ISC2 SSCP Exam Questions

Page 5 of 25

81.

Which of the following types of attacks is MOST likely to include a social media profile?

  • Catphishing

  • Whaling

  • Vishing

  • Smishing

Correct answer: Catphishing

Whaling attacks are spear phishing attacks targeting an important individual within an organization. For example, a spoofed email from the CEO to the CFO claiming to be an attempt to close a deal may actually be intended to send money to the attacker.

Vishing attacks use the same techniques as phishing attacks but are performed over the phone.

Smishing attacks use SMS text messages to carry out phishing attacks.

Catphishing attacks involve the creation of a fake persona that the attacker uses to trick the target into divulging sensitive information or taking other actions.

82.

Which of the following is NOT one of the layers of the TCP/IP network model?

  • Session

  • Link

  • Transport

  • Application

Correct answer: Session

Session is a layer in the OSI model, not the TCP/IP model. The session layer manages sessions between applications but does not have a direct counterpart in the TCP/IP model.

Transport, link, and application are all layers of the TCP/IP model.

83.

Shoulder surfing is an example of what data classification problem?

  • Read up

  • Read down

  • Write up

  • Write down

Correct answer: Read up

Shoulder surfing is an example of the read up problem because it could allow an entity to read data at a higher classification level than they are authorized to access.

84.

When making a decision as an SSCP, it is MOST important that the decision is which of the following?

  • Ethical

  • Technically correct

  • Cost effective

  • Compliant with legal and regulatory requirements

Correct answer: Ethical

While decisions made by an SSCP should be technically correct, cost effective, and compliant with applicable laws and regulations, it is most important that they are ethically correct.

85.

Which of the following risk metrics is derived from the other two?

  • ALE

  • SLE

  • ARO

  • All of these metrics are independent.

Correct answer: ALE

The annual loss expectancy (ALE) is the product of the SLE and ARO and measures the amount of losses caused by a risk event each year.

The single loss expectancy (SLE) measures the cost of a single event occurring for a particular risk. The annual rate of occurrence (ARO) estimates how many times per year a particular risk event is likely to occur.

86.

Which type of risk analysis attempts to identify the last event before an incident occurred that allowed the incident to happen?

  • Proximate cause

  • Root cause

  • Terminal cause

  • Underlying cause

Correct answer: Proximate cause

Proximate cause analysis attempts to identify the last thing that happened that enabled an incident to occur.

Root cause analysis attempts to identify the underlying issue that enabled a security incident. 

Terminal cause and underlying cause analysis are fabricated terms.

87.

Which of the following is NOT one of the phases of the information lifecycle as defined in ISO 27002?

  • Retention

  • Storage

  • Transmission

  • Deletion and destruction

Correct answer: Retention

Retention is not explicitly listed as a separate phase in the information lifecycle according to ISO 27002. The information lifecycle typically includes phases such as creation/acquisition, classification, storage, use, sharing, transmission, and deletion/destruction.

Deletion and destruction involves securely disposing of information when it is no longer needed.

Transmission involves the transfer of information from one location to another, whether within or outside the organization.

Storage involves securely storing information in a manner that protects its confidentiality, integrity, and availability.

88.

What is the term for the process of disabling and removing an entity's access and permissions on corporate systems?

  • Deprovisioning

  • Access removal

  • Disentitlement

  • Outprocessing

Correct answer: Deprovisioning

Deprovisioning is the process of disabling and removing an entity's (such as an employee's) access and permissions on corporate systems. This process typically occurs when an individual leaves the organization or when their role changes, requiring the removal of access to certain resources to maintain security.

While access removal is part of the deprovisioning process, it is not the formal term used to describe the comprehensive process of revoking all access and permissions.

Outprocessing refers to the general process of managing an employee's departure from an organization, which may include deprovisioning, but it is not specifically about access and permissions.

Disentitlement is not a widely recognized or formal term in the context of access management.

89.

When evaluating risk, an SSCP is estimating the probability of an event occurring. Which risk metric might they be calculating?

