ISC2 SSCP Exam Questions
21.
Which of the following metrics enforces a timeline for recovery after a risk event?
- RTO
- MAO
- MTTR
- RPO
Correct answer: RTO
The recovery time objective (RTO) is the maximum acceptable time to restore operations after a risk event.
The maximum allowable outage (MAO) is the longest time that a risk event can prevent business operations without causing unacceptable harm to the business. The mean time to repair (MTTR) measures the average amount of time required to restore a failed component to normal operation. The recovery point objective (RPO) measures the maximum acceptable amount of data loss due to a risk event.
22.
Which CVSS metric is influenced by the availability of an exploit for a particular vulnerability?
- Temporal
- Base
- Environmental
- Intrinsic
Correct answer: Temporal
The Temporal metric group in the Common Vulnerability Scoring System (CVSS) includes factors that change over time, such as the availability of an exploit for a particular vulnerability. This metric helps assess how the risk associated with a vulnerability might evolve as new information, such as the existence of an exploit, becomes available.
The Base metric group assesses the intrinsic qualities of a vulnerability that are constant over time, such as the vulnerability's impact and ease of exploitation, without considering factors like the availability of an exploit.
The Environmental metric group considers factors specific to an organization's environment, such as the potential impact of a vulnerability on that environment. It does not directly address the availability of an exploit.
While "intrinsic" might suggest inherent qualities, it's not a specific metric group within the CVSS framework. The Base metric group would be the closest match, focusing on the inherent characteristics of the vulnerability.
23.
Which of the following defines eight privacy principles?
- OECD
- GDPR
- PCI DSS
- HIPAA
Correct answer: OECD
The Organization for Economic Cooperation and Development (OECD) defines eight privacy principles used worldwide. GDPR, PCI DSS, and HIPAA are all privacy-related regulations.
24.
At which point of the NIST incident handling checklist should the incident response team be collecting evidence?
- Containment, Eradication, and Recovery
- Detection and Analysis
- Report Generation and Legal Action
- Post-Incident Activity
Correct answer: Containment, Eradication, and Recovery
Evidence can only be collected after the incident is detected and identified and before it is destroyed by recovery efforts. This makes it necessary to collect this evidence during the Containment, Eradication, and Recovery phase of the incident handling process.
25.
The importance of which of the following is greater in the public cloud than in other environments?
- Data encryption
- Virtual networking
- Virtual storage
- Virtualization
Correct answer: Data encryption
Data encryption helps to isolate and protect customer data from other cloud users.
Virtualization provides greater flexibility and scalability than on-prem infrastructure. Virtual networking enables network infrastructure to adapt rapidly, allowing data and apps to be relocated as needed. Virtual storage definitions and management allow customizable data backup, migration, and other policies for Business Continuity/Disaster Recovery (BC/DR) policies.
26.
Which of the following is NOT something that is useful to assess or estimate for an information systems asset?
- Depreciation
- Value
- Cost
- Loss or impact
Correct answer: Depreciation
The value, cost, and loss or impact are valuable to estimate or assess for an information systems asset. Depreciation is related to the value of an asset.
27.
A keycard-enabled smart lock on a door is an example of what type of control?
- Physical
- Technical
- Logical
- Administrative
Correct answer: Physical
Locks manage physical access, so they are physical risk mitigation controls. Technical/logical controls such as access controls manage risk on a computer. Administrative controls are policies and procedures.
28.
An SSCP wants to evaluate their organization's ability to identify security incidents. Which metric do they need to track?
- MTTD
- MTTF
- MTTR
- MTTE
Correct answer: MTTD
Mean time to detect (MTTD) is the average time it takes an organization to detect a potential intrusion.
Mean time to respond (MTTR) is the average time to contain an incident after it has been discovered. Mean time to eradicate (MTTE) is the average time it takes to eradicate a detected incident. Mean time to failure (MTTF) is the average time until a particular component will fail. It is not related to incident response.
29.
Which of the steps in the NIST Risk Management Framework (RMF) directly feeds into all other phases?
