Text preview & study summary
(ISC)2 SSCP - Systems Security Certified Practitioner - Access Controls Operations Risk Cryptography Networks Systems
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
An organization implements a vulnerability management program. They use a vulnerability scanner that produces 3,000 vulnerabilities across 500 servers each month. How should the security team PRIORITIZE remediation?
Explanation
Risk-based vulnerability prioritization considers multiple factors: (1) CVSS score (base severity), (2) Asset criticality (internet-facing system vs. isolated dev server), (3) Exploitability (public exploit code available? Weaponized?), (4) Threat intelligence (CISA KEV — Known Exploited Vulnerabilities catalog, active exploitation in the wild), (5) Business context (what data does the system process?). A CVSS 7.5 vulnerability with a weaponized exploit on an internet-facing system is higher priority than a CVSS 9.8 theoretical vulnerability on an isolated, internal dev server. CISA's KEV catalog is the most actionable threat intelligence source for prioritization. 3,000 vulnerabilities/month cannot all be remediated — risk-based prioritization focuses limited resources on real risk reduction.
Question 2
An organization is evaluating network segmentation using VLANs vs. physical network separation for their most sensitive financial systems. What is the SECURITY difference?
Explanation
VLAN security vs. physical separation: VLANs are a Layer 2 logical segmentation implemented in shared switches. VLAN hopping attacks: (1) double-tagging — crafting frames with two 802.1Q tags to traverse trunk ports, (2) switch spoofing — negotiating a trunk link with dynamic trunking protocol (DTP). Mitigations for VLANs: disable DTP, use non-default native VLAN, prune unused VLANs from trunk ports. Physical separation uses dedicated switches/infrastructure with no shared hardware, eliminating VLAN-based attack vectors. For the most sensitive systems (PCI CDE, classified networks), physical or virtual separation with dedicated firewalls is recommended. Well-configured VLANs with additional controls are acceptable for moderate security requirements.
Question 3
A security analyst is reviewing user account access for a financial application. They discover that a user in the accounting department has both the ability to create purchase orders AND approve them. Which security principle is VIOLATED?
Explanation
Separation of duties (SoD) requires that critical transactions requiring multiple steps be divided among different individuals to prevent fraud and error. In financial systems: creating a purchase order (initiation) must be separate from approving it (authorization). If one person controls both, they can create fraudulent POs and approve their own transactions. SoD is a fundamental internal control in financial systems, required by SOX (Sarbanes-Oxley) and PCI DSS. Least privilege (option A) is related but specifically addresses the breadth of permissions, while SoD addresses the combination of conflicting permissions.
Question 4
A security practitioner is implementing security controls for a web application that handles financial transactions. Which HTTP security header MOST directly prevents clickjacking attacks?
Explanation
Clickjacking attacks embed the target site in a transparent iframe on an attacker-controlled page, tricking users into clicking on invisible UI elements (confirming transactions, changing settings). `X-Frame-Options: DENY` prevents the page from being framed by ANY site. `X-Frame-Options: SAMEORIGIN` allows framing only from the same origin. The modern equivalent is `Content-Security-Policy: frame-ancestors 'none'` (more flexible). Other important headers: HSTS enforces HTTPS, CSP prevents XSS, X-Content-Type-Options prevents MIME sniffing, `Referrer-Policy` controls referrer information. All are important for web application security hardening.
Question 5
A security analyst is investigating a compromised system. They find a file named `system32.exe` in `C:\Users\Public\Downloads\`. What makes this suspicious?
Explanation
Path-based anomaly detection is a key endpoint threat hunting technique. Legitimate Windows binaries: (1) Are located in protected system directories (`C:\Windows\System32\`, `C:\Program Files\`), (2) Have valid Microsoft digital signatures, (3) Are not user-writable. Malware often: names itself like legitimate system processes/files (masquerading), places executables in user-writable directories (AppData, Downloads, Temp) to execute without admin privileges, and uses typosquatting (`svchost.exe` vs legitimate `svchost.exe`). Investigation: verify file path, check digital signature (right-click → Properties → Digital Signatures), compare file hash to known-good (VirusTotal), analyze with Process Monitor, review parent/child process relationships.