  • ARO

  • SLE

  • ALE

  • ROI

Correct answer: ARO

The annual rate of occurrence (ARO) estimates how many times per year a particular risk event is likely to occur.

The single loss expectancy (SLE) measures the cost of a single event occurring for a particular risk. The annual loss expectancy (ALE) is the product of the SLE and ARO and measures the amount of losses caused by a risk event each year. Return on investment (ROI) measures the value derived from a purchase or investment.

90.

Which of the following organizations publishes widely used guidelines for temperature control for data centers?

  • ASHRAE

  • Uptime Institute

  • IEEE

  • IEC

Correct answer: ASHRAE

ASHRAE (American Society of Heating, Refrigerating, and Air-Conditioning Engineers) is the organization that publishes widely used guidelines for temperature control in data centers. Their standards, such as ASHRAE TC 9.9, provide recommendations for the environmental conditions, including temperature and humidity, that should be maintained in data centers to ensure optimal performance and reliability of equipment.

IEEE (Institute of Electrical and Electronics Engineers) develops standards related to electrical and electronic systems, but it does not specifically focus on temperature control for data centers.

The Uptime Institute is known for its Tier Classification System, which rates the reliability and availability of data centers; it does not specifically publish guidelines on temperature control.

IEC (International Electrotechnical Commission) publishes international standards for electrical and electronic technologies; it is not focused on temperature control guidelines for data centers.

91.

Which of the following is NOT a common backup strategy?

  • Transactional

  • Full

  • Differential

  • Incremental

Correct answer: Transactional

Transactional backup is a fabricated term and does not represent an official common backup strategy.

Common types of backup strategies include: 

  • Full: A complete copy of all data is made each time a backup is generated.
  • Differential: Backs up only the data that has been changed since the last full backup.
  • Incremental: Backs up the data that has been changed since the last backup.

92.

Which type of access control provides an organization with the greatest control over access to its data and resources?

  • MAC

  • DAC

  • RBAC

  • ABAC

Correct answer: MAC

Mandatory Access Control (MAC) centrally manages control over files, applications, directories, etc. and denies users the ability to manage access to their own assets.

Discretionary Access Control (DAC) is the access control model built into most operating systems and allows the owner of an asset to manage privileges associated with it.

Role-Based Access Control (RBAC) assigns access and permissions based upon an entity's role within the organization, making it easier to implement least privilege and separation of duties.

Attribute-Based Access Control (ABAC) assigns sets of attributes to each entity. Access control rules are implemented using Boolean logic that describes the combinations of attributes needed to access a resource or perform a particular action.

93.

Where does an individual have a "reasonable expectation of privacy"?

  • At home

  • In a public park

  • On the sidewalk

  • At the office

Correct answer: At home

An individual generally has a "reasonable expectation of privacy" in their home. This is one of the most protected areas in terms of privacy rights, where people can expect to be free from unwarranted surveillance.

While there may be some expectation of privacy at work, it is often limited. Employers typically have the right to monitor workspaces, emails, and computer usage, so the expectation of privacy is reduced compared to one's home.

In public spaces like parks, individuals generally do not have a reasonable expectation of privacy. Activities and conversations conducted in these areas are typically open to observation by others.

Similar to a public park, being on a sidewalk is considered being in a public space where there is no reasonable expectation of privacy. People walking on sidewalks are in full view of others, including law enforcement and surveillance cameras.

94.

Which class of IP addresses uses 16 bits to identify a host?

  • Class B

  • Class A

  • Class C

  • Class D

Correct answer: Class B

IP addresses are composed of four 8-bit octets. The classes of IP addresses are as follows:

  • Class A IP addresses use a single octet for the network and three to identify the host (i.e. <network>.<host>.<host>.<host>).
  • Class B IP addresses use two octets for the network and two to identify the host (i.e. <network>.<network>.<host>.<host>).
  • Class C IP addresses use three octets for the network and one to identify the host (i.e. <network>.<network>.<network>.<host>).
  • Classes D and E are reserved classes.

95.

Which of the following is NOT one of the canons in the (ISC)2 code of ethics?

  • Obey all applicable laws and regulations.

  • Advance and protect the profession.

