access and permissions needed to do its job. This implements and enforces the concept of need to know.

80.

In which type of risk analysis is the goal to identify the underlying issue that caused a security incident?

  • Root cause

  • Proximate cause

  • Immediate cause

  • Contributory cause

Correct answer: Root cause

Root cause analysis attempts to uncover the fundamental underlying issue that led to the security incident, allowing for effective preventative measures.

A proximate cause analysis attempts to identify the final event that enabled the incident to occur.

An immediate cause refers to the direct and immediate trigger of the incident, but not the deeper underlying issue.

A contributory cause identifies factors that contributed to the incident but are not the primary underlying cause.