ISC2 SSCP Exam Questions

Page 7 of 25

121.

Which of the following access management systems is MOST likely to be used on Windows systems?

  • Active Directory

  • LDAP

  • Kerberos

  • RADIUS

Correct answer: Active Directory

Active Directory is Microsoft's directory and identity management service and is the default on Windows domains. It is itself built on LDAP (for directory queries) and Kerberos (for authentication), which are also the usual building blocks on Linux and Unix systems. RADIUS is a separate AAA protocol commonly used in enterprise environments for network access (VPN, Wi-Fi, and switch-port authentication) rather than for managing the accounts themselves.

122.

An application allows "inappropriate" operations on data, such as adding two string variable types. This is made possible by the failure of which of the following?

  • Data typing

  • Data modeling

  • Data quality

  • Data validation

Correct answer: Data typing

Data typing refers to the enforcement of data types in programming, ensuring that operations on data are appropriate for the types involved (e.g., not allowing arithmetic operations on string variables). If an application allows "inappropriate" operations, such as adding two string variables, it indicates a failure in enforcing correct data typing.

Data modeling involves structuring and organizing data but does not directly control the types of operations allowed on the data.

Data quality refers to the accuracy, consistency, and reliability of data, but it does not address the enforcement of data types or operations.

Data validation ensures that data input meets specific criteria but does not typically handle the enforcement of data types during operations.

123.

At which stage of the lifecycle of a data exfiltration attack might unusual access patterns to sensitive data, such as bulk access or unauthorized aggregation, trigger detection by access control monitoring?

  • Identify, select, acquire, and aggregate data

  • Reconnaissance

  • Establish command and control

  • Exfiltrate data

Correct answer: Identify, select, acquire, and aggregate data

During the "Identify, select, acquire, and aggregate data" stage, the attacker is gathering and aggregating the data they intend to exfiltrate. Access control monitoring might detect unusual patterns of access, such as bulk retrieval of sensitive data or attempts to access data without proper authorization, which could trigger alerts.

The reconnaissance stage involves the attacker gathering information about the target environment. It is more about information gathering than direct interaction with sensitive data, making it less likely to trigger access control monitoring.

The establish command and control stage involves setting up a persistent connection to the compromised system. While important for the attack, it doesn’t directly involve accessing or aggregating data that would trigger access control alerts.

While access control monitoring can detect data exfiltration attempts, the focus here is on detecting suspicious activities during the data aggregation stage rather than the final exfiltration stage.
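The detection described above, as an added example that is not part of the original question set: a small Python monitor that runs over constructed access-log lines and raises two kinds of alert, an unauthorized read (user not on the object's access list) and bulk access (a single user touching at least 25 distinct sensitive records inside a five-minute window). The log format, the ACL, the threshold, and the window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format assumed for this example (constructed, not a real product's format):
#   2024-05-02T09:00:00Z user=bob action=read object=customer_record id=2000
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) id=(?P<id>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical authorization matrix: which users may read each object class.
ACL = {"customer_record": {"alice", "bob"}, "payroll": {"dana"}}
BULK_THRESHOLD = 25            # distinct records by one user within WINDOW
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect(lines):
    """Return (kind, user, object, detail) alerts for unauthorized and bulk reads."""
    alerts = []
    recent = defaultdict(deque)       # (user, obj) -> deque of (ts, record id)
    already_flagged = set()           # alert once per (user, obj) to avoid a flood
    for line in sorted(lines):        # ISO-8601 timestamps sort lexically
        ev = parse_line(line)
        if ev is None or ev["action"] != "read":
            continue
        # Unauthorized access: the user is not on the object's access list at all.
        if ev["user"] not in ACL.get(ev["obj"], set()):
            alerts.append(("UNAUTHORIZED", ev["user"], ev["obj"], ev["id"]))
            continue
        # Bulk access / aggregation: sliding window of distinct record ids per user.
        key = (ev["user"], ev["obj"])
        q = recent[key]
        q.append((ev["ts"], ev["id"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = len({rid for _, rid in q})
        if distinct >= BULK_THRESHOLD and key not in already_flagged:
            already_flagged.add(key)
            alerts.append(("BULK_ACCESS", ev["user"], ev["obj"], distinct))
    return alerts


def build_sample_log():
    """Constructed sample events (not real data): one normal user, one bulk
    reader, and one user reading an object class they are not allowed to."""
    t0 = datetime(2024, 5, 2, 9, 0, 0)
    fmt = "{ts} user={u} action=read object={o} id={i}"

    def line(offset, u, o, i):
        return fmt.format(ts=(t0 + offset).strftime(TS_FMT), u=u, o=o, i=i)

    # alice: three customer lookups spread over an hour (normal behaviour)
    lines = [line(timedelta(minutes=m), "alice", "customer_record", 1000 + n)
             for n, m in enumerate((1, 25, 55))]
    # bob: 40 distinct customer records in two minutes (aggregation for exfiltration)
    lines += [line(timedelta(seconds=3 * n), "bob", "customer_record", 2000 + n)
              for n in range(40)]
    # carol: reads payroll without being on its ACL
    lines.append(line(timedelta(minutes=30), "carol", "payroll", 77))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The monitor alerts on bob as soon as the 25th distinct record is read (72 seconds into his session) and on carol's single payroll read; alice's normal pace never trips the threshold. In production the threshold and window would be tuned per object class, and the "alert once" suppression would be reset when the window empties.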

124.

Which of the following is NOT a comprehensive risk management framework?

  • PCI DSS

  • FIPS

  • NIST CSF

  • ITIL

Correct answer: PCI DSS

PCI DSS is a prescriptive compliance standard scoped to cardholder data and the systems that store, process, or transmit it, rather than a general-purpose risk management framework. NIST CSF, FIPS, and ITIL are broader frameworks and standards that apply across an organization's systems and services.

125.

Which ARP variant is used to discover the IP address of a remote device when its MAC address is already known?

  • Inverse ARP

  • Reverse ARP

  • Proxy ARP

  • Gratuitous ARP

Correct answer: Inverse ARP

Inverse ARP (InARP, RFC 2390) resolves a known data-link address to its IP address, the reverse of normal ARP. It is used in Frame Relay, ATM, and similar virtual-circuit networks, where the data-link identifier is the circuit (for example, a Frame Relay DLCI) rather than a MAC address, so that a device can learn the IP address of the device at the far end of each circuit.

Reverse ARP is used to allow a device to learn its own IP address based on its MAC address, not to discover the IP address of a remote device.

Proxy ARP allows a router to respond to ARP requests on behalf of another device, but it is not used to discover the IP address of a remote device based on a known MAC address.

Gratuitous ARP is when a device sends an unsolicited ARP request or reply for its own IP address, often to detect duplicate IP addresses or to update other hosts' ARP tables after a change (which is also why it is abused for ARP spoofing). It is not used for discovering remote IP addresses.
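As an added example (not part of the original question set), the following Python parses raw Ethernet/IPv4 ARP payloads and labels the variants discussed above by opcode (ARP, RARP, and InARP, per RFC 826, RFC 903, and RFC 2390), detects gratuitous ARP (sender and target IP equal), and runs a simple IP-to-MAC conflict check over a constructed packet sequence in which a second MAC later claims the gateway's address. The addresses and packet sequence are constructed for the example.

```python
import struct

# Opcodes from RFC 826 (ARP), RFC 903 (RARP) and RFC 2390 (InARP).
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request",
           4: "RARP reply", 8: "InARP request", 9: "InARP reply"}


def _mac_to_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip_to_bytes(s):
    return bytes(int(o) for o in s.split("."))


def _mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_to_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used here to construct test data)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, op
    return header + _mac_to_bytes(sha) + _ip_to_bytes(spa) + _mac_to_bytes(tha) + _ip_to_bytes(tpa)


def parse_arp(payload):
    """Parse an ARP payload into a dict; only Ethernet/IPv4 ARP is handled."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "op": OPCODES.get(op, f"unknown({op})"),
        "sha": _mac_to_str(sha), "spa": _ip_to_str(spa),
        "tha": _mac_to_str(tha), "tpa": _ip_to_str(tpa),
        # Gratuitous ARP: a request or reply in which the sender announces its own IP.
        "gratuitous": op in (1, 2) and spa == tpa,
    }


def detect_arp_conflicts(payloads):
    """Learn IP->MAC bindings from ARP replies and gratuitous ARPs and report
    (ip, first_mac, new_mac) whenever a second MAC claims an already-seen IP,
    the classic symptom of ARP spoofing. The first binding is kept."""
    table, alerts = {}, []
    for raw in payloads:
        p = parse_arp(raw)
        if p["op"] == "ARP reply" or p["gratuitous"]:
            known = table.get(p["spa"])
            if known is not None and known != p["sha"]:
                alerts.append((p["spa"], known, p["sha"]))
            else:
                table[p["spa"]] = p["sha"]
    return alerts


# Constructed sample traffic (hypothetical addresses).
GW_MAC = "aa:bb:cc:00:00:01"
HOST_MAC = "aa:bb:cc:00:00:42"
ATTACKER_MAC = "de:ad:be:ef:00:99"
SAMPLE = [
    build_arp(1, HOST_MAC, "192.168.1.42", "00:00:00:00:00:00", "192.168.1.1"),  # who has 192.168.1.1?
    build_arp(2, GW_MAC, "192.168.1.1", HOST_MAC, "192.168.1.42"),              # gateway answers
    build_arp(2, GW_MAC, "192.168.1.1", GW_MAC, "192.168.1.1"),                 # gratuitous announcement
    build_arp(3, HOST_MAC, "0.0.0.0", "00:00:00:00:00:00", "0.0.0.0"),          # RARP: what is my own IP?
    build_arp(8, HOST_MAC, "192.168.1.42", GW_MAC, "0.0.0.0"),                  # InARP: what IP is at that L2 address?
    build_arp(2, ATTACKER_MAC, "192.168.1.1", HOST_MAC, "192.168.1.42"),        # attacker claims the gateway IP
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_arp(raw))
    print("conflicts:", detect_arp_conflicts(SAMPLE))
```

The conflict check is deliberately naive (it trusts the first binding it sees); a real monitor would seed the table from DHCP leases or a known inventory so that an attacker who answers first does not become the trusted entry.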

126.

Which of the following is NOT a protocol that operates at multiple layers of the OSI model?

  • TCP

  • DNS

  • ARP

  • NAT

Correct answer: TCP

TCP (Transmission Control Protocol) operates at the Transport layer (Layer 4) of the OSI model. It is responsible for providing reliable, ordered, and error-checked delivery of data between applications.

The other options provided all operate at multiple layers of the OSI model.

DNS (Domain Name System) operates at both the Application layer (Layer 7) and the Transport layer (Layer 4). It uses UDP for queries and sometimes TCP for larger data transfers or zone transfers.

ARP (Address Resolution Protocol) operates mainly at the Data Link layer (Layer 2) and the Network layer (Layer 3). It is used to map IP addresses to MAC addresses. 

NAT (Network Address Translation) also operates at multiple layers: primarily the Network layer (Layer 3), where it rewrites source or destination IP addresses in packet headers, and the Transport layer (Layer 4) when port address translation (PAT/NAPT) also rewrites TCP or UDP port numbers so that many internal hosts can share one public address.

127.

An organization wants to ensure that contracts with customers do not leave corporate systems. Which of the following data loss prevention (DLP) strategies is BEST suited to this?

  • Partial Document Matching

  • Exact File Matching

  • Machine Learning

  • Predefined Patterns/Categories

Correct answer: Partial Document Matching

Data Loss Prevention (DLP) systems can use various techniques to identify data exfiltration, including:

  • Rule-Based: Uses regular expressions (regexes) or Boolean expressions to define data types of interest. For example, credit card numbers are well-structured data, making them well suited to rule-based detection.
  • Database Fingerprinting: Searches for subsets of data from a particular source, such as a set of records from a database.
  • Exact File Matching: Uses file digests/hashes to detect the exfiltration of complete, sensitive files from an organization.
  • Partial Document Matching: Defines some of the content for a restricted document, such as the template used to create sensitive forms, reports, contracts, etc.
  • Conceptual/Lexicon: Combines restricted wordlists, rules, and regular expressions to identify exfiltration of data likely to be restricted.
  • Machine Learning: Helps to identify the use of non-standard encryption algorithms for data exfiltration based on entropy, etc.
  • Predefined Patterns/Categories: Used to identify particular types of structured data within a given field, such as payment card or healthcare information.
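As an added example (not part of the original question set), the following Python contrasts the two techniques most relevant to the contract scenario: exact file matching via a SHA-256 digest of the whole document, and partial document matching via word 5-gram shingles of a template with a containment score (the fraction of the template's shingles that appear in the inspected document). The contract template, the filled-in copy, the unrelated e-mail, and the 0.3 blocking threshold are all constructed for the example.

```python
import hashlib
import re


def file_digest(data: bytes) -> str:
    """Exact file matching: a digest of the entire file contents."""
    return hashlib.sha256(data).hexdigest()


def shingles(text: str, k: int = 5) -> set:
    """Partial document matching: the set of k-word windows in a text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


class ContractPolicy:
    """DLP rule for one restricted template; hypothetical, not a product API."""

    def __init__(self, template: str, threshold: float = 0.3, k: int = 5):
        self.digest = file_digest(template.encode())
        self.k = k
        self.fingerprint = shingles(template, k)
        self.threshold = threshold

    def exact_match(self, doc: str) -> bool:
        return file_digest(doc.encode()) == self.digest

    def partial_score(self, doc: str) -> float:
        # Containment: how much of the template survives in the document.
        if not self.fingerprint:
            return 0.0
        return len(self.fingerprint & shingles(doc, self.k)) / len(self.fingerprint)

    def inspect(self, doc: str) -> dict:
        exact = self.exact_match(doc)
        score = self.partial_score(doc)
        return {"exact": exact, "partial": round(score, 2),
                "block": exact or score >= self.threshold}


# Constructed sample documents (hypothetical text, not real contracts).
TEMPLATE = """MASTER SERVICES AGREEMENT
This Master Services Agreement is entered into between the Company and the Client.
The Client agrees to pay the fees set out in Schedule A within thirty days of invoice.
Either party may terminate this agreement with ninety days written notice.
This agreement is governed by the laws of the State of Delaware.
Confidential information disclosed under this agreement shall not be shared with third parties."""

# A signed contract built from the template: one term edited, signature block appended.
FILLED = TEMPLATE.replace("thirty", "forty-five") + \
    "\nSigned on 2 May 2024 by Acme Corp and Globex LLC."

UNRELATED = "Hi team, lunch is at noon on Friday in the main kitchen. Please reply if you are coming."

if __name__ == "__main__":
    policy = ContractPolicy(TEMPLATE)
    for name, doc in (("template", TEMPLATE), ("filled", FILLED), ("unrelated", UNRELATED)):
        print(name, policy.inspect(doc))
```

Exact matching only fires on a byte-identical copy; a single edited word defeats it, while the same edited contract still shares over 90% of the template's shingles and is blocked by the partial match. The threshold is a tuning decision: too low and ordinary boilerplate (a quoted termination clause in an e-mail) triggers false positives, too high and a heavily edited contract slips through.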

128.

Which of the following is NOT a port commonly used for file transfers?

  • 22

  • 20

  • 21

  • 69

Correct answer: 22

Port 22 is used for SSH, a secure protocol for remotely managing a computer. FTP uses ports 20 (data) and 21 (control), and TFTP uses UDP port 69 for file transfers. Note that SFTP and SCP also transfer files over an SSH connection on port 22; the question treats 22 as a remote-administration port rather than a dedicated file-transfer port.

129.

Which of the following OSI layers does NOT map to the Application layer in the TCP/IP model?

  • Transport

  • Session

  • Presentation

  • Application

Correct answer: Transport

In the TCP/IP model, the Application layer maps to the Session, Presentation, and Application layers of the OSI model. The Transport layer in TCP/IP maps to the Transport layer in OSI.

130.

Which of the following is NOT a protocol used by VPNs?

  • SSH

  • TLS

  • IPsec

  • PPTP

Correct answer: SSH

TLS, IPsec, and PPTP are all protocols used by VPNs (PPTP is obsolete and should no longer be deployed). SSH provides secure remote access to a computer and can forward individual ports or act as a SOCKS proxy, but it is not a VPN protocol.

131.

Which of the following protocols was developed by the National Science Foundation (NSF) to provide AAA in a single service?

  • RADIUS

  • TACACS+

  • LDAP

  • AD

Correct answer: RADIUS

The Remote Authentication Dial-In User Service (RADIUS) originated in the early 1990s from work for the NSF-funded Merit Network (the original implementation came from Livingston Enterprises) and was later standardized by the IETF (RFC 2865 for authentication and authorization, RFC 2866 for accounting). It provides Authentication, Authorization, and Accounting (AAA) in a single service, runs over UDP, and obfuscates only the password attribute rather than the whole packet.

The Terminal Access Controller Access Control System Plus (TACACS+) descends from TACACS, which was developed for the US Department of Defense and was later taken over and extended by Cisco. TACACS+ separates Authentication, Authorization, and Accounting (AAA) into independent components, uses TCP (port 49) for network transport, and encrypts the entire packet body, which is why it is generally preferred for network device administration.

The Lightweight Directory Access Protocol (LDAP) is derived from the X.500 Directory Access Protocol standard to take advantage of the IP protocol suite. It organizes information about users into a directory tree structure where each entry has a unique Distinguished Name (DN) and associated attributes.

Active Directory (AD) is Microsoft's proprietary directory service; it must run on Windows Server but can authenticate other types of devices. The domain controller, which runs Active Directory Domain Services (AD DS), handles entity authentication (via Kerberos or NTLM) and authorization, with LDAP used to query the directory.

132.

Which of the following is MOST closely related to regulatory oversight?

  • Transparency

  • Integrity

  • Availability

  • Safety

Correct answer: Transparency

Transparency deals with the ability of regulators, auditors, and other authorities to view and audit data.

133.

In the CIANA acronym, which component is primarily concerned with preventing unauthorized access to sensitive information?

  • Confidentiality

  • Integrity

  • Availability

  • Non-repudiation

Correct answer: Confidentiality

Confidentiality is specifically focused on preventing unauthorized access to sensitive information. It ensures that data is only accessible to those who have the necessary permissions, protecting it from being exposed to unauthorized individuals.

The CIANA acronym stands for:

  • Confidentiality: Limiting who has access to data
  • Integrity: Protecting the completeness and correctness of data
  • Availability: Ensuring that data is available in a timely manner and usable format
  • Non-Repudiation: Preventing someone from denying that they took an action
  • Authentication: Verifying that a user, system, or the origin of a message is what it claims to be

134.

Which cryptographic attack would not work if the communicating parties exchanged digital certificates rather than public keys?

  • Man-in-the-Middle attack

  • Side channel attack

  • Meet-in-the-Middle attack

  • Related key attack

Correct answer: Man-in-the-Middle attack

Man-in-the-Middle (MitM) attacks involve an attacker interposing themselves in a communication to view and potentially modify the data being sent. By intercepting the handshake, an attacker can substitute their own public key for each party's, so that each side unknowingly encrypts to, and accepts signatures from, the attacker. Digital certificates defeat this substitution by binding an identity to a public key under a CA's signature, but only if each party actually validates the certificate: the chain to a trusted root, the subject name against the expected peer, and expiry and revocation status. A client that skips validation, or trusts any certificate presented to it, is still vulnerable to an attacker who presents a certificate of their own.

Side-channel attacks use unintentional sources of information about a cryptographic implementation, such as time to encrypt or power consumption, to extract information about the secret key.

Meet-in-the-Middle attacks apply to encryption of data with multiple iterations of the same algorithm, such as Triple DES (3DES). The attacker works forward from a known plaintext (encrypting under every candidate first key) and backward from the matching ciphertext (decrypting under every candidate last key) to find a matching intermediate value, trading memory for time. With a Meet-in-the-Middle attack, 3DES with three independent 56-bit keys has an effective strength of 112 bits rather than its nominal 168 bits, and double DES would offer only about 57 bits, which is why double encryption with DES was never adopted.

Related-key attacks exploit a cipher being used with several keys that have a known mathematical relationship, such as keys that differ in only a few bits. The classic case is WEP, which builds each RC4 key by prepending a 24-bit IV to the fixed secret key; an attacker who collects enough packets with related keys can recover the secret.
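To make the time/memory trade-off concrete, here is an added example (not from the original page) in Python that runs a meet-in-the-middle key recovery against double encryption with a deliberately tiny toy cipher: a 16-bit block, a 12-bit key, a constructed key schedule, and the PRESENT S-box. It is not DES and is not secure; it exists only so the search finishes in seconds. Brute force over both keys would cost 2^24 trials; the attack costs about 2^13 cipher operations plus a 2^12-entry table, the same structural reduction that takes 3DES from a nominal 168 bits to 112.

```python
# Toy 16-bit block cipher with a 12-bit key, built only to make the
# meet-in-the-middle search run in seconds. It is NOT DES and not secure.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]      # PRESENT S-box
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS, KEY_BITS, MASK = 4, 12, 0xFFFF


def _round_keys(key):
    """Constructed key schedule: rotate the 12-bit key, widen to 16 bits."""
    rks = []
    for r in range(ROUNDS + 1):
        k = ((key << r) | (key >> (KEY_BITS - r))) & 0xFFF
        rks.append((k << 4) ^ r)
    return rks


def _sub(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit value."""
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def _rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def encrypt(block, key):
    rks = _round_keys(key)
    x = block & MASK
    for r in range(ROUNDS):
        x = _rotl(_sub(x ^ rks[r], SBOX), 5)
    return x ^ rks[ROUNDS]


def decrypt(block, key):
    rks = _round_keys(key)
    x = (block & MASK) ^ rks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        x = _sub(_rotl(x, 11), INV_SBOX) ^ rks[r]   # rotl by 11 undoes rotl by 5
    return x


def double_encrypt(block, k1, k2):
    """C = E_k2(E_k1(P)), the construction the attack targets."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.
    Cost: 2 * 2**KEY_BITS cipher operations plus a 2**KEY_BITS-entry table,
    instead of 2**(2*KEY_BITS) trials for brute force over both keys."""
    p0, c0 = pairs[0]
    # Forward half: every possible intermediate value E_k1(p0), keyed by value.
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt(p0, k1), []).append(k1)
    # Backward half: D_k2(c0) for every k2; a hit in the table is a candidate pair.
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(decrypt(c0, k2), ()):
            # With a 16-bit block, one pair yields ~2**8 false matches; the
            # remaining pairs filter them out.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC51                       # hypothetical secret keys
    plaintexts = (0x1234, 0xBEEF, 0x0001)       # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The number of known pairs needed is governed by the block size: each extra pair divides the false-candidate count by 2^16 here (2^64 for DES), so two or three pairs are enough to isolate the true key pair.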

135.

Which of the following wireless security protocols offers the WORST security?

  • WEP

  • WPA

  • WPA2

  • WPA3

Correct answer: WEP

Wired Equivalent Privacy (WEP) is the oldest and weakest wireless security protocol. It has significant vulnerabilities, including flaws in its encryption algorithm, making it relatively easy for attackers to crack. Due to these weaknesses, WEP is considered obsolete and should not be used for securing wireless networks.

WPA (Wi-Fi Protected Access) was introduced as an interim improvement over WEP, adding TKIP with per-packet key mixing and a message integrity check, but it still relies on the RC4 cipher and has known weaknesses compared to later protocols.

WPA2 (Wi-Fi Protected Access 2) replaced TKIP/RC4 with AES-CCMP. It has been the standard for many years and offers strong security for most environments, although WPA2-Personal remains exposed to offline dictionary attacks against weak pre-shared keys, because the four-way handshake can be captured and cracked offline.

WPA3 (Wi-Fi Protected Access 3) is the latest and most secure wireless security protocol. Its Simultaneous Authentication of Equals (SAE) handshake replaces the pre-shared-key handshake, resists offline dictionary attacks, and provides forward secrecy for each session.

136.

The risk that data will be exposed via shoulder surfing is an endpoint data security concern that falls under which of the following categories?

  • Data display and output

  • Data download/copy

  • Data remanence

  • Human covert paths

Correct answer: Data display and output

Some examples of data security risks on the endpoint include:

  • Data Display and Output: In general, users will only be able to work with decrypted data, which means that data is at risk when displayed/output for a user. Shoulder surfing, malware, and screen capture tools are risks to confidentiality at this stage.
  • Data Download/Copy: Data may be protected at its primary storage location but may be placed at risk when downloaded or copied to another device. This may occur with or without a user's knowledge/consent.
  • Data Remanence: After data is decrypted for use, it may remain within a computer's memory for some time even after the session is complete. This data may be vulnerable to collection by malware or digital forensics tools.
  • Human Covert Paths: Humans may intentionally or unintentionally expose data to a third party by combining unclassified information from multiple sources. For example, sensitive information about an organization's capabilities or existing contracts may be included or implied within a proposal to a third party.

137.

What is the first 802.11 standard to support multiple frequency bands?

  • n

  • a

  • b

  • g

Correct answer: n

802.11n is the first wireless standard to support both 2.4 and 5 GHz frequencies.

138.

Which of the following is a Layer 3 attack?

  • Routing attack

  • ARP spoofing attack

  • VLAN hopping attack

  • SSID spoofing

Correct answer: Routing attack

Routing attacks, such as injecting false routes into RIP or another routing protocol, target IP forwarding and therefore occur at Layer 3 of the OSI model.

ARP spoofing, VLAN hopping, and SSID spoofing are all Layer 2 attacks: they manipulate MAC-to-IP mappings, 802.1Q tagging, and the 802.11 link layer respectively.

139.

At which layer of the OSI model is routing and switching performed?

  • Layer 3

  • Layer 4

  • Layer 2

  • Layer 5

Correct answer: Layer 3

ISO's Open Systems Interconnect Reference Model has seven layers.  From bottom to top, they are the following:

  • Physical (Layer 1): The Physical layer performs the transmission of bits over the network using electricity, photons, radio waves, or other means.  Network topologies are defined at the Physical layer based on the connections via physical links between different systems' NICs.
  • Data Link (Layer 2): The Data Link layer encapsulates packets into frames and frames into bits, sends traffic over the physical layer, and provides error control, flow control, synchronization, and alerting. MAC addresses work at Layer 2, and Layer 2 devices include bridges, NICs, layer 2 switches, and firewalls (modems are usually placed at the Layer 1/2 boundary).
  • Network (Layer 3): The Network layer performs routing and switching of packets using IP addresses and provides congestion control, error handling, and packet sequencing. Routers, layer 3 switches, and firewalls operate at Layer 3.
  • Transport (Layer 4): The Transport layer moves streams of data from source to destination. The TCP and UDP protocols are defined at the Transport layer.
  • Session (Layer 5): The Session layer manages a complete communication session between two systems, including performing synchronization and remembering session credentials.
  • Presentation (Layer 6): The Presentation layer translates the data and formats used by Layer 7 applications into the formats needed by lower levels of the OSI stack. This includes serialization and deserialization of data from independent fields to a stream of data.
  • Application (Layer 7): The Application layer is where the two applications at the end of a network session communicate with one another. Protocols like HTTP(S), FTP, and SSH operate at the Application layer.

140.

Which of the following is NOT one of the three main tasks of the ISO Standard 31000:2018 Risk Management Guidelines?

  • Monitoring and review

  • Scope, context, criteria

  • Risk assessment

  • Risk treatment

Correct answer: Monitoring and review

While monitoring and review are important aspects of a comprehensive risk management process, they are not listed as one of the three main tasks in the ISO 31000:2018 Risk Management Guidelines. These guidelines focus on the systematic approach to managing risk, but monitoring and review are part of the ongoing risk management process rather than one of the core tasks.

The scope, context, criteria task involves defining the scope of the risk management process, understanding the external and internal context, and establishing the criteria against which risks will be evaluated.

Risk assessment includes the identification, analysis, and evaluation of risks. It is a fundamental component of the risk management process where potential risks are identified and assessed for their impact and likelihood.

Risk treatment involves selecting and implementing measures to modify risk. This may include avoiding, mitigating, transferring, or accepting risks depending on the organization's risk tolerance and the nature of the risks.