ISC2 SSCP Exam Questions

161.

Which of the following refers to information about a person that is not publicly known and is protected due to its sensitive nature?

  • NPI

  • PII

  • PNI

  • CPI

Correct answer: NPI

NPI (Non-Published Information) refers to sensitive information about a person that is not publicly known and is protected due to its confidentiality. This term is often used in financial and legal contexts to describe data that must be safeguarded from unauthorized disclosure.

PII (Personally Identifiable Information) refers to any information that can uniquely identify an individual; it might include both public and private details. It is broader than NPI and may include publicly available information.

PNI (Personally Non-Identifiable Information) refers to information that is private but not necessarily identifiable to a specific person; it is not as specific or commonly used as NPI.

CPI (Confidential Personal Information) is not a standard term and is less commonly used compared to NPI or PII, making it less relevant in this context.

162.

Which of the following types of exercises has the LEAST impact on an organization's IT systems?

  • Simulation

  • Drill

  • Parallel testing

  • Full interruption testing

Correct answer: Simulation

A simulation begins with a scenario, and the participants respond to that scenario in a simulated environment.

Drills are shorter simulations performed on real-world production systems without notice to test reactions to a particular event. Parallel testing is performed at a hot site or involves testing data restoration at a cold site, enabling a realistic simulation without impacting operations. Full interruption testing is the most disruptive and tests the ability of staff to respond to a real issue that is injected into production systems, such as a simulated power outage.

163.

Something you have is known as which type of authentication factor?

  • Type II

  • Type I

  • Type III

  • Type IV

Correct answer: Type II

The three main types of authentication factors are:

  • Type I: Something you know
  • Type II: Something you have
  • Type III: Something you are

164.

What is the name for the fundamental unit of information used by a protocol?

  • Datagram

  • Packet

  • Chunk

  • Unit

Correct answer: Datagram

Datagrams are the fundamental unit of information within a protocol; depending on the protocol, that unit might be, for example, a bit or a byte.

A packet is a chunk of data along with routing information that is sent over the network.

165.

Which of the following is HIGHEST in NIST's Risk Management Framework (RMF)?

  • Information security and privacy

  • Control allocation

  • Security and privacy posture

  • Supply chain risk management

Correct answer: Information security and privacy

NIST's Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy is defined in NIST SP 800-37r2. Its areas of concern include:

  1. Organization-wide risk management
  2. Information security and privacy
  3. System and system elements
  4. Control allocation
  5. Security and privacy posture
  6. Supply chain risk management

166.

Which of the following is NOT a device that can operate at Layer 3 (Network) of the OSI model?

  • Modem

  • Switch

  • Firewall

  • Router

Correct answer: Modem

ISO's Open Systems Interconnect Reference Model has seven layers. From bottom to top, they are the following:

  • Physical (Layer 1): The Physical layer performs the transmission of bits over the network using electricity, photons, radio waves, or other means. Network topologies are defined at the Physical layer based on the connections via physical links between different systems' NICs.
  • Data Link (Layer 2): The Data Link layer converts between packets and bits and sends traffic over the physical layer while providing error control, flow control, synchronization, and alerting. MAC addresses work at Layer 2, and Layer 2 devices include modems, bridges, NICs, layer 2 switches, and firewalls.
  • Network (Layer 3): The Network layer performs routing and switching of packets using IP addresses and provides congestion control, error handling, and packet sequencing. Routers, layer 3 switches, and firewalls operate at Layer 3.
  • Transport (Layer 4): The Transport layer moves streams of data from source to destination. The TCP and UDP protocols are defined at the Transport layer.
  • Session (Layer 5): The Session layer manages a complete communication session between two systems, including performing synchronization and remembering session credentials.
  • Presentation (Layer 6): The Presentation layer translates the data and formats used by Layer 7 applications into the formats needed by lower levels of the OSI stack. This includes serialization and deserialization of data from independent fields to a stream of data.
  • Application (Layer 7): The Application layer is where the two applications at the end of a network session communicate with one another. Protocols like HTTP(S), FTP, and SSH operate at the Application layer.

167.

Which of the following algorithms is BEST suited to protecting user credentials stored on a computer?

  • SHA-256

  • AES

  • RSA

  • RC4

Correct answer: SHA-256

SHA-256 is a hash algorithm. Hash algorithms are commonly used to store user credentials on a computer because the original password cannot be extracted from the stored hash (except by guessing it).

