Sample Questions for ISC2's Systems Security Certified Practitioner (SSCP) Exam

Free ISC2 Practice Questions

If you want to get certified in the ISC2 Systems Security Certified Practitioner (SSCP) exam, you need to do more than just study. You need to practice by completing SSCP practice exams, reviewing cybersecurity sample questions, and spending time with a reliable ISC2 certification exam simulator.

In this quick SSCP practice exam tutorial, we’ll help you get started by providing a carefully written set of SSCP exam questions and answers. These questions mirror the tone and difficulty of the actual ISC2 SSCP exam, giving you a clear sense of how prepared you are for the test.

Study thoroughly, practice consistently, and gain hands-on experience with security tools, controls, and risk management concepts. With the right preparation, you’ll be ready to pass the ISC2 SSCP exam with confidence.


Certification Practice Exam Questions

Which choice describes precisely the step by step actions required to complete a specific task?

  • ❏ A. Security baseline

  • ❏ B. Organizational policy statement

  • ❏ C. Guidance document

  • ❏ D. Standard operating procedure

A regional insurance firm called Summit Assurance needs to detect when complete sensitive documents are leaving its network. Which data loss prevention approach relies on the collision resistance of cryptographic hashes to recognize identical files?

  • ❏ A. Conceptual lexicon and pattern lists

  • ❏ B. Exact file fingerprinting using hashes

  • ❏ C. Cloud DLP API

  • ❏ D. Database fingerprinting

  • ❏ E. Rule based detection using regexes and patterns

Which concept is most directly underscored by the saying “you cannot protect what you do not know about”?

  • ❏ A. Investing in Cloud Security Command Center

  • ❏ B. Emphasizing hiring highly specialized security engineers

  • ❏ C. Prioritizing a thorough inventory of all IT assets

  • ❏ D. Focusing only on physical security controls

A regional credit union is auditing its security controls for governance and compliance. Which of the following activities would not be considered a breach of the Due Diligence principle?

  • ❏ A. Data custodians have not documented the enterprise data protection framework

  • ❏ B. Servers are updated according to the organization patch management process and receive current security fixes

  • ❏ C. System administrator omits the required three week vacation schedule

  • ❏ D. The security policy is no longer current or aligned with standards

What term describes using technologies like fingerprint scans, retinal scans, and iris scans to verify people who request access to systems and data?

  • ❏ A. Physiometrics

  • ❏ B. Biometrics

  • ❏ C. Behavioral biometrics

  • ❏ D. Micrometrics

A cybersecurity startup called BlueGate is assessing biometric evaluation methods for access control. Which three standard performance metrics are used to measure biometric system performance? (Choose 3)

  • ❏ A. Detection error tradeoff

  • ❏ B. False acceptance rate

  • ❏ C. Negative error rate

  • ❏ D. Crossover error rate

  • ❏ E. False rejection rate

A mid sized cloud provider called Crestline Networks has network logs that show systematic probes across multiple host ports, which look like port scanning activity. Which category of event of interest does this represent?

  • ❏ A. IoA

  • ❏ B. Indicators of Compromise (IoCs)

  • ❏ C. Precursor

  • ❏ D. Indicator

For a mid sized technology consultancy, which type of failure generally causes the most severe business interruption?

  • ❏ A. Extended network connectivity outage

  • ❏ B. Major hardware or system software breakdown

  • ❏ C. Unrecoverable data loss

  • ❏ D. Core application platform failure

Which of the listed security services is not fulfilled by the Digital Signature Standard?

  • ❏ A. Integrity verification

  • ❏ B. Digital signatures

  • ❏ C. Encryption

  • ❏ D. Entity authentication

A security engineer at North Ridge Technologies is working remotely while the corporate virtual private network is unreliable which makes access to internal systems slow. What activity would pose the largest data security risk in this circumstance?

  • ❏ A. Data remanence

  • ❏ B. Use of unauthorized cloud file sharing

  • ❏ C. Data displayed or output on the screen

  • ❏ D. Data download or copying to the endpoint

A regional networking firm is comparing copper cable types. Which cabling family includes the CAT4 and CAT6 classifications?

  • ❏ A. Fiber optic cables

  • ❏ B. Shielded twisted pair cabling

  • ❏ C. Twisted Pair cables

  • ❏ D. Coaxial cables

Why is safeguarding audit logs against alteration and unauthorized access especially important for reliable incident investigations and meeting compliance requirements?

  • ❏ A. Cloud Logging

  • ❏ B. It preserves the integrity of records used in security investigations

  • ❏ C. It boosts overall system performance

  • ❏ D. It reduces the burden of long retention policies

During a business impact analysis for a regional consulting firm, which of the following activities would not be part of the BIA process?

  • ❏ A. Develop surveys and questionnaires for data collection

  • ❏ B. Select staff to interview for information gathering

  • ❏ C. Choose an alternate recovery location

  • ❏ D. Document the organization’s essential business functions

A regional university network team is deciding on cabling for the campus core. Why are fiber optic lines commonly chosen for backbone connections between buildings and main switches?

  • ❏ A. Cloud Interconnect

  • ❏ B. Use of standard RJ45 connectors

  • ❏ C. Lower upfront cost and easier installation

  • ❏ D. Greater resistance to electromagnetic interference and support for much longer transmission distances

A cloud consulting firm needs a public key method to let two endpoints agree on a secret over an untrusted network. Which asymmetric algorithm is most commonly used to accomplish this?

  • ❏ A. RSA

  • ❏ B. SHA-256

  • ❏ C. Diffie-Hellman

  • ❏ D. AES

After a security incident has been contained and normal operations resumed, what step should the response team perform to help prevent the same incident from recurring?

  • ❏ A. Detection analysis and escalation

  • ❏ B. Service recovery

  • ❏ C. Perform a post incident review and implement new countermeasures

  • ❏ D. Proactive preparation

Which of the following items is classified as a “something you have” authentication factor?

  • ❏ A. Biometric fingerprint

  • ❏ B. Cloud Identity

  • ❏ C. Smart card token

  • ❏ D. Secret passphrase

Since the Kerberos Ticket Granting Service and the authentication servers store all secret keys and perform client authentication, what kinds of attacks are these servers most exposed to?

  • ❏ A. Susceptible only to attacks from malicious software

  • ❏ B. Susceptible to both physical tampering and malicious software infections

  • ❏ C. Susceptible to credential guessing and offline password cracking attacks

  • ❏ D. Susceptible only to physical tampering

Under an IPv4 addressing scheme, which address class can accommodate the greatest number of host addresses?

  • ❏ A. Class C

  • ❏ B. Class B

  • ❏ C. Class E

  • ❏ D. Class A

If a malicious actor transmits an ICMP packet that exceeds 72 kilobytes to a server, what type of network attack does this represent?

  • ❏ A. Teardrop attack

  • ❏ B. Ping of Death

  • ❏ C. TCP SYN flood

  • ❏ D. Buffer overflow exploit

  • ❏ E. Smurf amplification attack

In which setting would a person have a “reasonable expectation of privacy”?

  • ❏ A. Community park

  • ❏ B. City sidewalk

  • ❏ C. Private residence

  • ❏ D. Workplace office

A regional cloud operator wants its server sites to remain functional during utility outages, so it installs duplicate power modules, backup diesel generators, and two separate utility feeds. What resilience strategy is being used?

  • ❏ A. Active active deployment

  • ❏ B. Geographic redundancy

  • ❏ C. N plus one redundancy

  • ❏ D. Multipath network design

Marcus is head of operations at a financial technology startup that is deploying cloud services across several continents. He needs to ensure that customer records are stored and processed in line with global privacy and compliance rules. Which legal risk is most relevant to his cloud security strategy?

  • ❏ A. Identity and Access Management

  • ❏ B. Network security monitoring and intrusion detection

  • ❏ C. Data residency and jurisdictional requirements

  • ❏ D. Service level agreement obligations

When a certified SSCP practitioner must choose a course of action, what quality should be the primary consideration?

  • ❏ A. Cost effective and mindful of budgets

  • ❏ B. Technically accurate and operationally feasible

  • ❏ C. Ethical conduct and professional integrity

  • ❏ D. Compliant with applicable laws and regulations

At a neighborhood bookstore who has the strongest reasonable expectation of privacy regarding the premises and daily operations?

  • ❏ A. Independent contractor

  • ❏ B. Store proprietor

  • ❏ C. Guest on site

  • ❏ D. Staff member

A regional digital agency called Meridian Studios needs a dependable way to find unauthorized software on employee desktops and to uncover license misuse. What approach is most effective for detecting software license violations?

  • ❏ A. Enforce diskless thin client workstations

  • ❏ B. Cloud Asset Inventory

  • ❏ C. Perform periodic automated scans of employee workstations to inventory installed applications

  • ❏ D. Deploy software metering on the corporate network

In access control terminology what word describes the item that a user or application performs actions on?

  • ❏ A. Actor

  • ❏ B. Resource

  • ❏ C. Object

  • ❏ D. Entity

A digital health startup that uses multiple cloud providers needs to implement a retention policy that meets GDPR and HIPAA requirements. What is the most important initial action to take when developing a data retention policy?

  • ❏ A. Google Cloud Data Loss Prevention

  • ❏ B. Apply legal holds to all sensitive datasets

  • ❏ C. Encrypt all records before storing them in the cloud

  • ❏ D. Inventory and classify data types by sensitivity and applicable regulations

Within the information security CIA model what concept does the letter C denote?

  • ❏ A. Configuration

  • ❏ B. Control

  • ❏ C. Compliance

  • ❏ D. Confidentiality

How can a software company best demonstrate that its incident response plan is aligned with its commercial goals and leadership priorities?

  • ❏ A. Access to the plan is limited to a small dedicated incident response group

  • ❏ B. Executive leadership has formally approved and authorized the incident response plan

  • ❏ C. The plan is maintained by the operations team and undergoes an annual technical review

  • ❏ D. The document contains detailed step-by-step procedures for eradicating malware and disinfecting systems

A network analyst inspects an IPv4 packet and finds the protocol field set to 17. Which transport layer protocol does that value represent?

  • ❏ A. TCP

  • ❏ B. IGMP

  • ❏ C. ICMP

  • ❏ D. UDP

A regional fintech company called Solace Financial is concerned about weaknesses in its public facing web applications and APIs. Which testing approach is best suited to evaluate that external exposure?

  • ❏ A. Gray box testing

  • ❏ B. Automated vulnerability scanning

  • ❏ C. White box testing

  • ❏ D. Black box testing

A security team at Meridian Tech is comparing cryptographic approaches. Which technique is regarded as theoretically unbreakable?

  • ❏ A. Elliptic curve cryptography

  • ❏ B. Single DES

  • ❏ C. Symmetric ciphers

  • ❏ D. One time pad

A mid sized payments company named Northfield uses a federated identity platform and needs to enable single sign on for external applications. What is the primary function of the Security Assertion Markup Language protocol in identity and access management?

  • ❏ A. Cloud Identity Aware Proxy

  • ❏ B. Holding user passwords in a single directory

  • ❏ C. Encrypting authentication traffic between clients and servers

  • ❏ D. Transmitting authentication and authorization assertions between identity providers and service providers

When a company finds its disaster recovery plan does not work as intended what is the most common root cause?

  • ❏ A. Insufficient rehearsal and testing

  • ❏ B. Inadequate executive sponsorship and ongoing oversight

  • ❏ C. Technology component failures

  • ❏ D. Shortfalls in employee training and preparedness

Certification Practice Exam Questions Answered

Which choice describes precisely the step by step actions required to complete a specific task?

  • ✓ D. Standard operating procedure

Standard operating procedure is correct.

Standard operating procedure specifies the exact step by step actions operators must perform to complete a specific task. It translates higher level rules into task level instructions and checklists so work is repeatable and verifiable. That procedural and prescriptive nature is what makes it the precise match for a request for step by step actions.

Security baseline is incorrect because a baseline defines required configuration settings or minimum security levels for systems rather than a sequence of actions to perform a task. A baseline tells you what settings to enforce and not how to perform an operational task.

Organizational policy statement is incorrect because a policy is high level and states objectives, rules, and responsibilities. A policy describes what must be achieved and not the detailed steps staff must follow to complete a task.

Guidance document is incorrect because guidance provides recommendations and best practices and it is often optional. Guidance may include examples but it does not usually mandate the precise step by step procedures that a standard operating procedure provides.

When the question asks for exact step by step actions pick a procedure rather than a policy or baseline. Policies set direction and baselines set configurations while procedures give repeatable task steps.

A regional insurance firm called Summit Assurance needs to detect when complete sensitive documents are leaving its network. Which data loss prevention approach relies on the collision resistance of cryptographic hashes to recognize identical files?

  • ✓ B. Exact file fingerprinting using hashes

The correct answer is Exact file fingerprinting using hashes.

Exact file fingerprinting using hashes generates a cryptographic digest of the entire file and compares those digests to recognize identical files. Cryptographic hash functions are designed for collision resistance so the probability of two different files producing the same digest is negligible. That collision resistance is what allows exact file fingerprinting to detect complete sensitive documents leaving the network even when filenames or metadata change.

Conceptual lexicon and pattern lists rely on keyword lists and contextual rules to find sensitive content and they do not use cryptographic hashes. They are useful for term based detection but they cannot reliably detect exact file copies.

Cloud DLP API is an interface to a service and not the specific hash based method described in the question. The API may offer multiple detection techniques but invoking the API is not itself the collision resistant hashing approach the question asks about.

Database fingerprinting typically fingerprints structured records or fields rather than producing whole file cryptographic hashes. It is focused on database row or column data and not on file level exact matches for document exfiltration detection.

Rule based detection using regexes and patterns searches for textual patterns and formats and it can generate false positives or false negatives for whole file detection. Regex and pattern rules do not depend on collision resistant cryptographic hashing and so they are not the method the question describes.

When a question asks about detecting identical files or exact matches think about cryptographic hashes and exact file fingerprinting instead of pattern matching or service names.
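To make the hashing approach in the answer above concrete, here is an added example (not part of the original article) of exact file fingerprinting: register SHA-256 digests of constructed sample documents, then check outbound files against them. It also shows the limit of the technique: a renamed copy is caught because only content is hashed, but a copy with a single byte changed is not.

```python
"""Exact file fingerprinting for DLP (added illustration, constructed data)."""
import hashlib
from typing import Dict, Set

# Constructed sample documents for illustration only; not real company data.
REGISTERED_DOCS: Dict[str, bytes] = {
    "q3_claims_forecast.xlsx": b"POLICY,CLAIM,RESERVE\nA1001,45000,52000\n" * 40,
    "board_minutes_2024_05.docx": b"Summit Assurance board minutes ... confidential " * 25,
}


def fingerprint(data: bytes) -> str:
    """Return the hex SHA-256 digest of the complete file content."""
    return hashlib.sha256(data).hexdigest()


def build_fingerprint_db(docs: Dict[str, bytes]) -> Set[str]:
    """Register every sensitive document by content digest only.

    Filenames are deliberately not stored, so detection survives a rename.
    """
    return {fingerprint(content) for content in docs.values()}


def inspect_outbound(files: Dict[str, bytes], db: Set[str]) -> Dict[str, bool]:
    """Hash each outbound file and report whether it matches a registered document."""
    return {name: fingerprint(content) in db for name, content in files.items()}


def demo() -> Dict[str, bool]:
    """Run three constructed outbound files through the fingerprint check."""
    db = build_fingerprint_db(REGISTERED_DOCS)
    outbound = {
        # Identical bytes under a new name: exact fingerprinting catches this.
        "holiday_photos.zip": REGISTERED_DOCS["q3_claims_forecast.xlsx"],
        # One appended byte gives a different digest, so exact matching misses it.
        "forecast_edited.xlsx": REGISTERED_DOCS["q3_claims_forecast.xlsx"] + b"\n",
        # Unrelated content: no match, as expected.
        "lunch_menu.txt": b"Tuesday: soup and sandwiches\n",
    }
    return inspect_outbound(outbound, db)


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name:24s} {'BLOCK' if flagged else 'allow'}")
```

The miss on the edited copy is why DLP products pair exact fingerprinting with partial-document or pattern matching rather than relying on whole-file hashes alone.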

Which concept is most directly underscored by the saying “you cannot protect what you do not know about”?

  • ✓ C. Prioritizing a thorough inventory of all IT assets

Prioritizing a thorough inventory of all IT assets is correct because it directly expresses the principle that you cannot protect what you do not know about.

A complete inventory gives the visibility required to identify and classify hardware, software, and cloud services so that risk assessments, patching, monitoring, and access controls can be applied where they are needed.

Investing in Cloud Security Command Center is incorrect because this is a specific product that can help with cloud visibility but it does not capture the general practice of cataloging all assets across the enterprise.

Emphasizing hiring highly specialized security engineers is incorrect because skilled personnel are important but the saying is about discovering and knowing assets first rather than relying on staffing alone.

Focusing only on physical security controls is incorrect because that approach misses software configurations cloud resources and other nonphysical assets and the principle applies to all asset types.

When you see choices that mention inventory or asset discovery on the exam pick them when the question emphasizes visibility or what can be protected.

A regional credit union is auditing its security controls for governance and compliance. Which of the following activities would not be considered a breach of the Due Diligence principle?

  • ✓ B. Servers are updated according to the organization patch management process and receive current security fixes

Servers are updated according to the organization patch management process and receive current security fixes is correct because it describes an active, documented control that shows the organization is maintaining its security posture and managing risks.

Applying patch management and timely security fixes demonstrates ongoing attention to vulnerabilities and provides tangible evidence for auditors that due diligence is being practiced. Regular updates reduce exposure to known threats and show that the organization follows its governance and compliance processes.

Data custodians have not documented the enterprise data protection framework is incorrect because missing documentation of a data protection framework is a governance gap. That omission indicates a failure to perform required oversight and it is a breach of due diligence.

System administrator omits the required three week vacation schedule is incorrect because mandatory, enforced vacations are a control to detect fraud and ensure segregation of duties. Not following that schedule is a breakdown of controls and thus a violation of due diligence.

The security policy is no longer current or aligned with standards is incorrect because an outdated policy means governance and compliance activities are not being maintained. A current and aligned security policy is a basic expectation of due diligence and its absence is a breach.

When you see a choice that shows an ongoing, documented process such as regular patching, favor it. Focus on answers that demonstrate active maintenance and verifiable evidence of controls rather than absent or outdated documentation. Emphasize ongoing actions when assessing due diligence.

What term describes using technologies like fingerprint scans, retinal scans, and iris scans to verify people who request access to systems and data?

  • ✓ B. Biometrics

The correct answer is Biometrics.

Biometrics refers to authentication techniques that rely on unique physical or physiological traits of a person. Fingerprint scans, retinal scans, and iris scans are classic biometric modalities used to confirm the identity of someone requesting access to systems or data.

Physiometrics is not the standard term used in information security. The accepted and widely used term for fingerprint, retinal, and iris based verification is biometrics.

Behavioral biometrics focuses on patterns of behavior such as typing rhythm gait or mouse movement. Those behavioral methods do not describe physical scans like fingerprints or iris scans so this option is incorrect.

Micrometrics is not a recognized term for human identity verification by biological traits and it does not refer to fingerprint, retinal, or iris scanning. That makes it incorrect for this question.

When you see specific examples such as fingerprint or iris scans think Biometrics and distinguish those from options that describe behaviors or use unfamiliar terminology.

A cybersecurity startup called BlueGate is assessing biometric evaluation methods for access control. Which three standard performance metrics are used to measure biometric system performance? (Choose 3)

  • ✓ B. False acceptance rate

  • ✓ D. Crossover error rate

  • ✓ E. False rejection rate

The correct options are False acceptance rate, Crossover error rate, and False rejection rate.

False acceptance rate measures the proportion of impostors who are incorrectly granted access. It is a standard scalar metric for biometric systems and it quantifies the system risk of allowing unauthorized users.

False rejection rate measures the proportion of genuine users who are incorrectly denied access. It is the complementary error to the acceptance side and it quantifies the user convenience impact of the system.

Crossover error rate is the operating point where the False acceptance rate and the False rejection rate are equal. It is commonly reported as a single number that summarizes the trade off between security and usability and lower values indicate better overall biometric performance.

Detection error tradeoff is not one of the three scalar metrics. It usually refers to a DET curve which visualizes the trade off between false acceptances and false rejections across thresholds rather than providing a single performance number.

Negative error rate is not a standard biometric performance term. It may be a misnomer for a false negative concept, but the standard terms used in biometric evaluation are False rejection rate for false negatives and False acceptance rate for false positives.

When you see biometric performance questions look for the three scalar metrics FAR, FRR, and EER and remember that curves like DET or ROC are visualization tools rather than single performance metrics.
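The three metrics and the DET curve discussed above, as an added worked example (not from the original article): constructed genuine and impostor similarity scores are swept across every candidate threshold to compute FAR and FRR, and the crossover (equal error) rate is read off where the two are closest.

```python
"""FAR, FRR and crossover error rate from constructed matcher scores (added illustration)."""
from typing import List, Tuple

# Constructed similarity scores for illustration only; not real matcher output.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES: List[float] = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.35, 0.30, 0.22, 0.15]


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """Share of impostor attempts scoring at or above the threshold (wrongly accepted)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """Share of genuine attempts scoring below the threshold (wrongly rejected)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def det_points(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) at every candidate threshold: the data behind a DET curve."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [
        (t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
        for t in thresholds
    ]


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (CER/EER).

    With discrete scores the two curves may not meet exactly, so the mean of
    FAR and FRR at the closest point is reported.
    """
    threshold, far, frr = min(det_points(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return threshold, (far + frr) / 2


if __name__ == "__main__":
    print(" thr   FAR   FRR")
    for t, far, frr in det_points(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:.2f}  {far:.2f}  {frr:.2f}")
    thr, eer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {thr:.2f}: EER = {eer:.2f}")
```

Raising the threshold lowers FAR and raises FRR; the printed table is the DET trade-off and the single EER value is what vendors quote.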

A mid sized cloud provider called Crestline Networks has network logs that show systematic probes across multiple host ports, which look like port scanning activity. Which category of event of interest does this represent?

  • ✓ C. Precursor

Precursor is correct.

Systematic probes across multiple host ports are reconnaissance actions that attackers use to map targets and find open services. That kind of activity is a classic Precursor because it happens before exploitation and it signals preparatory intent rather than proof of a successful breach.

IoA is incorrect because indicators of attack generally describe behaviors that show an attack is in progress such as exploit attempts, privilege escalation, or lateral movement. Port scanning is preparatory reconnaissance and is more appropriately labeled a Precursor than an ongoing attack indicator.

Indicators of Compromise (IoCs) is incorrect because IoCs are artifacts left by a successful compromise such as malicious files, altered system artifacts, or confirmed command and control traffic. A port scan alone does not demonstrate that a system has been compromised.

Indicator is incorrect because it is a generic term and not the specific taxonomy term used for preparatory reconnaissance. The correct, specific category for scanning activity is Precursor.

When a question describes scanning, probing, or reconnaissance think preparation rather than evidence of a breach or an in progress exploit.

For a mid sized technology consultancy, which type of failure generally causes the most severe business interruption?

  • ✓ C. Unrecoverable data loss

The correct option is Unrecoverable data loss. This choice best matches the type of failure that causes the most severe and long lasting business interruption for a mid sized technology consultancy.

When a consultancy experiences Unrecoverable data loss it can lose client deliverables, source code, configurations, and billing and contractual records. Loss of those assets stops revenue generation, damages client trust, and can require lengthy rebuilding and legal remediation, which makes the interruption far more severe than a temporary outage.

Recovery from infrastructure or application failure usually depends on restoring data. If data cannot be recovered then failover and replacement strategies are of limited use. That is why Unrecoverable data loss carries the greatest business impact when backups or other long term recovery mechanisms are not available or fail.

Extended network connectivity outage can disrupt access and productivity but it is often mitigated by redundant circuits, alternate connectivity, and the ability to work offline. Network outages tend to be temporary and do not by themselves destroy stored business data.

Major hardware or system software breakdown can be serious but hardware can be replaced and software can be reinstalled or restored from images and backups. Such breakdowns rarely cause permanent loss of critical business information when standard recovery controls are in place.

Core application platform failure may stop key services and be high impact for users but platforms are often designed with clustering, failover, and provider recovery options. Platform failures are usually recoverable if data remains intact and accessible.

Focus on the long term impact on data recoverability rather than short term downtime. If an event makes recovery impossible it is usually the most severe choice to pick.

Which of the listed security services is not fulfilled by the Digital Signature Standard?

  • ✓ C. Encryption

The correct option is Encryption.

The Digital Signature Standard defines how to create and verify Digital signatures and so it provides Integrity verification and supports Entity authentication. The standard specifies signature algorithms and verification procedures and it is not intended to provide confidentiality. For that reason Encryption is not a service provided by the Digital Signature Standard.

Integrity verification is incorrect because digital signatures detect any alteration of signed data and so the standard delivers integrity protection.

Digital signatures is incorrect because that is the primary function of the standard and the option therefore does not answer which service is not fulfilled.

Entity authentication is incorrect because verifying a signature confirms that the signer controls the private key and so the standard supports authentication of the signer.

When a question asks which service a signing standard does not provide remember to separate signing from confidentiality. Signing gives integrity and authentication and not encryption.

A security engineer at North Ridge Technologies is working remotely while the corporate virtual private network is unreliable which makes access to internal systems slow. What activity would pose the largest data security risk in this circumstance?

  • ✓ D. Data download or copying to the endpoint

Data download or copying to the endpoint is the correct choice because it creates the largest and most persistent data security risk when a user is working remotely with an unreliable VPN.

When a user performs Data download or copying to the endpoint sensitive information is removed from the controlled corporate environment and placed on a device that may be unmanaged or inadequately protected. Once data exists on the endpoint it is far harder to enforce access controls or Data Loss Prevention and it can be retained, shared, or exfiltrated without corporate visibility.

Data remanence is not the best answer because it refers to residual information left on storage after deletion and is mainly a concern for media sanitization or decommissioning rather than the active risk of a remote user copying files to their device.

Use of unauthorized cloud file sharing is a meaningful risk but it is less directly aligned with the scenario. The question highlights slow internal access and a local download bypasses corporate controls more immediately than moving data to an unsanctioned cloud service in many remote work situations.

Data displayed or output on the screen can lead to transient exposures such as shoulder surfing or screenshots but it does not produce the same persistent, portable copies that downloading or copying to the endpoint does and so it poses a lower long term exfiltration risk in this context.

When a question describes slow VPN or remote work focus on actions that create persistent local copies. Watch for answers that mention downloading or copying to endpoints as they often represent the highest exfiltration risk.

A regional networking firm is comparing copper cable types. Which cabling family includes the CAT4 and CAT6 classifications?

  • ✓ C. Twisted Pair cables

The correct answer is Twisted Pair cables. The Category designations such as CAT4 and CAT6 are classifications for copper twisted pair cabling families and they describe performance levels for unshielded and shielded variants used in Ethernet networks.

Category numbers define electrical performance and maximum frequency for the twisted pair family and they are the standard way to identify copper Ethernet cable grades from early low speed types up to modern high speed types.

Fiber optic cables are a different transmission medium that use glass or plastic fibers to carry light and they do not use the CAT numbering scheme for copper twisted pair cables.

Shielded twisted pair cabling is a subtype of the twisted pair family and it is not the overall family name asked for. Shielded variants may also receive category ratings but the family that includes CAT4 and CAT6 is the broader twisted pair family.

Coaxial cables use a single center conductor with a surrounding shield and they follow different standards and naming conventions rather than the CAT classification used for twisted pair copper cabling.

When you see CAT numbers think twisted pair copper cabling and not fiber or coax. Remember that shielded or unshielded are subtypes of the same family.

Why is safeguarding audit logs against alteration and unauthorized access especially important for reliable incident investigations and meeting compliance requirements?

  • ✓ B. It preserves the integrity of records used in security investigations

It preserves the integrity of records used in security investigations is correct.

Protecting audit logs from alteration and unauthorized access ensures that the records investigators rely on remain accurate and trustworthy. Reliable logs support a clear chain of custody and allow analysts to reconstruct events without concern that evidence was changed or deleted, and that is essential for both internal incident response and legal or regulatory reviews.

Cloud Logging is incorrect because it names a logging service rather than giving a reason why safeguarding logs matters. The question asks for the purpose of protecting logs during investigations and compliance activities, not for a product name.

It boosts overall system performance is incorrect because log protection does not improve runtime performance. Securing logs is about integrity, confidentiality, and availability of audit data, and it is separate from efforts to optimize system throughput or latency.

It reduces the burden of long retention policies is incorrect because safeguarding logs does not change retention requirements. Retention policies are determined by legal and business rules and securing logs typically complements retention by ensuring stored records remain trustworthy while they are kept.

When choices mention logs and investigations look for words like integrity or chain of custody as those concepts usually point to the correct answer on forensics and compliance questions.
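As an added illustration (not code from the original page), the following Python sketch shows one common way to make audit logs tamper evident: each entry carries the SHA-256 hash of the previous entry plus its own content, and the collector authenticates every hash with an HMAC key that the log-producing hosts do not hold. The sample events and the key are constructed for the demo; in practice the key would live in a secrets manager or HSM on a separate collector so that an attacker with root on the source system can modify or delete local records but cannot rewrite the chain without the verifier noticing.

```python
import hashlib
import hmac
import json

# Constructed sample events (not real data); each becomes one chained entry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T10:02:13Z", "user": "alice", "action": "read", "object": "/finance/q1.xlsx"},
    {"ts": "2024-05-01T10:05:40Z", "user": "bob", "action": "login", "result": "failure"},
]

# Hypothetical key held only by the log collector / verifier (example value).
SIGNING_KEY = b"collector-key-example-only"
GENESIS = "0" * 64


def canonical(record):
    """Deterministic serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, record, key=SIGNING_KEY):
    """Append one record, linking it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": len(chain), "prev": prev, "record": dict(record),
                  "hash": digest, "mac": tag})
    return chain


def build_chain(events, key=SIGNING_KEY):
    chain = []
    for event in events:
        append_entry(chain, event, key)
    return chain


def verify_chain(chain, key=SIGNING_KEY):
    """Return (ok, index of first bad entry or None).

    Detects edited records (hash mismatch), deleted or reordered entries
    (prev/seq mismatch) and entries re-hashed without the key (HMAC mismatch).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["seq"] != i:
            return False, i
        expected = hashlib.sha256(prev.encode() + canonical(entry["record"])).hexdigest()
        if expected != entry["hash"]:
            return False, i
        expected_mac = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, entry["mac"]):
            return False, i
        prev = entry["hash"]
    return True, None


def tamper_demo():
    """Rewrite a failed login as a success and show the verifier catching it."""
    chain = build_chain(SAMPLE_EVENTS)
    ok_before, _ = verify_chain(chain)
    chain[2]["record"]["result"] = "success"   # attacker with write access to the store
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(tamper_demo())   # (True, False, 2)
```

The chain only proves integrity from the point of collection onward, which is why forwarding logs promptly to a write-once or append-only store matters as much as the hashing itself.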

During a business impact analysis for a regional consulting firm which of the following activities would not be part of the BIA process?

  • ✓ C. Choose an alternate recovery location

Choose an alternate recovery location is the correct answer because choosing a recovery site is an action taken during business continuity and disaster recovery planning rather than during the business impact analysis.

The BIA focuses on identifying and prioritizing critical business functions, assessing the impact of downtime, and determining recovery time objectives and required resources. Its outputs inform choices such as alternate locations but the actual selection and implementation of a recovery site are part of recovery planning.

Develop surveys and questionnaires for data collection is incorrect because creating surveys and questionnaires is a typical BIA activity used to gather information about processes, dependencies, and resource requirements.

Select staff to interview for information gathering is incorrect because identifying which staff and subject matter experts to interview is a standard step in the BIA to ensure accurate and complete data collection.

Document the organization’s essential business functions is incorrect because documenting essential functions is a core BIA output that defines what must be recovered and in what priority.

Focus on the difference between analysis and planning. The BIA identifies critical functions and impact tolerances while business continuity planning decides how to recover, including choosing alternate locations.

A regional university network team is deciding on cabling for the campus core and they want to understand why fiber optic lines are commonly chosen for backbone connections between buildings and main switches?

  • ✓ D. Greater resistance to electromagnetic interference and support for much longer transmission distances

Greater resistance to electromagnetic interference and support for much longer transmission distances is correct.

Fiber optic cabling carries data as light in glass or plastic fibers so it is not affected by electromagnetic interference from power lines motors or nearby copper cables. This physical property makes fiber a reliable choice for campus backbone links between buildings and main switches where electrical noise can be present.

Fiber also exhibits much lower attenuation than copper, so a single run can span several hundred meters on multimode fiber and tens of kilometers on single mode fiber, well beyond the 100 meter channel limit of twisted pair Ethernet. That capacity for longer transmission distances and higher bandwidth makes fiber the practical medium for backbones that must support aggregated traffic and future growth.

Cloud Interconnect is incorrect because it describes a service or connection model for linking to cloud providers rather than a physical cabling medium for campus backbones. It does not address why one cable type would be chosen over another.

Use of standard RJ45 connectors is incorrect because RJ45 is the connector for copper twisted pair Ethernet. Fiber uses different connectors such as LC or SC and requires optical transceivers or media converters to connect to networking equipment.

Lower upfront cost and easier installation is incorrect because fiber components and termination often cost more up front and require specialized tools and skills. Fiber can lower long term costs and provide greater capability over distance but it is not generally chosen for lower initial cost or simpler installation.

Look for answers that describe the physical properties of the medium such as EMI immunity and maximum distance when the question asks why one cabling type is used for a backbone.

A cloud consulting firm needs a public key method to let two endpoints agree on a secret over an untrusted network. Which asymmetric algorithm is most commonly used to accomplish this?

  • ✓ C. Diffie-Hellman

The correct answer is Diffie-Hellman.

Diffie-Hellman is the canonical public key based key agreement algorithm. Each endpoint combines its own private value with the other side's public value to derive the same shared secret over an untrusted network, and the secret itself is never transmitted. It is widely used as the key exchange component in protocols such as TLS and IPsec and it supports ephemeral modes that provide forward secrecy.

RSA is an asymmetric algorithm used for encryption and digital signatures and it can be used to transport keys in some protocols. It does not perform the same interactive key agreement process as Diffie-Hellman and it will not provide forward secrecy unless combined with ephemeral mechanisms.

SHA-256 is a cryptographic hash function and not an asymmetric algorithm. It produces message digests and cannot be used by itself to perform key agreement between two parties.

AES is a symmetric block cipher used for bulk encryption and it requires a shared key. It is not a method for two endpoints to agree on a secret, although the key AES uses can be established via a key agreement algorithm such as Diffie-Hellman.

When a question asks about two endpoints agreeing on a secret or performing key exchange look for Diffie-Hellman or its elliptic curve variant rather than encryption or hashing algorithms.
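As an added example that is not part of the original page, here is a finite field Diffie-Hellman exchange written in plain Python using the published 2048-bit MODP group 14 from RFC 3526 (generator 2). Both sides are shown, only the public values cross the wire, and the shared secret is passed through SHA-256 before use as a key. The example also shows two checks practitioners expect in real implementations: validating that the group is a safe prime with a generator of the large prime-order subgroup, and rejecting peer public values that fall outside the valid range or the prime-order subgroup (small subgroup confinement). The private exponents are fresh per run, which is what makes the exchange ephemeral. The party names and key derivation step are the example's own choices; the prime is transcribed from the RFC.

```python
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2, transcribed from the RFC.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2          # for a safe prime, the order of the subgroup generated by G


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Miller-Rabin with fixed bases: a probable prime test, adequate to sanity check a published group."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p, g, q):
    """p and q=(p-1)/2 must be prime and g must generate the order-q subgroup."""
    return is_probable_prime(p) and is_probable_prime(q) and 1 < g < p - 1 and pow(g, q, p) == 1


class Party:
    """One endpoint of the exchange (hypothetical name used only for the demo)."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(Q - 2) + 2    # fresh x in [2, q-1] per exchange
        self.public = pow(G, self.private, P)          # this value is sent to the peer

    def derive_key(self, peer_public):
        # Reject out-of-range values and elements outside the prime-order subgroup.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        if pow(peer_public, Q, P) != 1:
            raise ValueError("peer public value not in the prime-order subgroup")
        shared = pow(peer_public, self.private, P)
        # Never use the raw group element as a key; hash its fixed-length encoding.
        return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def run_exchange():
    """Both sides of the protocol: only alice.public and bob.public travel over the network."""
    alice, bob = Party("alice"), Party("bob")
    key_at_alice = alice.derive_key(bob.public)
    key_at_bob = bob.derive_key(alice.public)
    return key_at_alice, key_at_bob


if __name__ == "__main__":
    k_a, k_b = run_exchange()
    print("group valid:", validate_group(P, G, Q), "keys match:", k_a == k_b)
```

Because each run draws new private exponents, compromising a party's long-term credentials later does not reveal keys from past sessions; that is the forward secrecy property the explanation above refers to. An attacker who can only observe the public values faces the discrete logarithm problem in a 2048-bit group.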

After a security incident has been contained and normal operations resumed, what step should the response team perform to help prevent the same incident from recurring?

  • ✓ C. Perform a post incident review and implement new countermeasures

The correct answer is Perform a post incident review and implement new countermeasures.

Perform a post incident review and implement new countermeasures is the right choice because this step occurs after containment and service restoration and focuses on preventing recurrence. The review phase captures lessons learned and performs root cause analysis so the organization can identify what failed and which controls need strengthening.

The team should update incident response plans and playbooks and implement technical and procedural countermeasures such as improved detection rules, configuration changes, and targeted user training. Turning the findings of the post incident review into concrete changes is how an organization reduces the likelihood of the same incident happening again.

Detection analysis and escalation is incorrect because that activity belongs to the identification and triage phases when an incident is first detected. It is not the action you perform after containment and normal operations have resumed.

Service recovery is incorrect because recovering services is the step that restores normal operations. The question states that normal operations have already resumed and asks what to do next to prevent recurrence.

Proactive preparation is incorrect because preparation happens before an incident. Proactive measures are important but they are not the post incident step that turns lessons learned into new countermeasures.

On exam questions identify where in the incident response lifecycle the task belongs. Look for answers that mention post-incident review or lessons learned when the prompt says containment and recovery are complete.

Which of the following items is classified as a “something you have” authentication factor?

  • ✓ C. Smart card token

The correct answer is Smart card token.

Smart card token is a physical device that stores cryptographic credentials or private keys and proves possession during authentication. It is classified as a something you have factor because the user must physically present or insert the card or token to authenticate. Smart cards are often used together with a PIN so that possession and knowledge are combined for stronger authentication.

Biometric fingerprint is incorrect because fingerprints are biometric traits and belong to the something you are category rather than a possession factor.

Cloud Identity is incorrect because it names an identity service or account and not a physical object that a user possesses. An identity provider is not a something you have authentication factor in the classic model.

Secret passphrase is incorrect because a passphrase is information the user knows and therefore fits the something you know category instead of a possession factor.

When you see factor classification questions ask whether the item is a physical object, something remembered, or a biological trait. Focus on whether the user must physically possess the item to authenticate to identify a something you have factor.

Since the Kerberos Ticket Granting Service and the authentication servers store all secret keys and perform client authentication what kinds of attacks are these servers most exposed to?

  • ✓ B. Susceptible to both physical tampering and malicious software infections

The correct answer is Susceptible to both physical tampering and malicious software infections.

Kerberos Ticket Granting Service and authentication servers function as key distribution centers and they store long lived secret keys for many principals. Because they hold those secrets they are high value targets and are therefore vulnerable to attackers who can gain physical access and to attackers who can install or run malicious software on them.

Physical tampering can allow an attacker to extract keys or firmware and bypass protections by accessing hardware directly. Malicious software infections can capture keys from memory, alter authentication logic, or exfiltrate credentials over the network. Both attack classes can lead to full compromise of the authentication service.

Susceptible only to attacks from malicious software is incorrect because it ignores the serious risk from physical access and hardware compromise which can give direct access to stored keys.

Susceptible to credential guessing and offline password cracking attacks is incorrect because those attacks target user passwords or captured hashes and are not the primary risks to a server that centrally stores long term keys. The server is more at risk from direct compromise through tampering or malware than from simple guessing attacks against individual credentials.

Susceptible only to physical tampering is incorrect because it overlooks the real threat posed by malware which can remotely extract keys or subvert the authentication process without any physical access.

When a question says a server “stores secret keys” think about threats that allow extraction of those keys both by direct physical access and by software based attacks. Focus on the highest value vectors that can expose keys.

Under an IPv4 addressing scheme which address class can accommodate the greatest number of host addresses?

  • ✓ D. Class A

Class A is correct because it supports the largest number of host addresses under the original classful IPv4 addressing scheme.

Class A uses a default mask of /8 which leaves 24 bits for host addresses. That yields 2^24 minus 2 usable addresses per network which equals 16,777,214 hosts after removing the network and broadcast addresses.

Class B is incorrect because it uses a default /16 mask which leaves 16 bits for hosts. That gives 2^16 minus 2 usable addresses which equals 65,534 hosts per network and that is far fewer than a Class A network.

Class C is incorrect because it uses a default /24 mask which leaves only 8 bits for hosts. That yields 2^8 minus 2 usable addresses which equals 254 hosts per network and that is much smaller than Class A or Class B.

Class E is incorrect because those addresses are reserved for experimental or future use and are not assigned for general host addressing. Class E is not available for normal host networks which makes it irrelevant when choosing the class with the greatest number of hosts.

Remember that Class A has the largest host space under classful addressing and that modern networks use CIDR and subnetting instead of strict class boundaries.

If a malicious actor transmits an ICMP packet that exceeds 72 kilobytes to a server what type of network attack does this represent?

  • ✓ B. Ping of Death

The correct answer is Ping of Death.

An ICMP packet that exceeds the IPv4 maximum datagram size can cause problems during fragmentation and reassembly and that behavior is the classic characteristic of the Ping of Death. IPv4 limits a packet to 65,535 bytes and a 72 kilobyte ICMP packet is larger than that limit. Historically some implementations attempted to reassemble oversized fragments which led to memory corruption or crashes and that is why this attack is identified as the Ping of Death. Modern systems are generally patched to discard or properly handle such oversized fragments so it is largely a historical attack pattern.

Teardrop attack is incorrect because it relies on sending fragments with overlapping offsets to confuse reassembly logic rather than sending a single ICMP packet that exceeds the maximum IP datagram size.

TCP SYN flood is incorrect because that attack exhausts server TCP connection state by sending many SYN packets and not by sending oversized ICMP fragments.

Buffer overflow exploit is incorrect as an answer because it describes a general class of vulnerabilities and exploits rather than naming the specific network attack. The Ping of Death is the specific historical network attack that caused a buffer overflow via oversized ICMP reassembly.

Smurf amplification attack is incorrect because it uses spoofed ICMP echo requests to broadcast addresses to amplify traffic toward a victim and it does not involve sending an ICMP packet that exceeds the IP maximum size.

When you see an ICMP packet larger than the IP maximum think Ping of Death. If the question mentions overlapping fragments think Teardrop. Use protocol behavior to rule out amplification and SYN flood answers.
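As an added example that is not part of the original page, the Python below ties the two preceding questions together: it builds and parses 20 byte IPv4 headers (reading the protocol number, flags and fragment offset), classifies addresses under the original classful scheme with the host counts given above, and runs the two fragment sanity checks a reassembly engine or IDS would apply. A fragment whose offset plus payload ends beyond 65,535 bytes is the Ping of Death pattern; a fragment whose byte range overlaps an earlier one is the Teardrop pattern. The packets are constructed inline with documentation addresses and are not captures; the checksum is left at zero since it is not needed for the checks.

```python
import ipaddress
import struct

IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # IANA assigned numbers
MAX_DATAGRAM = 65535      # IPv4 Total Length is a 16 bit field
HDR = "!BBHHHBBH4s4s"     # version/IHL, TOS, total len, id, flags+offset, TTL, proto, csum, src, dst


def build_ipv4_header(src, dst, proto, total_length, frag_offset=0, more_fragments=False, ident=0x1234):
    """Construct a minimal IPv4 header for the samples (checksum left as 0)."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset // 8)  # offset in 8 byte units
    return struct.pack(HDR, 0x45, 0, total_length, ident, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(data):
    vihl, _tos, total_length, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(HDR, data[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": (vihl & 0x0F) * 4,
        "total_length": total_length,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, f"proto-{proto}"),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def classful_class(addr):
    """Return (class letter, usable hosts per network) under classful addressing."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A", 2 ** 24 - 2
    if first_octet < 192:
        return "B", 2 ** 16 - 2
    if first_octet < 224:
        return "C", 2 ** 8 - 2
    if first_octet < 240:
        return "D", 0     # multicast, no host addressing
    return "E", 0         # reserved / experimental


def check_fragments(headers):
    """Inspect the parsed fragments of one datagram (same id) and report attack patterns."""
    findings, seen = [], []
    for h in sorted(headers, key=lambda x: x["frag_offset"]):
        start = h["frag_offset"]
        end = start + (h["total_length"] - h["ihl"])
        if end > MAX_DATAGRAM:
            findings.append(f"oversized reassembly: fragment ends at byte {end} > {MAX_DATAGRAM} (Ping of Death pattern)")
        for s, e in seen:
            if start < e and end > s:
                findings.append(f"overlapping fragment: [{start},{end}) overlaps [{s},{e}) (Teardrop pattern)")
        seen.append((start, end))
    return findings


def sample_findings():
    """Three constructed fragment sets: Ping of Death, Teardrop, and a benign two-piece datagram."""
    src, dst = "198.51.100.7", "203.0.113.10"
    pod = [parse_ipv4_header(build_ipv4_header(src, dst, 1, 1500, frag_offset=65528))]
    teardrop = [parse_ipv4_header(build_ipv4_header(src, dst, 17, 52, frag_offset=0, more_fragments=True)),
                parse_ipv4_header(build_ipv4_header(src, dst, 17, 52, frag_offset=24))]
    benign = [parse_ipv4_header(build_ipv4_header(src, dst, 17, 1500, frag_offset=0, more_fragments=True)),
              parse_ipv4_header(build_ipv4_header(src, dst, 17, 540, frag_offset=1480))]
    return check_fragments(pod), check_fragments(teardrop), check_fragments(benign)


if __name__ == "__main__":
    for name, result in zip(("ping of death", "teardrop", "benign"), sample_findings()):
        print(name, "->", result or "no findings")
```

The Ping of Death check is purely arithmetic on the header, which is why modern stacks can discard the offending fragment before allocating a reassembly buffer; the overlap check needs state across fragments, which is the part early reassembly code got wrong.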

In which setting would a person have a “reasonable expectation of privacy”?

  • ✓ C. Private residence

The correct answer is Private residence.

A private residence is where a person typically has the strongest and most reasonable expectation of privacy because the occupant controls access and personal activities within the home. Courts have long recognized that a home is the quintessential private space and that people generally expect freedom from unreasonable observation and intrusion there.

Community park is incorrect because parks are public places that are open to anyone and visible to passersby. There is no meaningful expectation that activities in an open park are shielded from observation by the public or authorities.

City sidewalk is incorrect for the same reason. Sidewalks are public thoroughfares and what a person exposes to public view on a sidewalk is not typically protected by a reasonable expectation of privacy.

Workplace office is incorrect because the expectation of privacy at work is limited and depends on factors such as employer policies, shared space, and monitoring practices. Employers often have the right to monitor communications and access in offices, so the privacy expectation is not as strong as in a private home.

When deciding which setting offers a reasonable expectation of privacy ask whether the area is privately controlled and not open to the public or subject to employer monitoring.

A regional cloud operator wants its server sites to remain functional during utility outages so they install duplicate power modules backup diesel generators and two separate utility feeds. What resilience strategy is being used?

  • ✓ C. N plus one redundancy

The correct option is N plus one redundancy.

This scenario is an example of N plus one redundancy because the operator has installed duplicate power modules, backup diesel generators, and two separate utility feeds so that there is at least one independent spare component available if a primary component or feed fails. Under N plus one redundancy the infrastructure is sized to tolerate a single failure without losing functionality, which matches the described measures.

Active active deployment is incorrect because that term describes multiple systems or sites actively sharing load at the same time for capacity and failover. The question describes added spare power capacity at sites rather than multiple active sites handling the workload.

Geographic redundancy is incorrect because geographic redundancy means placing resources in separate physical locations to survive regional failures or disasters. The described duplicate modules and generators are site level power resiliency measures and do not indicate separate geographic sites.

Multipath network design is incorrect because that concept applies to having multiple physical network paths to avoid connectivity single points of failure. The question focuses on power infrastructure redundancy and not on network path diversity.

When an exam item lists duplicate power equipment and a single spare unit think N+1 as the likely answer. Focus on whether the question is about power or about multiple active sites to avoid confusing it with active active or geographic options.

Marcus is head of operations at a financial technology startup that is deploying cloud services across several continents. He needs to ensure that customer records are stored and processed in line with global privacy and compliance rules. Which legal risk is most relevant to his cloud security strategy?

  • ✓ C. Data residency and jurisdictional requirements

Data residency and jurisdictional requirements is the correct option for Marcus to prioritize in his cloud security strategy.

When customer records are stored and processed across multiple continents governments and regulators can impose rules about where data must be kept and which legal systems can access it. These rules create legal risks that are separate from technical controls and they can force changes to data placement encryption and contract terms to remain compliant.

Identity and Access Management is important for controlling who can access systems and data but it does not directly address the legal question of which country has authority over the data.

Network security monitoring and intrusion detection provide detection and response capabilities that help protect data from breaches but they do not resolve jurisdictional obligations or cross border transfer restrictions.

Service level agreement obligations cover availability performance and some contractual liabilities and they are important for operations but they are not the primary legal risk when the concern is where customer records may lawfully be stored or accessed.

Focus on the question words such as where and who has legal authority when deciding whether the risk is legal jurisdictional or technical.

When a certified SSCP practitioner must choose a course of action what quality should be the primary consideration?

  • ✓ C. Ethical conduct and professional integrity

Ethical conduct and professional integrity is the correct choice.

Ethical conduct and professional integrity must be the primary consideration because certified practitioners have a duty to protect people and systems and to maintain public trust when making decisions.

When technical options and legal requirements conflict or when resources are limited the guiding principle should be ethical judgment and professional integrity so that actions do not cause harm even if they are feasible or cheaper.

Cost effective and mindful of budgets is an important operational concern but it is not primary because prioritizing cost can lead to unsafe or unethical outcomes.

Technically accurate and operationally feasible is necessary for implementation but it does not address moral obligations or conflicts of interest and so it cannot be the sole guiding quality.

Compliant with applicable laws and regulations is required and it sets a baseline for behavior but legal compliance alone does not ensure ethical conduct and laws may lag behind professional responsibilities.

When faced with choices pick the option that emphasizes integrity and protection of stakeholders rather than one that focuses only on cost, technical ease, or minimal legal compliance.

At a neighborhood bookstore who has the strongest reasonable expectation of privacy regarding the premises and daily operations?

  • ✓ B. Store proprietor

The correct answer is Store proprietor, who has the strongest reasonable expectation of privacy regarding the premises and daily operations.

The Store proprietor owns or controls the business premises and sets rules for access and operation. Ownership and control create the primary interest in confidentiality for inventory, business records, layout, and daily procedures, and that control is what courts and privacy doctrine use to determine who has the strongest reasonable expectation of privacy.

Independent contractor is incorrect because a contractor typically does not own the premises and works under terms set by the proprietor. The contractor’s access and authority are usually limited by contract and oversight, so their expectation of privacy in the store is weaker than the proprietor’s.

Guest on site is incorrect because visitors have a very limited expectation of privacy. Guests are subject to the proprietor’s rules and do not control store operations or business records, so they have little claim to privacy over the premises or daily operations.

Staff member is incorrect because employees have reduced privacy in employer owned spaces. Staff may have access to more areas than guests, but the proprietor retains authority to inspect work areas and records and to set policies, so employee privacy expectations are lower than the proprietor’s.

On reasonable expectation of privacy questions focus on who legally owns or controls the space and who can exclude others. Ownership and operational control usually indicate the strongest expectation.

A regional digital agency called Meridian Studios needs a dependable way to find unauthorized software on employee desktops and to uncover license misuse. What approach is most effective for detecting software license violations?

  • ✓ C. Perform periodic automated scans of employee workstations to inventory installed applications

Perform periodic automated scans of employee workstations to inventory installed applications is correct. This approach directly discovers what is installed on each endpoint and creates an auditable inventory that you can use to spot unauthorized software and reconcile licenses.

Automated workstation scans provide comprehensive visibility because they enumerate installed applications and versions across the estate and they can run on a schedule to catch new or changed installations. The inventory data can feed software asset management processes and license reconciliation tools to reveal overdeployment or unlicensed copies. Scans also support remediation workflows so IT can remove unauthorized applications or adjust licensing to match actual usage.

Enforce diskless thin client workstations is not the best answer because changing endpoint architecture is an operational and cost decision and it does not by itself detect existing license violations on standard desktops. Thin clients can reduce local installs but they are not a detection mechanism for software already present on employee machines.

Cloud Asset Inventory can be useful but it may not capture all locally installed applications unless each workstation reports into the cloud inventory service. Relying only on cloud inventory may miss offline devices or applications that are not integrated with the cloud collector so it is less directly effective than performing automated scans on the endpoints themselves.

Deploy software metering on the corporate network helps monitor usage patterns and can inform license optimization, but metering often tracks execution rather than presence and it may not reveal all unauthorized installed copies. For full detection of license violations you need an inventory of installed applications in addition to usage data.

On exam questions about detecting unauthorized software prioritize answers that provide direct and auditable visibility of installed applications and support automated, repeatable inventory processes.
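As an added example that is not part of the original page, the Python below shows the reconciliation step that follows an automated workstation scan: the inventory is deduplicated per host, compared against an approved software catalogue to find unauthorized installs, compared against purchased seat counts to find overdeployment, and diffed against the previous scan to surface new installations since the last run. The scan records, approved list and entitlements are constructed for the demo (hypothetical hostnames and products); a real deployment would pull them from the endpoint agent and the software asset management system.

```python
from collections import defaultdict

# Constructed scan output as an endpoint inventory agent would report it:
# (hostname, application, version). Not real data.
PREVIOUS_SCAN = [
    ("ws-001", "Adobe Acrobat Pro", "23.1"),
    ("ws-001", "7-Zip", "23.01"),
    ("ws-002", "Adobe Acrobat Pro", "23.1"),
    ("ws-003", "Wireshark", "4.2.0"),
]
CURRENT_SCAN = PREVIOUS_SCAN + [
    ("ws-003", "Adobe Acrobat Pro", "22.3"),   # third copy, only two seats owned
    ("ws-004", "uTorrent", "3.6"),             # not in the approved catalogue
    ("ws-004", "7-Zip", "23.01"),
    ("ws-004", "7-Zip", "23.01"),              # duplicate record from a rescan
]

# Assumed approved catalogue and purchased seats (would come from the SAM system).
APPROVED = {"Adobe Acrobat Pro", "7-Zip", "Wireshark"}
ENTITLEMENTS = {"Adobe Acrobat Pro": 2, "Wireshark": 5}   # 7-Zip needs no seat


def installs_by_app(scan):
    """Map application -> set of hosts; duplicate records per host collapse to one install."""
    hosts = defaultdict(set)
    for host, app, _version in scan:
        hosts[app].add(host)
    return hosts


def reconcile(scan, approved=APPROVED, entitlements=ENTITLEMENTS):
    """Report unauthorized software and seat overdeployment from a scan."""
    hosts = installs_by_app(scan)
    unauthorized = {app: sorted(h) for app, h in hosts.items() if app not in approved}
    overdeployed = {app: (len(h), entitlements[app])
                    for app, h in hosts.items()
                    if app in entitlements and len(h) > entitlements[app]}
    return {"unauthorized": unauthorized, "overdeployed": overdeployed}


def new_installs(previous, current):
    """(host, app) pairs present now but absent from the previous scan."""
    before = {(host, app) for host, app, _v in previous}
    return sorted({(host, app) for host, app, _v in current} - before)


if __name__ == "__main__":
    print(reconcile(CURRENT_SCAN))
    print(new_installs(PREVIOUS_SCAN, CURRENT_SCAN))
```

Counting hosts rather than raw records matters: a seat licence is usually per device, and rescans or reinstalls would otherwise inflate the count and trigger false overdeployment findings.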

In access control terminology what word describes the item that a user or application performs actions on?

  • ✓ C. Object

The correct answer is Object.

An Object in access control is the item that a user or application performs actions on. It is the target of access requests and can be a file, a database record, a device, a service, or other tangible items managed by the system. Access control models make decisions about which subjects may perform which operations on objects under specified conditions.

Actor is incorrect because an actor is the initiator of actions or requests rather than the target. Actors are subjects such as users, processes, or systems and so the term does not name the item being acted upon.

Resource is not the expected answer here because resource is a broader and sometimes interchangeable term. Many formal access control definitions and exam questions use the specific term object to mean the item being acted on and so resource is not the preferred technical term in this context.

Entity is incorrect because entity is a generic term that can refer to either subjects or objects and it does not specifically denote the target of actions in access control terminology.

When a question asks about the item being acted on think of the access control target and remember the specific exam term is object rather than actor or a generic resource.

A digital health startup that uses multiple cloud providers needs to implement a retention policy that meets GDPR and HIPAA requirements. What is the most important initial action to take when developing a data retention policy?

  • ✓ D. Inventory and classify data types by sensitivity and applicable regulations

Inventory and classify data types by sensitivity and applicable regulations is the correct initial action when developing a data retention policy.

Inventory and classify data types is the starting point because retention obligations and permissible retention periods depend on the specific data elements and the laws that cover them. You must know which records are personal data, which are protected health information, and which other categories exist before you can map retention periods and controls to GDPR and HIPAA requirements.

Inventory and classification also enable targeted application of technical and administrative controls such as encryption, access controls, and legal holds. Classifying data across all cloud providers lets the organization implement consistent retention rules, prove compliance during audits, and avoid overretention or premature deletion.

Google Cloud Data Loss Prevention is not the best initial action because it is a specific tool for discovering and protecting sensitive data rather than the planning step of identifying what data you hold and which regulations apply. Tool selection comes after you complete an inventory and classification.

Apply legal holds to all sensitive datasets is incorrect because legal holds are a preservation measure used for specific litigation or investigations and they should be applied selectively. Applying holds to everything is not a practical or legally appropriate first step and it can conflict with privacy driven deletion requirements.

Encrypt all records before storing them in the cloud is incorrect because encryption is an important safeguard but it does not replace the need to identify and classify data or to set retention schedules. Encryption alone does not satisfy retention, deletion, or documentation obligations under GDPR and HIPAA.

Begin policy questions by thinking about what data you have and which rules apply before you choose tools or enforcement actions.

Within the information security CIA model what concept does the letter C denote?

  • ✓ D. Confidentiality

The correct answer is Confidentiality.

Confidentiality means protecting information from unauthorized access and disclosure. It is one of the three core principles of the CIA model, and it emphasizes that only authorized parties should be able to read or obtain the data.

Configuration is incorrect because that term refers to system settings and setup and not to the C in the CIA triad which stands for the secrecy of information.

Control is incorrect because controls are mechanisms or safeguards used to enforce security but the CIA letters represent security objectives and not the measures used to achieve them.

Compliance is incorrect because compliance concerns meeting laws, regulations, and standards and it is not the concept represented by the C in the CIA model.

Remember the three words Confidentiality, Integrity, and Availability. When you see the letter C on an exam think about protecting secrecy and preventing unauthorized disclosure.

How can a software company best demonstrate that its incident response plan is aligned with its commercial goals and leadership priorities?

  • ✓ B. Executive leadership has formally approved and authorized the incident response plan

The correct option is Executive leadership has formally approved and authorized the incident response plan.

Formal approval by executive leadership shows that the incident response plan is not just a technical document but a governance instrument that supports commercial goals and leadership priorities. Executive authorization demonstrates that the plan has the necessary decision authority, resources, and visibility to be executed in ways that protect business objectives and meet stakeholder and regulatory expectations.

Access to the plan is limited to a small dedicated incident response group is incorrect because restricting access alone does not prove alignment with leadership priorities. Limiting visibility can hinder leadership engagement and prevent the plan from reflecting business needs and escalation paths.

The plan is maintained by the operations team and undergoes an annual technical review is incorrect because operational maintenance and periodic technical review are necessary but not sufficient. Those activities do not demonstrate executive buy in or that the plan addresses commercial risk decisions and priorities.

The document contains detailed step-by-step procedures for eradicating malware and disinfecting systems is incorrect because detailed technical procedures are useful for responders but they do not show that the plan aligns with business goals or has leadership authorization. Alignment requires governance, defined business objectives, and executive sponsorship as well as technical guidance.

When an item asks about alignment with commercial goals look for evidence of executive sponsorship or formal authorization rather than only technical controls or limited operational access.

A network analyst inspects an IPv4 packet and finds the protocol field set to 17. Which transport layer protocol does that value represent?

  • ✓ D. UDP

The correct option is UDP.

The IPv4 header contains a Protocol field that holds a numeric value to identify the next layer protocol. The value 17 is assigned to UDP by IANA and it corresponds to the User Datagram Protocol. UDP is a connectionless transport protocol that uses port numbers to deliver datagrams to applications.

TCP is incorrect because the protocol number for TCP is 6 and TCP is a connection oriented transport protocol, so it does not match 17.

IGMP is incorrect because the protocol number for IGMP is 2 and IGMP is used for multicast group management at the IP layer rather than as a transport protocol.

ICMP is incorrect because the protocol number for ICMP is 1 and ICMP is an Internet control and diagnostic protocol rather than a transport protocol for application data.

Memorize the common IPv4 Protocol numbers such as 1 for ICMP, 2 for IGMP, 6 for TCP, and 17 for UDP. When in doubt refer to the IANA protocol numbers list during study. In practice the same numbers drive packet filters, for example the Wireshark display filter ip.proto == 17 shows only UDP traffic.
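The following is an added example, not code from the original article. It decodes a raw IPv4 header the way an analyst would when inspecting a capture by hand: it reads the version and IHL, verifies the header checksum, and translates the Protocol field to a name. The packet bytes, addresses and the PROTOCOL_NUMBERS subset are constructed for the demonstration.

```python
"""Parse a raw IPv4 header and name the protocol in its Protocol field.

Added example, not from the original article. The packet bytes below are
constructed for the demonstration; PROTOCOL_NUMBERS covers only the values
discussed in the question.
"""
import struct

# IANA "Assigned Internet Protocol Numbers" (subset used here).
PROTOCOL_NUMBERS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Return the checksum a sender must store: one's complement of the sum
    over the header with the checksum field (bytes 10-11) treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~_ones_complement_sum(zeroed)) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte header, honour IHL for options, verify the
    header checksum and translate the Protocol field to a name."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header: %d bytes" % len(packet))
    (version_ihl, _tos, total_length, _ident, _flags_frag,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes, 20-60
    if version != 4:
        raise ValueError("not IPv4: version %d" % version)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL %d for %d-byte packet" % (ihl, len(packet)))
    header = packet[:ihl]
    return {
        "version": version,
        "header_length": ihl,
        "total_length": total_length,
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": PROTOCOL_NUMBERS.get(protocol, "other (%d)" % protocol),
        "checksum_ok": ipv4_header_checksum(header) == checksum,
        "src": "%d.%d.%d.%d" % tuple(src),
        "dst": "%d.%d.%d.%d" % tuple(dst),
        "payload": packet[ihl:],
    }


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte header with a correct checksum (constructed test input)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                         0x1C46, 0x4000, ttl, protocol, 0, src_b, dst_b)
    return fields[:10] + struct.pack("!H", ipv4_header_checksum(fields)) + fields[12:]


# Constructed sample: a DNS query from 192.168.1.10 to 10.0.0.5 carried in UDP
# (8-byte UDP header followed by 4 payload bytes).
UDP_PAYLOAD = struct.pack("!HHHH", 53000, 53, 12, 0) + b"quer"
SAMPLE_PACKET = build_ipv4_header("192.168.1.10", "10.0.0.5", 17, len(UDP_PAYLOAD)) + UDP_PAYLOAD

if __name__ == "__main__":
    info = parse_ipv4_header(SAMPLE_PACKET)
    print("%s -> %s proto=%d (%s) checksum_ok=%s" % (
        info["src"], info["dst"], info["protocol"], info["protocol_name"], info["checksum_ok"]))
```

The checksum check matters when reading captures: a packet whose Protocol byte has been altered in transit or by a broken tool will still parse, but the recomputed checksum no longer matches the stored one, so the decoder flags it rather than silently trusting the field.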

A regional fintech company called Solace Financial is concerned about weaknesses in its public facing web applications and APIs. Which testing approach is best suited to evaluate that external exposure?

  • ✓ D. Black box testing

Black box testing is correct. It evaluates the public facing web applications and APIs from an external perspective and does not rely on any internal knowledge.

Black box testing simulates what an outside attacker can discover and exploit by using external reconnaissance, dynamic testing, and manual penetration techniques. This approach focuses on runtime behavior and the exposed interfaces of web apps and APIs so it will reveal authentication and session issues, input validation flaws, misconfigured endpoints, and API logic problems that an external user could leverage.

Gray box testing is not ideal because it assumes the tester has some internal knowledge or credentials. That mixed-knowledge approach is useful for certain assessments but it does not represent a purely external, unauthenticated attacker.

Automated vulnerability scanning can quickly find many known issues on public endpoints, but scanners often miss complex authentication bypasses and business logic flaws. Scanning is a helpful supplement but it does not replace a full external black box evaluation.

White box testing involves full access to source code, design, and internal architecture and it focuses on code level defects. That makes it less appropriate when the primary goal is to measure external exposure from the perspective of an outsider.

When a question mentions public facing or external systems look for phrases that imply no internal knowledge and pick the testing method that emulates an outside attacker.

A security team at Meridian Tech is comparing cryptographic approaches and asks which technique is regarded as theoretically unbreakable?

  • ✓ D. One time pad

One time pad is the correct option because it is the only listed technique that offers information theoretic security, that is, perfect secrecy in Shannon's sense: the ciphertext reveals nothing about the plaintext no matter how much computing power the attacker has.

One time pad achieves this level of security only when the key is truly random, the key is at least as long as the plaintext, the key is kept completely secret, and the key is never reused. It also provides confidentiality only: flipping a bit of the ciphertext flips the corresponding plaintext bit undetected, so integrity needs a separate mechanism.

One time pad is impractical for most real world systems because key generation and secure distribution are difficult for long messages, and this practical limitation is why it is not commonly used despite its theoretical strength.

Elliptic curve cryptography is based on hard mathematical problems and offers very strong practical security, but it is not information theoretically unbreakable because its security depends on computational assumptions and on the current limits of algorithms and computing power.

Single DES is insecure because its 56 bit key size is too small and it is vulnerable to brute force attacks. The algorithm has been deprecated and replaced by stronger standards, so it is not considered unbreakable in any sense and would not be the answer here.

Symmetric ciphers as a class include many algorithms that are secure in practice when keys are well managed, but they are not universally unbreakable because their security is based on computational hardness and not on information theoretic proofs except for the one time pad.

When a question asks about theoretical unbreakability look for the phrase one time pad or requirements that the key is truly random and never reused.
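The following is an added example, not code from the original article. It shows both sides of the argument above in working code: a key of the right length used once gives perfect secrecy, demonstrated by deriving, for any candidate plaintext, the key that would explain the same ciphertext; reusing the key once turns the scheme into a two-time pad, where XORing the two ciphertexts cancels the key and a guessed fragment of one message (a crib) reveals the other. The messages and the fixed key are constructed for the demonstration.

```python
"""One-time pad: perfect secrecy under the rules, total failure when a key is reused.

Added example, not from the original article. Keys and messages below are
constructed for the demonstration.
"""
import secrets


def generate_key(length: int) -> bytes:
    """Fresh key from the OS CSPRNG; for a true OTP it must never be reused."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt: XOR is its own inverse. Requires len(key) >= len(data)."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the same
    length there is a key under which the ciphertext decrypts to it, so the
    ciphertext alone cannot favour one plaintext over another."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return otp_xor(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same key: c1 XOR c2 == p1 XOR p2. The key cancels."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one message along p1^p2. At the right
    offset the result is the other message's text at that position."""
    results = []
    for offset in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[offset:offset + len(crib)]
        results.append((offset, otp_xor(window, crib)))
    return results


# Constructed messages of equal length and a fixed 27-byte key so the run is reproducible.
MESSAGE_1 = b"attack at dawn on the ridge"
MESSAGE_2 = b"retreat to base before noon"
FIXED_KEY = bytes.fromhex("5f3a91c2e84d07b6a11f4c9d2e7b60f3c48a9d1b57e2fa03d6c4b8")

if __name__ == "__main__":
    c1 = otp_xor(MESSAGE_1, FIXED_KEY)
    c2 = otp_xor(MESSAGE_2, FIXED_KEY)          # key reuse: the mistake
    leak = two_time_pad_leak(c1, c2)
    offset, recovered = crib_drag(leak, b"attack at dawn")[0]
    print("offset %d recovers %r from the other message" % (offset, recovered))
```

The crib-dragging step is why "never reused" is not a formality: once the key cancels, the attacker works on plaintext XOR plaintext, where ordinary language statistics and guessed phrases do the rest.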

A mid sized payments company named Northfield uses a federated identity platform and needs to enable single sign on for external applications. What is the primary function of the Security Assertion Markup Language protocol in identity and access management?

  • ✓ D. Transmitting authentication and authorization assertions between identity providers and service providers

The correct option is Transmitting authentication and authorization assertions between identity providers and service providers.

SAML is an XML based standard that defines how an identity provider sends signed assertions about a user to a service provider so the service provider can make authentication and authorization decisions and enable single sign on across domains. The standard specifies the format of the assertions and, through its bindings and profiles, how browsers and services carry those assertions, so the user's credentials never have to be shared with the service provider.

Cloud Identity Aware Proxy is incorrect because that name refers to a specific Google Cloud product that controls access to web applications and resources and not to the general protocol function of exchanging identity assertions.

Holding user passwords in a single directory is incorrect because SAML does not prescribe where credentials are stored. An identity provider may authenticate against a directory but SAML itself transmits assertions rather than acting as a password store.

Encrypting authentication traffic between clients and servers is incorrect because transport layer security such as TLS handles encryption of client server traffic. SAML can sign and encrypt assertions as part of message security but its primary role is to assert identity and authorization information between providers.

When an option mentions assertions and both an identity provider and a service provider it is very likely describing a federation protocol such as SAML. Focus on the role described rather than implementation details.

When a company finds its disaster recovery plan does not work as intended what is the most common root cause?

  • ✓ B. Inadequate executive sponsorship and ongoing oversight

The correct answer is Inadequate executive sponsorship and ongoing oversight.

Inadequate executive sponsorship and ongoing oversight is the most common root cause because without clear executive ownership the disaster recovery program lacks priority, funding, and an accountable owner to keep the plan current.

Inadequate executive sponsorship and ongoing oversight also prevents sustained governance of testing, training, and change integration, so technical fixes or single exercises will not produce a reliable recovery posture on their own.

Insufficient rehearsal and testing is often a visible failure point but it is usually a symptom of poor sponsorship or scheduling rather than the underlying root cause.

Technology component failures can interrupt recovery efforts but they tend to be addressed by design choices such as redundancy and vendor management and they do not explain why the overall plan governance failed.

Shortfalls in employee training and preparedness degrade execution but they frequently result from lack of investment and prioritization driven by weak executive oversight.

When deciding on the root cause look for answers that point to governance and accountability rather than to single technical failures or isolated symptoms.


Cameron McKenzie Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.