ISC2 SSCP Exam Questions

Page 6 of 25

101.

Which of the following is NOT part of the first task of the ISO Standard 31000:2018 Risk Management Guidelines?

  • Identification

  • Scope

  • Context

  • Criteria

Correct answer: Identification

Risk identification is the process of finding, recognizing, and describing risks. It follows the establishment of the context and involves listing potential risks that could affect the organization. It is not part of the initial task of setting the scope, context, and criteria.

The ISO Standard 31000:2018 Risk Management Guidelines has three main tasks:

  1. Scope, context, criteria
  2. Risk assessment, including risk identification, analysis, and evaluation
  3. Risk treatment

102.

Which of the following is a library of standards for industrial process control?

  • ISA/IEC 62443

  • HITRUST CSF

  • NERC CIP

  • PCI DSS

Correct answer: ISA/IEC 62443

ISA/IEC 62443 is a collection of standards for the industrial process control environment.

The Health Information Trust Alliance Common Security Framework (HITRUST CSF) addresses the requirements of overlapping regulations for healthcare providers.

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) is a collection of cybersecurity best practices for the North American power sector.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to fight payment card fraud by protecting the sensitive data of cardholders.

103.

Which of the following limits the systems and information that a user has access to?

  • Least privilege

  • Need to know

  • Separation of duties

  • Defense in depth

Correct answer: Least privilege

Need to know defines what a user needs to know or access, but least privilege actually enforces those limits by defining access and permissions. 

Separation of duties divides responsibility for critical tasks between multiple users, and defense in depth deals with the importance of never relying on a single security control.

104.

At which stage of the chain of custody lifecycle does the chain of custody start?

  • Taking Possession or Custody of the Evidence Item

  • Creation

  • Recognition and Identification

  • Cataloging

Correct answer: Taking Possession or Custody of the Evidence Item

The chain of custody lifecycle includes the following stages:

  • Creation: Some action creates a piece of evidence.
  • Recognition and Identification: An investigator identifies the evidence as relevant to the investigation.
  • Taking Possession or Custody of the Evidence Item: The evidence is collected, and the chain of custody record begins.
  • Cataloging: Evidence is placed in an evidence bag and uniquely identified.
  • Protection, Preservation, or Control: The evidence custodian preserves the evidence either on-scene or in secure storage, and all future access or modifications to the evidence are documented.
  • Analysis: Various analysis techniques (destructive or non-destructive) are performed, ideally on a copy of the evidence.
  • Reporting: The results of the analysis are collected into a report.
  • Transfer: Control over the evidence is transferred to another location or party (such as law enforcement).
  • Retention: Evidence is securely stored against future need (analysis, legal action, etc.).
  • Destruction or Disposal: Evidence that is no longer needed is disposed of in accordance with applicable requirements.

105.

Which of the following is NOT one of the communications during post-incident recovery?

  • Cease operations

  • Back in business

  • Proceed with caution

  • Get the word out

Correct answer: Cease operations

The three communications included during post-incident recovery consist of the following:

  • Back in business
  • Proceed with caution
  • Get the word out

106.

Which of the following is NOT a common method for improving the security of high-risk or critical processes by adding redundancy?

  • Centralized logging

  • Majority vote

  • Split/shared knowledge

  • Dual/multiple control

Correct answer: Centralized logging

While important for security monitoring and auditing, centralized logging itself does not add redundancy to processes. It focuses on collecting and storing logs from various sources, rather than adding redundancy to critical process controls.

Dual/multiple control involves requiring multiple individuals to perform or approve actions, adding redundancy to ensure that no single person has complete control over a critical process. 

Split/shared knowledge involves distributing critical information among multiple individuals so that no single person has all the information, adding redundancy to reduce the risk of misuse. 

Majority vote uses redundant parallel processing elements (people or systems) that execute separately on the same inputs, adding redundancy to ensure the majority agrees upon decisions or actions.

107.

Public key infrastructure (PKI) as a whole can be BEST described as which of the following?

  • Hierarchy of trust

  • Chain of trust

  • Web of trust

  • Network of trust

Correct answer: Hierarchy of trust

In a hierarchy of trust, an anchor node delegates its authority and trust to other nodes. PKI systems are designed as hierarchies of trust with the root CA as the anchor node. A chain of trust exists between a root CA and a particular end entity.

In a web of trust, no anchor nodes exist, and chains of trust are created via peer-to-peer relationships. Network of trust is a fabricated term.

108.

You are configuring access control for a highly-matrixed organization where employees may wear multiple hats and perform a range of duties. Which access control method is likely the BEST fit?

  • ABAC

  • MAC

  • DAC

  • RBAC

Correct answer: ABAC

Attribute-Based Access Control (ABAC) assigns sets of attributes to each entity. Access control rules are implemented using Boolean logic that describes the combinations of attributes needed to access a resource or perform a particular action. This allows highly granular access control rules and is well suited to environments where employee roles are difficult to clearly define.

Mandatory Access Control (MAC) centrally manages control over files, applications, directories, etc. and denies users the ability to manage access to their own assets.

Discretionary Access Control (DAC) is the access control model built into most operating systems and allows the owner of an asset to manage privileges associated with it.

Role-Based Access Control (RBAC) assigns access and permissions based upon an entity's role within the organization, making it easier to implement least privilege and separation of duties.

109.

Traffic over port 443 is associated with which of the following protocols?

  • HTTPS

  • HTTP

  • DNS

  • SMTP

Correct answer: HTTPS

HTTPS is used for secure communication over the internet. Port 443 is the default port for HTTPS traffic, which ensures that data is encrypted during transmission.