RSA, RC4, and AES are all encryption algorithms, which should never be used to store passwords.

168.

Which of the following is LEAST likely to be an east-west traffic flow?

  • Traffic to and from a corporate webserver

  • Traffic between different branches of a distributed enterprise

  • Traffic between infrastructure hosted in different cloud environments

  • Traffic between production and archival/backup systems

Correct answer: Traffic to and from a corporate webserver

East-west traffic flows occur between systems within an organization's network, while north-south flows are between internal servers and external users. Traffic to a webserver is most likely to be north-south because most of this traffic will be external users requesting content.

169.

What type of attack involves causing errors in circuitry performing cryptographic calculations to extract information about the secret key?

  • Differential fault analysis

  • Brute force

  • Side channel

  • Man-in-the-Middle

Correct answer: Differential fault analysis

Differential fault analysis involves injecting faults into circuitry to cause errors that can reveal information about the secret key.

A brute force attack involves attempting to guess the private key used for encryption. This is guaranteed to succeed eventually, but cryptographic algorithms are designed to make this infeasibly long.

Side-channel attacks use unintentional sources of information about a cryptographic implementation, such as time to encrypt or power consumption, to extract information about the secret key.

Man-in-the-Middle (MitM) attacks involve an attacker attempting to interject themselves into a communication to view and potentially modify data being sent. By intercepting handshake messages, an attacker can substitute their public key for that of the communicating parties, enabling the attacker to generate digital signatures that each party would accept as coming from the other. This attack would not work in the presence of digital certificates, which tie identities to public keys.

170.

At which stage of the Waterfall SDLC should the development team start using static code analysis to identify vulnerabilities?

  • Development and Test

  • Validation or Acceptance Testing

  • Operational Deployment

  • Systems Design

Correct answer: Development and Test

The Waterfall Software Design Life Cycle (SDLC) consists of the following stages:

  • Systems Analysis: Identify the functional, non-functional, and performance requirements of the software to determine what needs to be built and how to assess whether it meets business needs.
  • Systems Design: Breaks the requirements into elements and defines subsystems to fulfill each element of the requirements.
  • Development and Test: Write the software based on the requirements and system designs. Validate that the software is complete.
  • Validation or Acceptance Testing: Test to verify that the software meets all the requirements defined in the Systems Analysis phase.
  • Operational Deployment: The software is released, and responsibility for management moves from the developers to the users.
  • Systems Replacement and Retirement: At end of life or end of use, the system is decommissioned, often after a replacement is ready and in place.

Static code analysis does not require a complete application to run and can be performed for each commit to a code repository. For this reason, it should be used starting at the Development and Test stage of the SDLC.

171.

Which of the following types of tools is designed to protect the integrity of evidence being collected?

  • Write blocker

  • Debugger

  • Drive imaging tool

  • Hashing tool

Correct answer: Write blocker

Debuggers allow analysts to step through software and inspect its current state of execution.

Drive imaging tools exactly copy a hard drive or other piece of media.

Write blockers prevent changes to the data stored on a drive while it is being copied or analyzed, ensuring the integrity of the evidence.

Hashing tools are used to validate the integrity of evidence by creating a hash digest that will make it evident if data is modified.

172.

Which of the following in the CIANA acronym refers to preventing a user from denying their actions?

  • N

  • I

  • A

  • C

Correct answer: N

The CIANA acronym stands for:

  • Confidentiality: Limiting who has access to data
  • Integrity: Protecting the completeness and correctness of data
  • Availability: Ensuring that data is available in a timely manner and usable format
  • Non-Repudiation: Preventing someone from denying that they took an action
  • Authentication: Proving that data was created or modified only by approved parties

173.

Which of the following is the point where the false positive and false negative rates of an authentication system are equal?

  • CER

  • FAR

  • FRR

  • CAR

Correct answer: CER

The Crossover Error Rate (CER) is the point where the false positive and false negative rates of an authentication system are equal. This means that it is equally likely that a legitimate user will be denied access and that an illegitimate user will be granted access.

174.

Which of the following types of baselines provides "need to know" information for work to be done?

