74 SSCP Practice Questions to Dominate the Exam

BCP focuses on keeping the essential parts of the business running, even at a reduced capacity, during an adverse event.

This risk involves the entire lifecycle of a product from manufacturing to delivery, which is the core focus of supply chain security.

A hub is a simple Layer 1 device that receives a signal on one port and regenerates and repeats it out of all other ports. It does not read addresses or make any forwarding decisions.

The 56-bit key of DES became susceptible to brute-force attacks with the advance of computing power. 3DES effectively increases the key length by applying the DES algorithm three times.

If the hash values of the original and the copy match, it provides mathematical proof that the copy is an exact, unaltered duplicate, which is crucial for maintaining the chain of custody.

Multi-factor authentication requires combining at least two different factors (something you know, something you have, something you are). Both a password and a security question answer fall under ‘something you know’.

A logic bomb is designed to execute its payload only when a predefined condition is met, such as the termination of an employee’s account or a specific calendar date.

RAID 5 stripes data and distributes parity information across all disks in the array, offering a balance of performance, storage capacity, and fault tolerance for a single disk failure.

A VM escape is a critical vulnerability where an attacker compromises the isolation between a virtual machine and the underlying hypervisor, potentially giving them control over the entire host system.

RPO represents the maximum targeted period in which data might be lost from an IT service due to a major incident, essentially defining the acceptable age of the last backup.

This canon specifically addresses the professional’s duty to their direct clients or employers (principals), who are the only parties authorized to file a complaint under it.

This creates a digital signature. Bob can verify the signature using Alice’s public key, which proves the message came from her (authenticity, non-repudiation) and has not been altered (integrity).

A VPN encapsulates and encrypts traffic, extending a private network across a public network like the internet, ensuring confidentiality and integrity.

The ALE is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). In this case, $ALE = SLE times ARO = $200,000 times (1/50) = $4,000$.

A standard packet-filtering firewall makes its decisions based on information in the IP header (Layer 3 source/destination addresses) and the TCP/UDP header (Layer 4 source/destination ports).

VLANs allow a single physical switch to be partitioned into multiple logical networks, each functioning as an independent broadcast domain.

A hash function takes an input of any size and produces a fixed-size output (digest). It is computationally infeasible to reverse the process and derive the original input from its hash.

Offboarding is the formal process for when an employee leaves the organization, which must include the timely revocation of all access rights and credentials.

This is the default security stance for firewalls and access control lists, ensuring that only specifically approved traffic or access is permitted, and all other traffic is denied by default.

A standard provides mandatory requirements that specify how policies are to be implemented, often including detailed technical configurations for consistency and security.

WEP, the original encryption protocol for Wi-Fi, was found to have critical flaws that allow its encryption to be broken in minutes and is completely insecure by modern standards.

A TPM is a dedicated microchip designed to provide hardware-based security functions, such as securely storing encryption keys, platform integrity measurements, and authentication.

The hypervisor, or Virtual Machine Monitor (VMM), is the software that separates the physical hardware from the virtual machines, allocating resources and maintaining isolation between them.

A SIEM system is designed specifically to aggregate log data from diverse sources, correlate events, and detect complex security incidents that span multiple systems.

Volatile data is temporary information that exists in memory or transit and will be lost if the system is powered down. It must be collected from a live system in a specific order.

This attack involves secretly intercepting and relaying messages between two parties who believe they are communicating directly with each other.

By purchasing insurance, the company is transferring the financial impact of the risk to the insurance company in exchange for paying a premium.

MAM focuses on managing and securing specific corporate applications within a secure container on the device, allowing for selective wiping of only corporate data without affecting personal data.

MAC is the most stringent model where the system itself, not the resource owner, enforces access control based on security labels (e.g., Confidential, Secret, Top Secret).

White-box testing, also called crystal-box or full-knowledge testing, provides the assessor with complete transparency into the system to perform a deep and thorough analysis.

PaaS provides a platform where customers can develop, run, and manage applications without the complexity of building and maintaining the underlying infrastructure and platform software.

Federation allows a user from one organization (the identity provider) to use their existing credentials to access resources at another organization (the service provider) without needing a separate account.

ABAC is a dynamic model that uses policies combining multiple attributes of the subject, object, and environment (like location and time) to make sophisticated, real-time access decisions.

Creating a security baseline involves defining a standard, secure starting point for a system’s configuration. This baseline is then used for all new deployments and as a reference for configuration monitoring.

A preventive control aims to stop an incident from occurring in the first place. Patching a vulnerability eliminates the weakness, thus preventing it from being exploited.