- Prepare
- Assess
- Monitor
- Implement
Correct answer: Prepare
The Prepare phase feeds into all other phases of the NIST RMF, while the others generally move through a cycle from phase to phase.
30.
An insurance provider is MOST likely to be a part of which risk treatment strategy?
- Transfer
- Accept
- Mitigate
- Avoid
Correct answer: Transfer
In risk management, transfer refers to the strategy of shifting the risk to a third party, such as through insurance. By purchasing insurance, an organization transfers the financial impact of certain risks (e.g., damage, liability, or loss) to the insurance provider, making the insurance provider a key part of the risk transfer strategy.
Accept means the organization acknowledges the risk and decides to deal with the potential impact without transferring, mitigating, or avoiding it. An insurance provider is not typically involved in this strategy.
Mitigation involves taking steps to reduce the likelihood or impact of a risk. While insurance can be part of an overall risk management plan, mitigation usually involves internal actions, not transferring risk to another party.
The avoid strategy involves changing plans or processes to eliminate the risk. Insurance does not play a role in avoiding risks, as it deals with managing the impact of risks that cannot be avoided.
31.
Which IAM protocol divides the three A's into separate components of a single protocol?
- TACACS+
- RADIUS
- LDAP
- AD
Correct answer: TACACS+
The Remote Authentication Dial-In User Service (RADIUS) was developed by the NSF in the early 1990s to provide Authentication, Authorization, and Accounting (AAA) in a single service.
The Terminal Access Controller Access Control System Plus (TACACS+) was developed by the US Department of Defense and later taken over by Cisco. TACACS+ divides Authentication, Authorization, and Accounting (AAA) into separate components and uses TCP for network transport.
The Lightweight Directory Access Protocol (LDAP) is derived from the X.500 Directory Access Protocol standard to take advantage of the IP protocol suite. It organizes information about users into a directory tree structure where each entry has a unique Distinguished Name (DN) and associated attributes.
Active Directory is a Microsoft-proprietary protocol that must be run on Windows Server but can support other types of devices. The domain controller, which runs Active Directory Domain Services (AD DS), handles entity authentication and authorization.
32.
Which of the following describes the terms of the relationship between a service provider and customer?
- SLA
- NDA
- KPI
- AUP
Correct answer: SLA
An SLA (Service Level Agreement) is a formal document that defines the terms of the relationship between a service provider and a customer. It specifies the expected level of service, performance metrics, responsibilities, and remedies for any breaches of the agreement. The SLA is key to outlining what the customer can expect from the service provider and what actions will be taken if those expectations are not met.
A Non-Disclosure Agreement (NDA) protects the sensitive information disclosed by one or both parties from disclosure.
Key Performance Indicators (KPIs) are a metric by which success is measured.
An Acceptable Use Policy (AUP) describes how corporate systems can be used.
33.
Which testing methodology is MOST likely to be influenced by inaccuracies in the documentation of an organization's IT architecture and security solutions?
- White-box
- Gray-box
- Black-box
- Rainbow-box
Correct answer: White-box
In a black-box evaluation, the tester is given no special knowledge of the design of the system under test or access to it. This simulates an attack by an external threat actor who needs to do their own reconnaissance and identify and exploit an attack vector for access.
In a gray-box evaluation, the tester is provided with some knowledge of the system and limited access. This best simulates an attack by a trusted insider with no special knowledge of the system (like an average employee).
In a white-box evaluation, the tester is granted full documentation of the system and often privileged access. This simulates an attack by a trusted, privileged insider like a system administrator.
Rainbow-box is a fabricated term.
34.
What is the term for a backup site which can take over operations after recovering a small amount of data from storage?
- Hot backup
- Cold backup
- Active backup
- Passive backup
Correct answer: Hot backup
Hot backups use two geographically separated sites where the backup is updated regularly. The primary site keeps a log of actions taken since the last backup, enabling the backup to catch up if the primary site fails.
Cold backups create a backup site but do not keep the backup site up to date. If the primary site fails, the cold site is brought online and up to date based on archival data storage.
Active and passive backups are fabricated terms.
35.
Which of the following deals with translating business logic to data items and placing constraints on their use?