  • Information architecture baseline

  • Information systems architecture baseline

  • Information technology architecture baseline

  • Information security architecture baseline

Correct answer: Information architecture baseline

An information architecture baseline provides the foundational structure for how information is organized, accessed, and managed within an organization. It captures what individuals or groups need to know to perform their work, ensuring the information is accessible and categorized according to the organization's requirements. This aligns with the "need to know" principle, as it defines the necessary information that must be available to authorized personnel.

The information security architecture baseline is concerned with the implementation of security controls and measures to protect information. It provides the "how-to" for securing information but does not focus on what information needs to be known for work to be done.

The information systems architecture baseline focuses on the design and structure of information systems, including hardware, software, and networks. It ensures the systems support the organization's needs but doesn't specifically focus on "need to know" information.

The information technology architecture baseline deals with the overall technology infrastructure, ensuring that IT systems and processes align with business goals.

175.

Which type of testing validates that the system continues to function after a change?

  • Regression

  • Security acceptance

  • Risk remediation

  • Security effectiveness

Correct answer: Regression

Regression testing validates that a newly introduced security control doesn't break the system.

Security acceptance testing validates that a risk management control works and reduces residual risk to an acceptable amount. Risk remediation and security effectiveness testing are fabricated terms.

176.

At which stage of the Cyber Kill Chain would an attacker likely access open-source intelligence (OSINT)?

  • Reconnaissance

  • Delivery

  • Command and Control

  • Exploitation

Correct answer: Reconnaissance

The kill chain is the series of actions an attacker takes to perform their attacks. Reconnaissance is the first stage of the Cyber Kill Chain, where the attacker gathers information about the target. During this stage, attackers use OSINT to collect publicly available information about the target organization, its employees, systems, network infrastructure, and potential vulnerabilities. This information helps the attacker plan and prepare for subsequent stages of the attack.

The Cyber Kill Chain model developed by Lockheed Martin includes the following steps:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objective

177.

Which of the following RAID levels can tolerate the loss of multiple drives?

  • RAID 6

  • RAID 4

  • RAID 5

  • RAID 7

Correct answer: RAID 6

The RAID levels are as follows:

  • RAID 0 (Block-Level Striping): Data is distributed across multiple drives. The failure of any drive may cause data loss.
  • RAID 1 (Mirroring): Copies data to multiple drives to eliminate single points of failure.
  • RAID 2 (Bit-Level Striping): A commercially non-viable strategy in which striping is performed at the bit level with error correction.
  • RAID 3 (Byte-Level Striping with Parity Bits): Data is distributed across multiple drives. Parity bits enable restoration of data if a single drive fails.
  • RAID 4 (Block-Level Striping with Parity Bits): Data is striped at block level and distributed across multiple drives. Parity bits stored on a dedicated disk enable restoration of data if a single drive fails.
  • RAID 5 (Block-Level Striping with Interleaved Parity): Data is striped at block level and parity bits are distributed across all drives, enabling restoration if a single drive fails.
  • RAID 6 (Block-Level Striping with Duplicate Interleaved Parity): Data is striped at block level and two parity blocks are distributed across all drives, making it possible to restore data in the event of multiple drive failures.
  • RAID 1+0 and 0+1: Stripes mirrored data or mirrors striped data. These are the most expensive RAID options but offer the best reliability and performance.

178.

Which of the following is NOT a major consideration when reloading data from backups?

  • Incompatible backups

  • Malware reinfection

  • Corrupted data

  • Introduction of fake accounts

Correct answer: Incompatible backups

The backup copy may have already been infected by malware or contain data that was corrupted. Also, backups for access control systems may include fake account information. Backups should have been generated from the system being restored, so compatibility should not be an issue.

179.

Which of the following is NOT an example of a knowledge-based authentication factor?

  • Fingerprint scanner

  • Password

  • Passphrase

  • Security question

Correct answer: Fingerprint scanner

A fingerprint scanner is an example of a biometric authentication factor, not a knowledge-based one. Biometric factors rely on physical aspects of a person (e.g., your fingerprint) rather than something they know.

Passwords, passphrases, and security questions all require a user to know something to authenticate. Fingerprint scanners are a "something you are" factor.

180.

Which of the following BEST protects an organization against single points of failure?

  • Job rotation

  • Separation of duties

  • Least privilege

  • Need to know

Correct answer: Job rotation

Need to know, least privilege, and separation of duties can create single points of failure if only one party is authorized to perform a task or fulfill a role. Job rotation helps to prevent single points of failure because employees know how to perform other roles and can step in as needed.