  • Act honorably, honestly, justly, responsibly, and legally.

  • Provide diligent and competent service to principals.

Correct answer: Obey all applicable laws and regulations.

The four canons in the (ISC)2 code of ethics are:

  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.

"Obey all applicable laws and regulations" is not one of the core canons of the (ISC)2 code of ethics.

96.

Dual control and two-person integrity are examples of which of the following?

  • Separation of duties

  • Least privilege

  • Need to know

  • Defense in depth

Correct answer: Separation of duties

Dual control and two-person integrity require two parties to perform actions to complete a task. This is an example of separation of duties because no single person can independently complete the task.

97.

Which of the following is always an unexpected type of signal?

  • IoC

  • Alarm

  • Indicator

  • Telltale

Correct answer: IoC

An IoC (indicator of compromise) is an unexpected type of signal. It refers to evidence that a security breach or malicious activity has occurred within a system. IoCs are usually discovered after the fact and indicate that an intrusion or other compromise has already taken place, making them unexpected and concerning.

An alarm is a signal designed to alert to a specific condition or event. While it can be triggered unexpectedly, it is a predefined and expected type of signal in systems where it is implemented.

A telltale signal indicates a specific condition or state of a system, often used in monitoring or control systems. It is expected in its context, providing information on the system's status.

An indicator is a signal or piece of information that provides insight into a condition or state. It is typically expected within the context it is used, such as indicators on a dashboard showing system health or performance.

98.

Which of the following terms refers to a component, defined by FIPS 140-2, that provides cryptographic services and can be implemented in hardware, firmware, or software?

  • Cryptographic module

  • Trusted Platform Module

  • Hardware Security Module

  • Trusted Cryptographic Module

Correct answer: Cryptographic module

Cryptographic modules are dedicated devices used to perform cryptographic operations attached to another system. By keeping cryptographic key material on these devices, they better protect against malware and other attacks. Cryptographic modules may comply with FIPS 140-2, ISO/IEC 15408, or other standards.

Trusted Platform Modules (TPMs) are secure processors with requirements defined in ISO/IEC 11889. They can be used to perform cryptographic operations while ensuring that sensitive data (private keys, etc.) never leave the protected chip. A TPM has a private endorsement key (PEK) burned into it by the manufacturer that is vital to the security of the system.

Hardware security modules (HSMs) are standalone devices used to store cryptographic key material and perform cryptographic operations. Some HSMs may host hypervisors and virtual machines for secure computing. HSMs are commonly used by certificate authorities, financial institutions, and hardware wallets for cryptocurrency.

Trusted Cryptographic Module is a fabricated term.

99.

Which of the following involves calculating mathematical relationships between bits of the plaintext, ciphertext, and secret key?

  • Linear cryptanalysis

  • Differential cryptanalysis

  • Quantum cryptanalysis

  • Brute force attack

Correct answer: Linear cryptanalysis

Linear cryptanalysis creates systems of linear equations related to the bits of the plaintext, ciphertext, and secret key. These equations may allow an attacker to guess potential keys with higher probability than a brute-force search for vulnerable algorithms.

Differential cryptanalysis involves submitting similar plaintexts and examining the differences in ciphertexts. If an algorithm is vulnerable to differential cryptanalysis, this may reveal information about the secret key.

Quantum cryptanalysis uses the unique features of qubits in quantum computers to attack cryptographic algorithms. This has little impact on symmetric algorithms but can break some asymmetric ones. For example, the factoring and discrete logarithm problems are "hard" for classical computers but not for quantum ones, so RSA and similar algorithms will be broken once large enough quantum computers become available.

A brute force attack involves attempting to guess the private key used for encryption. This is guaranteed to succeed eventually, but cryptographic algorithms are designed to make this infeasibly long.

100.

Which of the following BEST protects against fraudulent activity within an organization?

  • Job rotation

  • Need to know

  • Separation of duties

  • Least privilege

Correct answer: Job rotation

Job rotation protects against fraudulent activities because it creates opportunities for employees rotated into a role to detect these activities and limits the opportunity of an employee to abuse their role and permissions.