FRR, or a Type I error, is the measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user.

Kerberos authenticates a user once and then issues short-lived, encrypted tickets that the user’s system can present to various services to gain access without re-entering a password.

This attack is designed to overwhelm the switch’s memory for storing MAC addresses (the CAM table), forcing it to behave like a hub and broadcast traffic.

This model provides a collaborative environment where infrastructure is shared among several organizations from a specific community with shared concerns.

The first priority after detection is to contain the incident to limit the scope of the damage and prevent it from spreading to other systems.

SAST analyzes an application’s source code, byte code, or binary code for security vulnerabilities without executing the program.

NAT, particularly Port Address Translation (PAT), allows multiple devices on a private network using RFC 1918 addresses to share a single public IP address, conserving the limited IPv4 address space.

An IPS is placed in-line (like a security guard at a gate) and can actively analyze and block malicious traffic before it reaches its target.

Due diligence is the follow-up action to due care, involving the continuous monitoring, auditing, and review of security controls to ensure they are working as intended.

Diffie-Hellman is a key exchange protocol that allows two parties who have no prior knowledge of each other to jointly establish a shared secret key over an insecure network.

A hot site is a duplicate of the primary site, ready to take over with minimal downtime. It is the most expensive option but provides the fastest RTO.

Black-box (or zero knowledge) testing simulates an external attacker who has no internal knowledge of the target system.

Also known as a structured walk-through, this discussion-based test allows participants to review and discuss the plan in a low-stress, no-impact environment.

To ensure confidentiality, the message is encrypted with the recipient’s public key, so that only the recipient, who possesses the corresponding private key, can decrypt it.

This strategy involves making a conscious, informed decision to not take action against a risk and to accept the potential consequences.

A DMZ acts as a buffer network that hosts services accessible from the internet (like web servers) while protecting the secure internal network from direct external access.

XSS attacks involve injecting malicious scripts into trusted websites, which are then executed in the victim’s browser.

Integrity is the property of safeguarding the accuracy and completeness of assets, ensuring data is trustworthy and has not been improperly modified.

This principle prevents a single individual from having the ability to execute a critical function from start to finish, thereby reducing the risk of fraud or error.

The BIA identifies the organization’s most critical functions and determines the impact of a disruption, leading to the definition of metrics like RTO and RPO for each function.

After the immediate threat is removed (eradication), this phase focuses on both restoring services (recovery) and taking steps to fortify defenses to prevent a repeat incident.

This principle aims to limit the potential damage from a compromised account or malicious insider by ensuring no user has more access than is strictly required.

A mantrap is a physical access control system with two interlocking doors designed to allow only one person to pass through at a time, preventing piggybacking.

This is the definition of a transitive trust, where trust is extended through an intermediary domain. It is a common model in Microsoft Active Directory forests.

System hardening is the general term for the process of reducing a system’s attack surface by eliminating potential attack vectors.

While the policy might require encryption for sensitive data, the specific choice of algorithm (e.g., AES-256) is a technical detail more appropriate for a security standard or baseline, not the high-level retention policy.

The backout plan, or rollback plan, is a crucial contingency measure to restore system stability and availability if the implemented change causes unexpected issues.

STRIDE is a mnemonic for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, used to systematically identify and categorize threats.

This is a classic example of a phishing attack, which uses social engineering through email to trick victims into revealing sensitive information.

This is the classic definition of a SYN flood, a denial-of-service attack that exploits the TCP three-way handshake process.

After a user’s identity is authenticated, authorization is the process that determines what they are allowed to do, such as read, write, or execute a file.

A worm is a standalone piece of malware that is designed to replicate itself and spread to other systems on a network, often by exploiting software vulnerabilities.

Mandatory vacations are a detective control. If an employee has been engaged in ongoing fraud, their absence makes it more likely that anomalies will be discovered by others or during an audit.

This is the recommended best practice. It ensures that the system is completely clean and that data is restored to a state before the infection occurred.

A stateful firewall tracks the state of network connections (e.g., TCP streams) and allows return traffic from an established connection without needing a specific inbound rule.

A CA acts as a trusted third party that verifies the identity of a subject (e.g., a person or a server) and then digitally signs a certificate that contains the subject’s public key.

When a host needs to send a packet to another host on the same local network, it uses ARP to broadcast a request for the MAC address corresponding to the destination IP address.

By adding a unique, random salt to each password before hashing, the resulting hashes will be unique, even for identical passwords. This defeats rainbow table attacks.

The mixture of personal and corporate data on a device not owned by the company creates significant challenges for data protection, patching, and malware prevention.