- Data modeling
- Data typing
- Data quality
- Data validation
Correct answer: Data modeling
Data models describe the data elements used to implement business logic and the constraints on their use.
Data types describe how a program can interact with a particular data item, such as preventing the addition of strings.
Data within an application may be incorrect or may change over time, and user input may fail to match previously submitted data because of changes, typos, and similar errors. Data quality efforts attempt to identify and address these issues so that related information stays consistent within an application.
Data validation is not a core process associated with software data errors.
36.
Which of the following is used to ensure that data is sent to the correct party?
- TLS
- TCP
- UDP
- ICMP
Correct answer: TLS
TLS (Transport Layer Security) is a cryptographic protocol designed to provide secure communication over a computer network. It ensures data is sent to the correct party by establishing an encrypted connection and verifying the identity of the parties involved through the use of digital certificates.
While TCP (Transmission Control Protocol) provides reliable, ordered, and error-checked delivery of data between applications, it does not inherently ensure that data is sent to the correct party. It focuses on establishing connections and delivering data reliably.
UDP (User Datagram Protocol) is a connectionless protocol that provides no guarantees for delivery, order, or error correction, nor does it verify the recipient of the data.
ICMP (Internet Control Message Protocol) is used for network diagnostics and error messages (e.g., ping), not for ensuring that data is sent to the correct party.
37.
Which wireless infrastructure mode has multiple wireless access points with the same extended service set identifier (ESSID)?
- Enterprise extended
- Bridge
- Wired extension
- Standalone
Correct answer: Enterprise extended
Standalone infrastructure mode creates a wireless network with no connectivity to wired networks.
Wired extension mode uses a WAP to link a wireless and wired network.
Enterprise extended mode uses multiple WAPs to create a wireless network connected to a wired network.
Bridge mode uses wireless networks to link multiple wired networks where a wired connection is inconvenient.
38.
According to the Shift Left Security movement, where should security considerations first appear within the Waterfall SDLC?
- System analysis
- System design
- Development and test
- Validation or acceptance testing
Correct answer: Systems analysis
According to the Shift Left Security movement, security considerations should be integrated as early as possible in the software development lifecycle (SDLC). In the Waterfall SDLC, this means starting with the system analysis phase. By addressing security during this phase, potential risks can be identified and mitigated before they become more difficult and costly to manage later in the development process.
While security considerations should definitely be part of the system design phase, Shift Left Security advocates for addressing security even earlier, starting during the system analysis phase.
Although security testing should be part of the development and test phase as well, Shift Left Security emphasizes the importance of considering security before coding begins, making the system analysis phase a more appropriate starting point.
Validation or acceptance testing occurs late in the Waterfall SDLC and focuses on verifying that the system meets the specified requirements. Waiting until this phase to address security is too late, as it may lead to significant vulnerabilities being discovered after much of the development is complete.
39.
Which of the following is designed to host an organization's public-facing services?
- Demilitarized zone
- Extranet
- Segmented network
- Microsegmented network
Correct answer: Demilitarized zone
A demilitarized zone (DMZ) is a subnet screened off from the rest of an organization's private network and used to host public-facing services such as email and web servers.
Extranets are screened networks designed to host traffic with trusted partners, such as vendors or suppliers.
Network segmentation breaks a network into isolated zones where traffic between zones passes through a router or switch.
Microsegmentation treats each system or application as its own network zone, inspecting all traffic flowing to and from it. This is a key component of a zero-trust security strategy.
40.
Which of the following types of exercises may cause disruptions to production systems?
- Drill
- Simulation
- Read-through
- Walk-through
Correct answer: Drill
A simulation begins with a scenario, and the participants respond to that scenario in a simulated environment. Drills are shorter simulations performed on real-world production systems without notice to test reactions to a particular event.
A read-through or tabletop assessment involves the parties involved in a particular process (such as incident response or forensic investigation) reading through the script or role-playing based on it. In a walk-through, the role-playing of a tabletop exercise is performed in situ: when saying that they would perform an action, such as pressing a button, the player indicates the button in question.