Text preview & study summary

(ISC)2 SSCP - Systems Security Certified Practitioner - Access Controls Operations Risk Cryptography Networks Systems

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

An organization implements a vulnerability management program. They use a vulnerability scanner that produces 3,000 vulnerabilities across 500 servers each month. How should the security team PRIORITIZE remediation?

Answer choices

  • A. Remediate all vulnerabilities in alphabetical order by CVE number

  • B. Prioritize based on: risk-based scoring combining CVSS severity + asset criticality + exploitability (public exploit available) + threat intelligence (is it being actively exploited in the wild?) — focus first on critical/high CVEs with public exploits on internet-facing or critical business systems (Correct)

  • C. Remediate in the order the scanner reports vulnerabilities

  • D. Focus only on CVSS 10.0 vulnerabilities since lower scores are not significant risks

Explanation

Risk-based vulnerability prioritization considers multiple factors: (1) CVSS score (base severity), (2) Asset criticality (internet-facing system vs. isolated dev server), (3) Exploitability (public exploit code available? Weaponized?), (4) Threat intelligence (CISA KEV — Known Exploited Vulnerabilities catalog, active exploitation in the wild), (5) Business context (what data does the system process?). A CVSS 7.5 vulnerability with a weaponized exploit on an internet-facing system is higher priority than a CVSS 9.8 theoretical vulnerability on an isolated, internal dev server. CISA's KEV catalog is the most actionable threat intelligence source for prioritization. 3,000 vulnerabilities/month cannot all be remediated — risk-based prioritization focuses limited resources on real risk reduction.

Question 2

An organization is evaluating network segmentation using VLANs vs. physical network separation for their most sensitive financial systems. What is the SECURITY difference?

Answer choices

  • A. VLANs and physical separation provide identical security

  • B. Physical separation provides stronger isolation — VLAN hopping attacks (double-tagging, switch spoofing) can potentially bypass VLAN segmentation; physical air gaps or dedicated switches eliminate shared-infrastructure attacks (Correct)

  • C. VLANs are stronger than physical separation because they support encryption

  • D. Physical separation is less secure because it requires manual management

Explanation

VLAN security vs. physical separation: VLANs are a Layer 2 logical segmentation implemented in shared switches. VLAN hopping attacks: (1) double-tagging — crafting frames with two 802.1Q tags to traverse trunk ports, (2) switch spoofing — negotiating a trunk link with dynamic trunking protocol (DTP). Mitigations for VLANs: disable DTP, use non-default native VLAN, prune unused VLANs from trunk ports. Physical separation uses dedicated switches/infrastructure with no shared hardware, eliminating VLAN-based attack vectors. For the most sensitive systems (PCI CDE, classified networks), physical or virtual separation with dedicated firewalls is recommended. Well-configured VLANs with additional controls are acceptable for moderate security requirements.

Question 3

A security analyst is reviewing user account access for a financial application. They discover that a user in the accounting department has both the ability to create purchase orders AND approve them. Which security principle is VIOLATED?

Answer choices

  • A. Least privilege — the user has too many permissions

  • B. Separation of duties (SoD) — the same user should not be able to both initiate and approve financial transactions, as this enables fraud without detection (Correct)

  • C. Need-to-know — the user doesn't need purchase order access for their role

  • D. Defense in depth — multiple controls should be applied

Explanation

Separation of duties (SoD) requires that critical transactions requiring multiple steps be divided among different individuals to prevent fraud and error. In financial systems: creating a purchase order (initiation) must be separate from approving it (authorization). If one person controls both, they can create fraudulent POs and approve their own transactions. SoD is a fundamental internal control in financial systems, required by SOX (Sarbanes-Oxley) and PCI DSS. Least privilege (option A) is related but specifically addresses the breadth of permissions, while SoD addresses the combination of conflicting permissions.

Question 4

A security practitioner is implementing security controls for a web application that handles financial transactions. Which HTTP security header MOST directly prevents clickjacking attacks?

Answer choices

  • A. `Content-Security-Policy` (CSP) — restricts resource loading

  • B. `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` — prevents the page from being embedded in iframes on other sites, blocking clickjacking (Correct)

  • C. `Strict-Transport-Security` (HSTS) — forces HTTPS connections

  • D. `X-Content-Type-Options: nosniff` — prevents MIME type sniffing

Explanation

Clickjacking attacks embed the target site in a transparent iframe on an attacker-controlled page, tricking users into clicking on invisible UI elements (confirming transactions, changing settings). `X-Frame-Options: DENY` prevents the page from being framed by ANY site. `X-Frame-Options: SAMEORIGIN` allows framing only from the same origin. The modern equivalent is `Content-Security-Policy: frame-ancestors 'none'` (more flexible). Other important headers: HSTS enforces HTTPS, CSP prevents XSS, X-Content-Type-Options prevents MIME sniffing, `Referrer-Policy` controls referrer information. All are important for web application security hardening.

Question 5

A security analyst is investigating a compromised system. They find a file named `system32.exe` in `C:\Users\Public\Downloads\`. What makes this suspicious?

Answer choices

  • A. The `.exe` extension is unusual for a system file

  • B. Legitimate Windows system files are located in `C:\Windows\System32\`, not in user directories — a file with a system-sounding name in a user-writable directory is a classic malware indicator (DLL hijacking or dropper) (Correct)

  • C. The file size is unusually large

  • D. The file has a valid Microsoft digital signature

Explanation

Path-based anomaly detection is a key endpoint threat hunting technique. Legitimate Windows binaries: (1) Are located in protected system directories (`C:\Windows\System32\`, `C:\Program Files\`), (2) Have valid Microsoft digital signatures, (3) Are not user-writable. Malware often: names itself like legitimate system processes/files (masquerading), places executables in user-writable directories (AppData, Downloads, Temp) to execute without admin privileges, and uses typosquatting (`svchost.exe` vs legitimate `svchost.exe`). Investigation: verify file path, check digital signature (right-click → Properties → Digital Signatures), compare file hash to known-good (VirusTotal), analyze with Process Monitor, review parent/child process relationships.