HTTP uses port 80 by default and is the non-secure version of HTTPS.

DNS typically uses port 53 for DNS queries and responses.

SMTP uses port 25 for sending email.

110.

Which of the following is highest on the knowledge pyramid?

  • Wisdom

  • Data

  • Information

  • Knowledge

Correct answer: Wisdom

The knowledge pyramid from bottom to top is data, information, knowledge, wisdom, and insight.

111.

Before trusting a digital certificate, what should a client check?

  • CRL

  • PKI

  • DSA

  • RCA

Correct answer: CRL

The Certificate Revocation List (CRL) lists revoked digital certificates and should be consulted before trusting a digital certificate.

112.

Which of the following parts of CIANA is essential to achieving the others?

  • Authentication

  • Confidentiality

  • Integrity

  • Non-repudiation

Correct answer: Authentication

Confidentiality, integrity, and non-repudiation all make the assumption that the identities of users are known and verified. Therefore, authentication is essential for all of these.

113.

An attacker is monitoring the power consumption of a chip performing cryptographic operations. What type of attack are they performing?

  • Side-channel

  • Differential fault analysis

  • Brute-force

  • Linear cryptanalysis

Correct answer: Side-channel

Side-channel attacks use unintentional sources of information about a cryptographic implementation, such as time to encrypt or power consumption, to extract information about the secret key.

Differential fault analysis involves injecting faults into circuitry to cause errors that can reveal information about the secret key.

A brute-force attack involves attempting to guess the private key used for encryption. This is guaranteed to succeed eventually, but cryptographic algorithms are designed to make it take an infeasibly long time.

Linear cryptanalysis creates systems of linear equations related to the bits of the plaintext, ciphertext, and secret key. These equations may allow an attacker to guess potential keys with higher probability than a brute-force search for vulnerable algorithms.

114.

The Advanced Encryption Standard (AES) is a famous example of which type of encryption algorithm?

  • Block cipher

  • Stream cipher

  • Asymmetric encryption algorithm

  • Hash function

Correct answer: Block cipher

AES is a symmetric block cipher. It uses 128-bit blocks and the same key for both encryption and decryption.

115.

Which cloud deployment model offers an organization the best balance between customization and scalability, allowing it to tailor its infrastructure while still leveraging public cloud resources?

  • Hybrid

  • Private

  • Public

  • Community

Correct answer: Hybrid

Hybrid clouds combine public and private cloud deployments, allowing an organization to optimize cloud deployment for a particular use case.

Private cloud deployments are hosted on dedicated servers (owned or leased by a company), providing greater security but less flexibility and scalability.

Public cloud users share infrastructure owned by the cloud service provider, offering less privacy and security but greater flexibility and scalability.

Community clouds are shared cloud environments where multiple, collaborating organizations share resources.

116.

Which of the following protocols does NOT use port numbers?

  • ICMP

  • HTTP

  • DNS

  • SMTP

Correct answer: ICMP

Unlike other protocols such as HTTP (Hypertext Transfer Protocol), DNS (Domain Name System), and SMTP (Simple Mail Transfer Protocol), ICMP (Internet Control Message Protocol) does not use port numbers. ICMP is primarily used for sending error messages and operational information (e.g., "ping" requests) within a network.

HTTP typically uses port 80 for web traffic.

DNS uses port 53 to translate domain names into IP addresses.

SMTP uses port 25 for sending email between servers.

117.

In which network topology are the effects of a cable outage restricted to a single host?

  • Star

  • Token ring

  • Bus

  • Mesh

Correct answer: Star

Star topologies have all nodes connected to a central hub, switch, or router that relays the traffic. Star networks are more resilient because a cable outage affects only the endpoint that the cable connects to the central node.

Token rings create a ring of devices that allow traffic to flow one way around it. The network avoids collisions by using a token to determine who can send data.

Bus topologies have all nodes connected to a shared bus, and, while all nodes on the bus hear all traffic, only the intended recipient listens. Collision avoidance is achieved by listening for data on the line and sending only when it is quiet.

Mesh networks have nodes directly connected to other nodes. Mesh networks are the most resilient due to the number of redundant paths but are also more inefficient and expensive.

118.

Which of the following types of signals should trigger incident response activities?

  • IoC

  • Telltale

  • Precursor

  • Alarm

Correct answer: IoC

An Indicator of Compromise (IoC) indicates a real threat that should trigger an incident response. Precursors indicate that an attack may occur, and alarms and telltales may be caused by non-security related events.

119.

Which of the following is a type of network that might be created by a consortium of allied organizations?

  • Extranet

  • Demilitarized Zone

  • Segmented network

  • Microsegmentation

Correct answer: Extranet

Extranets are screened networks designed to host traffic with trusted partners such as vendors or suppliers.

A Demilitarized Zone (DMZ) is a subnet screened off from the rest of an organization's private network and used to host public-facing services such as email and web servers.

Network segmentation breaks a network into isolated zones where traffic between zones passes through a router or switch.

Microsegmentation treats each system or application as its own network zone, inspecting all traffic flowing to and from it. This is a key component of a zero-trust security strategy.

120.

Which of the following is NOT a protocol that runs on TCP?

  • DHCP

  • HTTP(S)

  • SSH

  • SMTP

Correct answer: DHCP

HTTP(S), SSH, and SMTP are all protocols that run on top of TCP, which provides more reliable connectivity. DHCP runs on UDP, which is a lighter-weight protocol.