ISC SSCP System Security Certified Practitioner (SSCP) Exam Dumps and Practice Test Questions Set 8 141-160


QUESTION 141

Which principle requires that no single individual should have complete control over all phases of a critical transaction or process, in order to reduce fraud and errors?

A) Least Privilege
B) Separation of Duties
C) Need to Know
D) Job Rotation

Answer:

B

Explanation:

Separation of duties is the correct answer because it ensures that critical tasks are divided among multiple individuals so that no single person can execute an entire process unilaterally. This principle greatly reduces the risk of fraud, abuse of privileges, and undetected errors. SSCP candidates must understand separation of duties because it is a foundational control in both cybersecurity and operational risk management, used widely in financial systems, administrative processes, and security operations.

The core idea is simple: if one person can initiate, approve, and complete a critical action, they also have the opportunity to commit fraud or hide mistakes without oversight. By splitting responsibilities, organizations introduce checks and balances. For example, in financial operations, one employee may initiate a payment, another may approve it, and a third may reconcile accounts. Any attempt to manipulate funds becomes much harder because it would require collusion between multiple parties.

Separation of duties applies not only to business processes but also to technical security functions. For instance, the person who develops code should not be the same person who approves its deployment to production. The individual managing security logs should not be the one administering user accounts. Likewise, the person responsible for backup creation should not be the only person allowed to restore backups, as this could enable data tampering or cover-ups.

Comparing separation of duties with the incorrect answer choices clarifies its uniqueness. Least privilege limits the level of access a user has but does not necessarily require multiple people to complete a process. Need to know restricts access to information only to those who require it for their job, but again, it does not mandate shared control over process phases. Job rotation involves periodically moving personnel between roles to reduce long-term opportunities for fraud and to improve cross-training, but it does not directly enforce shared responsibility for specific actions.

Separation of duties is also a regulatory requirement in many frameworks such as SOX, PCI DSS, and banking regulations. Auditors frequently examine whether organizations have separated responsibilities for critical processes like financial approvals, system administration, and security monitoring. Failure to apply this principle can result in significant fines, reputational damage, and increased exposure to insider threats.

Technically, separation of duties can be enforced through access controls, workflow systems, and approval processes. For example, an identity management system may require managerial and security administrator approval before granting high-level access. A change management system may require separate individuals for request, approval, implementation, and review.
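The following is an added example, not code from the original page: a small change-management workflow in Python in which each of the four stages (request, approve, implement, review) must be performed by a different principal, and the approval and review stages additionally require a specific role. The principal names, roles, and change identifiers are constructed for illustration.

```python
"""Enforcing separation of duties in a change-management workflow.

Added example (not from the original page): every stage of a change must be
performed by a different principal, and the approval and review stages also
require a specific role. Names, roles and change IDs are constructed.
"""
from dataclasses import dataclass, field

STAGES = ("request", "approve", "implement", "review")

# Constructed role directory: which roles each principal holds.
ROLES = {
    "alice": {"developer"},
    "bob": {"change-approver"},
    "carol": {"sysadmin"},
    "dave": {"auditor"},
}

# Hypothetical policy: stages that are gated on a particular role.
REQUIRED_ROLE = {"approve": "change-approver", "review": "auditor"}


class SoDViolation(Exception):
    """Raised when one principal would control more than one stage."""


@dataclass
class ChangeRequest:
    change_id: str
    performed_by: dict = field(default_factory=dict)  # stage -> principal

    def perform(self, stage: str, principal: str) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        idx = STAGES.index(stage)
        # Stages happen in order: the previous stage must already be done.
        if idx > 0 and STAGES[idx - 1] not in self.performed_by:
            raise ValueError(f"stage {STAGES[idx - 1]!r} must precede {stage!r}")
        if stage in self.performed_by:
            raise ValueError(f"stage {stage!r} already completed")
        # The separation-of-duties check: no principal may hold two stages
        # of the same change, whatever roles they have.
        if principal in self.performed_by.values():
            held = [s for s, p in self.performed_by.items() if p == principal]
            raise SoDViolation(
                f"{principal} already performed {held} on {self.change_id}; "
                f"cannot also {stage}")
        # Role check for the gated stages.
        needed = REQUIRED_ROLE.get(stage)
        if needed and needed not in ROLES.get(principal, set()):
            raise PermissionError(f"{principal} lacks role {needed!r} for {stage}")
        self.performed_by[stage] = principal

    def is_complete(self) -> bool:
        return all(s in self.performed_by for s in STAGES)


def run_compliant_change() -> ChangeRequest:
    """Four distinct people take the four stages: the change completes."""
    cr = ChangeRequest("CHG-0001")
    cr.perform("request", "alice")
    cr.perform("approve", "bob")
    cr.perform("implement", "carol")
    cr.perform("review", "dave")
    return cr


def attempt_self_approval() -> str:
    """One person requests and then tries to approve: blocked by SoD."""
    cr = ChangeRequest("CHG-0002")
    cr.perform("request", "bob")  # bob holds the approver role, but also requested
    try:
        cr.perform("approve", "bob")
    except SoDViolation as exc:
        return f"blocked: {exc}"
    return "allowed"


if __name__ == "__main__":
    print(run_compliant_change().performed_by)
    print(attempt_self_approval())
```

The point of the second function is that holding the right role is not enough: bob is a legitimate approver, but because he also raised the request, the workflow refuses to let him approve it, which is exactly the collusion requirement the explanation describes.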

While separation of duties improves security, it must be balanced against operational efficiency. In small organizations, it may not be feasible to have many people involved in every process. In such cases, compensating controls such as increased monitoring, approvals from senior leadership, or periodic audits may be used.

Because separation of duties specifically ensures that no single individual can complete all steps of a high-risk process, thereby reducing fraud and mistakes, answer B is correct.

QUESTION 142

Which type of malicious software is specifically designed to secretly track user activities, capture keystrokes, or monitor browsing behavior to steal sensitive information?

A) Spyware
B) Worm
C) Logic Bomb
D) Rootkit

Answer:

A

Explanation:

Spyware is the correct answer because it is designed to covertly monitor user behavior, capture data, and transmit that information to an attacker or third party without the user’s informed consent. SSCP candidates must understand spyware because it is commonly used to steal credentials, track browsing habits, harvest financial information, and enable identity theft. Spyware typically operates silently in the background, making it difficult for users to notice that they are being monitored.

Spyware can be installed through deceptive downloads, malicious email attachments, bundled software installers, exploit kits, or drive-by downloads on compromised websites. Once installed, spyware may log keystrokes, capture screenshots, monitor clipboard content, track websites visited, and collect form data such as usernames, passwords, and credit card numbers. Some spyware components may also alter browser settings, redirect web traffic, or inject advertisements, but the primary goal remains surveillance and data theft.

Comparing spyware with the incorrect options highlights its unique purpose. Worms self-replicate and spread across networks by exploiting vulnerabilities, focusing on propagation rather than stealthy surveillance. Logic bombs are malicious code fragments embedded in software that trigger under certain conditions, such as a specific date; they are not designed for long-term monitoring. Rootkits hide malicious activity and maintain stealthy privileged access; they are often used alongside other malware, but they are not primarily focused on spying, although they may help conceal spyware.

Spyware poses serious risks to both individuals and organizations. On personal devices, spyware can lead to financial fraud, unauthorized access to social media, and compromise of personal email accounts. In corporate environments, spyware may capture VPN credentials, access internal systems, and exfiltrate sensitive intellectual property or customer data. This can lead to regulatory violations, reputational damage, and severe financial losses.

Defending against spyware requires a combination of technical controls and user awareness. Anti-malware software with behavior-based detection can identify unusual activity such as keylogging or attempts to transmit sensitive data. Endpoint protection tools and EDR platforms can detect patterns consistent with spyware, such as persistent unauthorized connections. Patch management, secure browsing practices, and least privilege also play critical roles in reducing the risk of spyware installation.

User education is equally important. Many spyware infections begin with users downloading untrusted software, clicking malicious links, or ignoring browser warnings. Training users to verify software sources, avoid pirated products, and be cautious with email attachments can significantly reduce infection rates.

Because spyware is specifically designed to monitor user activities and steal information through covert surveillance, and because no other option fits that definition as precisely, answer A is correct.

QUESTION 143

Which security process ensures that only authorized individuals receive access privileges, that changes in roles are reflected in access updates, and that access is removed promptly when users leave the organization?

A) Change Management
B) Identity Proofing
C) Account Provisioning and Deprovisioning
D) Cryptographic Key Rotation

Answer:

C

Explanation:

Account provisioning and deprovisioning is the correct answer because it refers to the lifecycle processes by which user accounts and their associated access rights are created, modified, and removed. SSCP candidates must understand this process because improper account management is a leading cause of unauthorized access, privilege abuse, and data breaches. A secure identity and access management (IAM) program must tightly control how accounts are added, updated, and retired.

Provisioning involves creating user accounts when individuals join the organization or assume new roles. This process includes assigning appropriate roles, group memberships, and permissions consistent with the principle of least privilege. For example, when an employee joins the finance department, provisioning should create a unique account with access only to systems and data needed for their job.

As users change roles, are promoted, or move to different departments, their access needs change. The account management process must update permissions accordingly. Failure to adjust access can lead to privilege creep, where users accumulate more rights over time than they should have, increasing the risk of accidental misuse or malicious exploitation.

Deprovisioning occurs when users leave the organization, end a contract, or no longer require access to certain systems. This step is critical. Dormant accounts are prime targets for attackers. If a former employee’s account remains active, it can be exploited without immediate detection. Timely deactivation, revocation of credentials, and removal of access tokens are essential to maintaining a secure environment.

Comparing this process with the incorrect options clarifies its distinct role. Change management manages modifications to systems and infrastructure, not specifically user accounts. Identity proofing verifies a user’s identity before account creation but does not govern their ongoing access lifecycle. Cryptographic key rotation focuses on changing encryption keys, not user account access.

Effective provisioning and deprovisioning require integration between HR systems and IAM platforms. When HR marks an employee as terminated, the IAM system should automatically trigger account deactivation workflows. Periodic access reviews and recertification processes ensure that provisioned rights remain appropriate over time.

Provisioning should enforce unique user IDs to support accountability and auditability. Shared accounts undermine accountability and make incident investigation difficult. Deprovisioning must include revoking physical access badges, VPN credentials, and third-party system access, not just disabling primary directory accounts.
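The reconciliation check below is an added example, not code from the original page: it compares a constructed HR export against a constructed directory export and flags the three deprovisioning failures the explanation warns about (a terminated employee whose account is still enabled, an enabled account with no HR record at all, and an active account that has gone dormant). The 90-day dormancy threshold is an assumed policy value.

```python
"""Reconciling an HR roster against directory accounts.

Added example (not from the original page): the periodic check an IAM team
runs to catch deprovisioning failures. Both data sets are constructed; the
90-day dormancy threshold is an assumed policy value.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)

# Constructed HR export: user id -> (status, termination date or None)
HR_ROSTER = {
    "u1001": ("active", None),
    "u1002": ("terminated", date(2024, 3, 15)),
    "u1003": ("active", None),
    "u1004": ("terminated", date(2024, 5, 1)),
}

# Constructed directory export: user id -> (enabled, last logon date or None)
DIRECTORY = {
    "u1001": (True, date(2024, 6, 10)),
    "u1002": (True, date(2024, 3, 20)),   # terminated but still enabled
    "u1003": (True, date(2024, 1, 5)),    # active employee, account dormant
    "u1004": (False, date(2024, 4, 30)),  # correctly disabled
    "svc-legacy": (True, None),           # no HR record at all (orphan)
}


def reconcile(hr, directory, today):
    """Return a sorted list of (user_id, finding) pairs."""
    findings = []
    for uid, (enabled, last_logon) in directory.items():
        if uid not in hr:
            # Nobody in HR owns this account; an enabled orphan is a finding.
            if enabled:
                findings.append((uid, "orphan: enabled account with no HR record"))
            continue
        status, term_date = hr[uid]
        if status == "terminated" and enabled:
            days = (today - term_date).days
            findings.append((uid, f"terminated {days} days ago but still enabled"))
        elif enabled and (last_logon is None or today - last_logon > DORMANT_AFTER):
            findings.append((uid, "dormant: no logon within 90 days"))
    return sorted(findings)


def example_findings():
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(HR_ROSTER, DIRECTORY, date(2024, 6, 12))


if __name__ == "__main__":
    for uid, why in example_findings():
        print(uid, "-", why)
```

In practice the HR export is the source of truth and the directory is what must be brought into line with it; the disabled account u1004 produces no finding because deprovisioning worked, while u1002 shows the gap that an automated HR-to-IAM trigger is meant to close.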

Regulatory frameworks such as PCI DSS, HIPAA, and SOX emphasize strong access control and account lifecycle management. Auditors frequently review provisioning and deprovisioning practices to ensure that organizations minimize the risk of unauthorized access.

Because account provisioning and deprovisioning specifically manage who gets access, how it changes, and when it is removed, answer C is correct.

QUESTION 144

Which network security concept uses multiple layers of controls—such as firewalls, IDS/IPS, endpoint protection, and access controls—to provide redundant protection in case one control fails?

A) Single Point of Defense
B) Defense in Depth
C) Security Through Obscurity
D) Flat Network Design

Answer:

B

Explanation:

Defense in depth is the correct answer because it implements multiple, overlapping layers of security controls to protect systems, networks, and data. SSCP candidates must understand defense in depth because no single control is perfect; vulnerabilities, misconfigurations, or zero-day exploits can bypass individual defenses. Applying multiple layers ensures that if one layer fails, others still stand between the attacker and critical assets.

A typical defense-in-depth strategy might combine perimeter firewalls, internal firewalls, intrusion detection and prevention systems, endpoint protection software, strong authentication mechanisms, network segmentation, encryption, and security monitoring. Each layer addresses different attack vectors. For example, firewalls restrict network access, IPS detects and blocks known attack patterns, endpoint protection combats malware, and security monitoring identifies suspicious behavior through logs and analytics.

By using layered defenses, organizations increase the cost, complexity, and effort required for a successful attack. An attacker who evades a firewall still must bypass internal segmentation, host-based controls, application security mechanisms, and monitoring. This architecture gives defenders more time to detect and respond.

Comparing defense in depth with the incorrect options clarifies its unique value. A single point of defense is a dangerous concept in security, as it creates a single point of failure. Security through obscurity relies on hiding system details instead of implementing robust controls. Flat network design eliminates segmentation, making lateral movement for attackers easier.

Defense in depth also applies beyond technical controls. It includes policies, awareness training, physical security, incident response procedures, and governance. For example, user training helps prevent phishing attacks, while technical controls filter malicious emails.

Regulatory frameworks and best practice guidelines consistently recommend defense-in-depth strategies. NIST, ISO 27001, and other standards stress that multiple safeguards are necessary to address diverse threats.

Because defense in depth explicitly describes employing multiple layers of security so that one control’s failure does not expose the organization entirely, answer B is correct.

QUESTION 145

Which security principle requires that users and processes be given only the minimum level of access necessary to perform their job functions, and no more?

A) Need to Know
B) Least Privilege
C) Ownership Control
D) Aggregate Privilege

Answer:

B

Explanation:

Least privilege is the correct answer because it dictates that users, applications, and processes should only have the minimum permissions required to perform their tasks. SSCP candidates must fully understand least privilege because it is a cornerstone of secure access control. Applying this principle reduces the potential damage from accidents, errors, and malicious actions.

Under least privilege, no account should have broader access than necessary. For example, a help desk technician might need permission to reset user passwords but should not have full administrative rights to domain controllers. A web application should have database permissions only to read and write necessary tables, not to drop entire databases. System services should not run under full administrator accounts when more limited service accounts will suffice.

The principle applies to both human users and machine identities. It also extends to network-level permissions, such as firewall rules that allow only required ports and IP addresses.

Comparing least privilege with the other options clarifies why it is correct. Need to know focuses specifically on access to information based on job requirements but is primarily about data confidentiality. Ownership control describes models where resource owners define permissions. Aggregate privilege would imply accumulating broad rights, which is the opposite of least privilege.

Implementing least privilege involves careful role design, access reviews, separation of administrative accounts from normal user accounts, and use of just-in-time access elevation when needed. Privileged access management tools can broker administrative access, grant temporary rights, and record privileged sessions for accountability.

By restricting privileges, organizations reduce the impact of malware or compromised accounts. If an account is compromised but has limited rights, the attacker’s ability to cause harm is also limited.

Because least privilege specifically ensures that access does not exceed job requirements, answer B is correct.

QUESTION 146

Which type of control is designed to discourage security violations by increasing the perceived risk or consequences of performing malicious actions, such as warning banners or visible cameras?

A) Preventive Control
B) Detective Control
C) Deterrent Control
D) Corrective Control

Answer:

C

Explanation:

Deterrent control is the correct answer because it aims to discourage individuals from attempting malicious or unauthorized actions by creating a perception of increased risk, visibility, or consequences. SSCP candidates must understand deterrent controls because they complement technical and procedural measures, influencing human behavior and reducing the likelihood of security incidents.

Deterrent controls include warning banners on login screens, prominently displayed security policies, visible surveillance cameras, uniformed security guards, and signs indicating monitoring or prosecution. These measures do not directly prevent or detect specific actions, but they psychologically influence potential offenders by reminding them that misconduct will likely be noticed and punished.

Comparing deterrent controls with other control types highlights the distinction. Preventive controls directly block unwanted actions, such as firewalls or locked doors. Detective controls, like intrusion detection systems and audit logs, identify violations after they occur. Corrective controls restore systems after an incident, such as backups or reconfiguration. Deterrent controls operate before incidents by modifying behavior.

Effective deterrent controls can be particularly powerful in environments with many users, such as corporate offices, shared workspaces, or public networks. Even simple login banners stating that activity may be monitored and prosecuted can dissuade some users from misusing systems. Visible cameras can reduce theft and physical tampering, even if they are not actively monitored.

Deterrence is also important in insider threat programs. Employees who know that access is logged, unusual activity is monitored, and violations are enforced are less likely to abuse privileges. This reduces both intentional misconduct and negligent behavior.

Because deterrent controls are specifically intended to discourage or dissuade violations by increasing perceived consequences and visibility, answer C is correct.

QUESTION 147

Which cryptographic service ensures that a sender cannot later deny having sent a message, typically by using digital signatures tied to their private key?

A) Confidentiality
B) Integrity
C) Non-Repudiation
D) Obfuscation

Answer:

C

Explanation:

Non-repudiation is the correct answer because it provides assurance that a specific party performed an action—such as sending a message or approving a transaction—and prevents them from later denying it. SSCP candidates must understand non-repudiation because it is critical for accountability, legal compliance, and trust in digital communications.

Non-repudiation is usually implemented through digital signatures. When a sender signs a message using their private key, and the recipient verifies the signature with the sender’s public key, it provides strong evidence that the message originated from the holder of that private key and has not been altered. The use of public key infrastructure (PKI), certificate authorities, and secure key management is essential to this process.

Confidentiality focuses on keeping data secret from unauthorized parties. Integrity ensures that data has not been altered. Obfuscation hides the form or meaning of data but does not guarantee origin or authenticity. Only non-repudiation addresses the issue of preventing a sender from denying an action.

Non-repudiation is especially important in financial systems, legal agreements, electronic contracts, and audit trails. Digital signature laws in many countries recognize properly implemented electronic signatures as legally binding.

Because non-repudiation specifically ensures that actions cannot be credibly denied, and digital signatures provide this service, answer C is correct.

QUESTION 148

Which type of malicious software modifies the operating system or kernel to hide its presence and the presence of other malware from detection tools?

A) Virus
B) Worm
C) Rootkit
D) Adware

Answer:

C

Explanation:

A rootkit is the correct answer because it is specifically designed to hide malicious activities by modifying the operating system, kernel, or low-level components so that security tools cannot detect the presence of malware. SSCP candidates must understand rootkits because they are used to maintain stealthy, persistent access to compromised systems.

Rootkits can hook into system calls, alter kernel modules, replace system binaries, and manipulate process listings. As a result, infected files, processes, registry entries, or network connections may not appear in normal tools like task managers or file explorers. Rootkits often accompany other malware such as Trojans or keyloggers, providing a stealth layer that allows them to operate undetected for long periods.

Viruses and worms focus on replication and spreading; they do not inherently hide themselves at the kernel level. Adware displays unwanted advertisements and may track behavior but is more visible and less sophisticated.

Detecting rootkits is challenging. It often requires specialized tools, offline scanning, or comparison between known-good system states and current states. In many cases, the safest remediation is to rebuild the system from trusted media.

Because rootkits are uniquely designed to hide malware by altering low-level system components, answer C is correct.

QUESTION 149

Which wireless attack involves sending repeated deauthentication frames to disconnect a victim from a legitimate access point, often as a precursor to capturing credentials or forcing connection to a rogue AP?

A) Jamming Attack
B) Evil Twin Attack
C) Deauthentication Attack
D) Bluejacking

Answer:

C

Explanation:

A deauthentication attack is the correct answer because it exploits the 802.11 management frames used to disconnect clients from access points. Attackers send forged deauthentication frames to the victim’s device, causing it to disconnect from the legitimate network. SSCP candidates must understand this attack because it is commonly used to disrupt wireless connectivity, capture handshakes for password cracking, or force users to connect to rogue access points.

Deauthentication frames are typically unauthenticated in older Wi-Fi standards, making it easy for attackers to spoof them. By repeatedly sending these frames, the attacker can prevent a client from maintaining a stable connection. Once disconnected, the client may attempt to reconnect, during which the attacker can capture the WPA/WPA2 handshake. This handshake can then be used in offline dictionary or brute-force attacks to recover the pre-shared key.

In more advanced scenarios, attackers combine deauthentication attacks with evil twin attacks. By disconnecting users from the legitimate AP and simultaneously broadcasting a stronger rogue AP with the same SSID, attackers can trick users into connecting to the malicious AP instead. This allows interception, manipulation, or redirection of traffic.

Comparing this attack with the incorrect options clarifies why it is distinct. A jamming attack floods the RF spectrum with noise to disrupt communications but does not rely on protocol-specific frames. An evil twin attack sets up a rogue AP to impersonate a legitimate network but does not necessarily involve deauthentication frames. Bluejacking involves sending unsolicited messages over Bluetooth, not Wi-Fi.

Modern standards like WPA3 and management frame protection can mitigate deauthentication attacks by authenticating management frames. However, many deployed networks still lack these protections, making them vulnerable.

Because deauthentication attacks specifically use forged deauth frames to repeatedly disconnect clients, answer C is correct.

QUESTION 150

Which security practice involves regularly reviewing user accounts and access rights to ensure they remain appropriate and revoking any unnecessary privileges?

A) Access Recertification
B) Incident Containment
C) Business Impact Analysis
D) Risk Avoidance

Answer:

A

Explanation:

Access recertification is the correct answer because it refers to the periodic review and revalidation of user accounts and their associated permissions. SSCP candidates must understand this practice because access rights tend to drift over time as employees change roles, receive temporary access, or switch projects. Without regular review, privilege creep occurs, increasing the risk of unauthorized access and compliance violations.

During access recertification, managers and system owners evaluate whether each user still requires the access they have. They confirm that rights are aligned with current job responsibilities and least privilege principles. Unnecessary accounts, such as those belonging to former employees or contractors, are identified and disabled. Excess permissions are revoked. This process is often supported by identity governance tools that generate reports and track approvals.

Comparing access recertification with the incorrect options clarifies its specific role. Incident containment deals with limiting damage during active security incidents. Business impact analysis evaluates the potential consequences of disruptions to business processes. Risk avoidance means eliminating activities that generate risk. None of these focus directly on periodic access review.

Access recertification is a requirement in many compliance frameworks, including SOX, PCI DSS, HIPAA, and ISO 27001. Auditors frequently request evidence that organizations are reviewing access regularly and that managers attest to the appropriateness of permissions for their staff.

Effective recertification relies on accurate role definitions, clear ownership of systems, and well-documented access policies. Automated identity governance solutions can simplify the process by presenting managers with lists of users and their privileges, along with workflows for approval or revocation.

Because access recertification specifically ensures that access remains appropriate over time and helps prevent privilege creep, answer A is correct.

QUESTION 151

Which term describes the process of identifying potential hazards and analyzing their possible impact on an organization’s operations?

A) Threat Hunting
B) Risk Assessment
C) Configuration Auditing
D) Security Hardening

Answer:

B

Explanation:

Risk assessment is the correct answer because it involves identifying threats, vulnerabilities, and potential impacts to determine the level of risk an organization faces. SSCP candidates must thoroughly understand risk assessment because it is the foundation of most security planning, policy development, control implementation, and resource allocation.

Risk assessment typically begins by identifying assets that need protection. These assets may include data, systems, personnel, facilities, intellectual property, or network infrastructure. Each asset has a value to the organization based on its importance to operations, legal requirements, proprietary nature, or contribution to revenue. Once assets are identified, potential threats must be analyzed. Threats may be natural, such as earthquakes or floods; human, such as attackers or insider threats; or technical, such as system failures or malware.

After identifying threats, vulnerabilities are evaluated. A vulnerability is a weakness that could be exploited by a threat. For example, an unpatched system is vulnerable to malware, and a facility lacking physical security controls is vulnerable to theft. Risk is ultimately measured by considering the likelihood of a threat exploiting a vulnerability and the potential impact of that event.

Comparing risk assessment to the incorrect answer choices highlights its relevance. Threat hunting is a proactive operational activity where analysts search for signs of compromise; it does not analyze strategic risks or evaluate potential impacts. Configuration auditing checks system configurations to verify compliance but does not examine threats and impacts. Security hardening strengthens systems and reduces attack surfaces but does not evaluate risk in a holistic manner.

A complete risk assessment may use qualitative or quantitative methods. Qualitative assessments categorize risks using labels like high, medium, or low. Quantitative assessments assign numerical values to likelihood and impact, often expressed in monetary terms. Many organizations use hybrid methods to balance accuracy and practicality.

Risk assessment also feeds into broader processes such as risk management, business continuity planning, and disaster recovery planning. It helps determine which controls should be implemented, where to allocate budgets, and how to prioritize security efforts. Without proper assessment, organizations may under-protect critical assets or overspend on low-impact risks.

Regulatory frameworks such as NIST, ISO 27005, PCI DSS, and HIPAA all require formal risk assessments. Auditors commonly review risk assessment documentation to ensure that organizations understand their threats and have implemented appropriate controls. A failure to conduct thorough risk assessments can leave organizations exposed to avoidable incidents.

Because risk assessment specifically identifies hazards, evaluates vulnerabilities, and analyzes impacts to guide security decisions, answer B is correct.

QUESTION 152

Which backup type stores only the files that have changed since the last full backup, regardless of any intermediate incremental backups?

A) Differential Backup
B) Incremental Backup
C) Mirror Backup
D) Image Backup

Answer:

A

Explanation:

A differential backup is the correct answer because it captures data that has changed since the most recent full backup, not since the last incremental backup. SSCP candidates must clearly understand the distinctions between backup types because they impact recovery time, storage requirements, and backup strategies.

Differential backups work by continually referencing the last full backup as their baseline. Each new differential backup includes all changes since that full backup. Over time, differential backups grow larger because they accumulate more changes each day until the next full backup is performed. For example, if a full backup is taken on Sunday, a differential backup on Monday includes Monday’s changes; on Tuesday, it includes both Monday and Tuesday’s changes; and so on.

Comparing differential backups with incremental backups clarifies their differences. Incremental backups store only data changed since the last backup of any type—either full or incremental. Incremental backups are typically smaller and faster to create because they include only new changes each time. However, restoring from incremental backups requires multiple backup sets: the last full backup and every incremental backup up to the point of recovery. Differential backups, by contrast, require only the latest full backup plus the most recent differential backup to restore data.

Choosing between differential and incremental strategies depends on organizational needs. Differential backups allow faster restore times, making them ideal for systems where recovery speed is critical. Incremental backups conserve storage and reduce backup time, making them suitable for large datasets or frequent backups.
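The simulation below is an added example, not code from the original page: it plays the Sunday-full-backup week described above against a constructed log of daily file changes, builds both a differential and an incremental backup plan, and shows the two properties the explanation states (differential sets grow through the week while incremental sets stay small, and a differential restore reads only two sets while an incremental restore reads every set since the full backup). File names and the change schedule are constructed.

```python
"""Differential vs incremental backups: set sizes and restore chains.

Added example (not from the original page). A file's version is modelled
as "name@day-of-last-change"; restoring either way must yield the same
versions, which is the check at the end.
"""
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri"]

# Constructed change log: which files were modified on each day.
# Sunday's entry is the full backup of every file on the system.
CHANGES = {
    "Sun": {"a.txt", "b.txt", "c.txt", "d.txt", "e.txt"},  # all files
    "Mon": {"a.txt"},
    "Tue": {"b.txt", "c.txt"},
    "Wed": {"a.txt"},            # a.txt changed again
    "Thu": {"d.txt"},
    "Fri": {"e.txt", "b.txt"},
}


def plan(strategy):
    """Return {day: {file: version}} for each day's backup set."""
    current = {f: f"{f}@Sun" for f in CHANGES["Sun"]}
    sets = {"Sun": dict(current)}          # the full backup
    since_full = set()
    for day in DAYS[1:]:
        for f in CHANGES[day]:
            current[f] = f"{f}@{day}"      # the file's new version
        if strategy == "differential":
            since_full |= CHANGES[day]     # everything changed since Sunday
            sets[day] = {f: current[f] for f in since_full}
        elif strategy == "incremental":
            sets[day] = {f: current[f] for f in CHANGES[day]}  # since last set
        else:
            raise ValueError(strategy)
    return sets


def set_sizes(strategy):
    """Number of files each day's backup set contains."""
    return {day: len(files) for day, files in plan(strategy).items()}


def restore_chain(strategy, target_day):
    """Which backup sets must be read to restore the state as of target_day."""
    if target_day == "Sun":
        return ["Sun"]
    if strategy == "differential":
        return ["Sun", target_day]                  # full + latest differential
    return DAYS[: DAYS.index(target_day) + 1]       # full + every incremental


def restore(strategy, target_day):
    """Apply the chain in order; later sets overwrite earlier versions."""
    sets = plan(strategy)
    state = {}
    for day in restore_chain(strategy, target_day):
        state.update(sets[day])
    return state


if __name__ == "__main__":
    for s in ("differential", "incremental"):
        print(s, "set sizes:", set_sizes(s), "Fri chain:", restore_chain(s, "Fri"))
    print("same result:", restore("differential", "Fri") == restore("incremental", "Fri"))
```

The restore-chain length is also the failure surface: if any one set in an incremental chain is missing or corrupt, every later day is unrecoverable, whereas a differential restore depends on exactly two sets.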

Mirror backups create real-time replicas but provide no historical versions. Image backups store entire system snapshots, including OS and configuration data, but do not follow the changed-since-full model.

Differential backups are widely used in enterprise environments, often in combination with weekly full backups. This hybrid approach balances performance, storage efficiency, and restoration speed. Backup software and disaster recovery solutions frequently support differential backups due to their reliability and ease of recovery.

Because differential backups specifically store all changes since the last full backup, making them distinct from incremental, answer A is correct.

QUESTION 153

Which wireless security protocol introduced the use of Temporal Key Integrity Protocol (TKIP) as an improvement over WEP to address its weaknesses?

A) WPA
B) WPA2
C) WPA3
D) WPS

Answer:

A

Explanation:

WPA, or Wi-Fi Protected Access, is the correct answer because it was introduced as an interim improvement over WEP and used the Temporal Key Integrity Protocol (TKIP) to strengthen wireless encryption. SSCP candidates must understand WPA because it represents an important evolution in wireless security, bridging the gap between the fundamentally insecure WEP and the more robust WPA2 and WPA3 standards.

WEP suffered from severe cryptographic weaknesses: it used RC4 with a short 24-bit initialization vector that repeated on busy networks, and weaknesses in RC4's key scheduling let attackers recover the key from captured traffic with freely available tools. To address these issues quickly, before the full 802.11i standard could be finalized, the Wi-Fi Alliance created WPA as a stopgap that could run on existing WEP hardware. WPA's major enhancement was TKIP, which kept RC4 but derived a fresh per-packet key from a 48-bit sequence counter and added the Michael message integrity check, making the statistical attacks that broke WEP impractical.

Comparing WPA with WPA2 and WPA3 clarifies why WPA is the correct answer. WPA2 replaced TKIP with AES-based CCMP, providing stronger, more modern encryption. WPA3 introduced even more advanced protections, including individualized data encryption and resistance to offline dictionary attacks. Neither WPA2 nor WPA3 uses TKIP as a primary encryption method. WPS, meanwhile, is a configuration protocol that uses PIN-based pairing and does not relate to TKIP or WEP improvements.

While WPA was a significant advancement over WEP, it is now considered obsolete. TKIP is vulnerable to modern attacks and no longer meets current security standards. However, understanding WPA’s history is important for SSCP candidates because legacy networks may still use WPA or TKIP-based encryption, exposing them to avoidable risks.

Modern best practices require disabling WPA and TKIP entirely, enforcing WPA2 or WPA3 with AES encryption. Organizations using older hardware that supports only WPA/TKIP should upgrade as soon as possible.

Because WPA specifically introduced TKIP as a replacement for WEP’s weak encryption practices, answer A is correct.
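The following Python script is an added example, not part of the original question, showing the weak setting beside the corrected one and a check that flags it. It audits hostapd.conf-style fragments for WPA (version 1) and TKIP. The two configuration fragments are constructed; the option names wpa, wpa_key_mgmt, wpa_pairwise and rsn_pairwise are hostapd's real options, and the script assumes hostapd's documented behaviour of falling back to wpa_pairwise when rsn_pairwise is unset.

```python
"""Added example: audit hostapd.conf fragments for WPA (version 1) and TKIP.
The two fragments below are constructed; option names are hostapd's own."""

# Weak: WPA version 1 with TKIP, the configuration the question describes.
LEGACY_CONF = """\
interface=wlan0
ssid=corp-legacy
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=example-passphrase-change-me
"""

# Corrected: WPA2 (RSN) with CCMP (AES) only.
HARDENED_CONF = """\
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=example-passphrase-change-me
"""


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines; comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_wifi(conf: dict) -> list:
    """Return findings; an empty list means neither WPA1 nor TKIP is offered."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: no WPA/WPA2 at all (open or WEP network)")
    if wpa in ("1", "3"):            # 1 = WPA only, 3 = WPA/WPA2 mixed mode
        findings.append(f"wpa={wpa}: WPA version 1 is enabled; set wpa=2")
    wpa_ciphers = conf.get("wpa_pairwise", "").split()
    # Assumption from the hostapd docs: RSN uses wpa_pairwise when rsn_pairwise is unset.
    rsn_ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split()
    if wpa in ("1", "3") and "TKIP" in wpa_ciphers:
        findings.append("wpa_pairwise offers TKIP; use CCMP only")
    if wpa in ("2", "3") and "TKIP" in rsn_ciphers:
        findings.append("rsn_pairwise offers TKIP; use CCMP only")
    if wpa in ("2", "3") and "CCMP" not in rsn_ciphers:
        findings.append("rsn_pairwise does not offer CCMP")
    return findings


if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_wifi(parse_hostapd(text)) or "OK")
```

Mixed mode (wpa=3) deserves attention in an audit: it is often left on for compatibility, but it keeps WPA1 and usually TKIP reachable for any client that asks, which is exactly what the best-practice paragraph above says to remove.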

QUESTION 154

Which type of physical security control is designed to prevent unauthorized vehicles from accessing restricted areas, often using barriers, bollards, or reinforced gates?

A) Environmental Control
B) Perimeter Control
C) Access Audit
D) Motion Detection

Answer:

B

Explanation:

Perimeter control is the correct answer because it involves physical barriers and security mechanisms that protect the outermost boundary of a facility or site. SSCP candidates must understand perimeter control because it is a foundational element of physical security, preventing unauthorized entry and providing early detection of intrusions. Vehicle barriers, bollards, reinforced gates, and security fences are all components of perimeter control designed to regulate and restrict access to sensitive areas.

Perimeter controls serve multiple purposes. They protect against unauthorized vehicles attempting to breach the facility, whether intentionally or accidentally. They establish clear boundaries between public spaces and secured areas. They also create defined choke points where access can be monitored more effectively, such as guard stations or controlled gates.

Environmental controls manage temperature, humidity, or air quality and do not prevent vehicle entry. Access audits review logs and access records. Motion detection identifies movement but does not physically block vehicles. Only perimeter control directly addresses the need to physically restrict vehicles from entering.

Perimeter security often integrates active and passive mechanisms. Passive mechanisms include structural barriers like bollards, ditches, and reinforced gates that physically prevent entry. Active mechanisms include guards, badge checks, CCTV coverage, and automated gate systems. These layers help deter intruders, detect attempts to breach the perimeter, and delay attackers long enough for security teams to respond.

Perimeter control is especially important in facilities such as data centers, military bases, government buildings, utility plants, and corporate campuses. Vehicles pose unique risks because they can be used for forced entry, to deliver explosives, or to remove equipment without authorization. Vehicle barriers are designed to meet specific crash ratings, ensuring they can withstand high-speed impacts.

Because perimeter control specifically involves physical barriers and mechanisms designed to prevent unauthorized vehicles from crossing into restricted areas, answer B is correct.

QUESTION 155

Which security policy defines how long logs must be retained, how they should be stored, and who is responsible for managing them?

A) Logging Policy
B) Data Classification Policy
C) Acceptable Use Policy
D) Privacy Policy

Answer:

A

Explanation:

A logging policy is the correct answer because it governs how logs are created, stored, retained, protected, and reviewed within an organization. SSCP candidates must understand logging policies because logs are vital for security monitoring, forensic investigations, compliance requirements, and incident response.

A logging policy specifies which systems must generate logs, what types of events must be recorded, and the format of the logs. It defines retention periods based on legal, regulatory, or business needs. For example, certain financial institutions may be required to keep logs for seven years. The policy also outlines storage requirements such as encryption, centralized logging, or integrity protections to ensure logs cannot be tampered with.

Data classification policies categorize data based on sensitivity but do not define log retention. Acceptable use policies govern user behavior on systems. Privacy policies explain how personal data is collected and used but do not manage logging operations.

Logging policies also assign responsibilities. Security teams may oversee log monitoring, system administrators may manage log configuration, and compliance teams may verify retention requirements. The policy may specify access controls to ensure that only authorized individuals can view sensitive logs.

Logs are critical for identifying unauthorized access, unusual activity, malware infections, configuration changes, and failed authentication attempts. Without proper retention and storage practices, organizations may lack the necessary information to investigate incidents or meet compliance obligations such as PCI DSS, HIPAA, and SOX.

Because a logging policy specifically defines how logs are retained, stored, protected, and managed, answer A is correct.

QUESTION 156

Which term describes the process of restoring operations and returning systems to normal after a disruption has occurred?

A) Containment
B) Recovery
C) Identification
D) Eradication

Answer:

B

Explanation:

Recovery is the correct answer because it refers to the process of bringing systems, services, and operations back to normal after an incident or disruption. SSCP candidates must understand recovery because it is a crucial phase of both incident response and disaster recovery planning. Recovery does not merely fix the issue—it ensures that the organization resumes functionality safely and effectively.

Recovery follows earlier response phases such as identification, containment, and eradication. Identification discovers an incident, containment limits damage, and eradication removes the cause of the incident. Recovery then restores systems, verifies their integrity, and ensures they are operational without residual threats. This includes reinstalling systems, restoring data from backups, validating configurations, and ensuring security controls are functioning.

Containment stops the spread of damage but does not restore full operations. Eradication eliminates the threat but does not recover normal service levels. Identification simply detects the problem.

Recovery may involve activating alternate sites, restoring databases, rebuilding servers, or reconfiguring networks. The success of recovery depends heavily on planning, including backup strategies, disaster recovery sites, and documented procedures.

Because recovery specifically focuses on returning systems to normal operations after disruption, answer B is correct.

QUESTION 157

Which term refers to a legally binding document that defines the responsibilities and obligations between two organizations when sharing data or resources?

A) Memorandum of Understanding
B) Service-Level Agreement
C) Non-Disclosure Agreement
D) Business Partnership Contract

Answer:

A

Explanation:

A memorandum of understanding (MOU) is the correct answer because it outlines the terms, responsibilities, and expectations between two organizations engaged in cooperation or resource sharing. SSCP candidates must understand MOUs because they often appear in inter-organizational security arrangements, data sharing agreements, and joint operations.

An MOU is less formal than a contract but more formal than a verbal agreement. It clarifies roles and establishes mutual responsibilities, which is essential when organizations share sensitive data, collaborate on projects, or depend on each other for operational functions.

An SLA, while also binding, focuses specifically on performance expectations such as uptime or service quality, not broader cooperation. An NDA protects confidential information but does not define shared responsibilities. A business partnership contract creates legal business relationships beyond just cooperation.

An MOU may specify data protection requirements, incident reporting procedures, resource obligations, confidentiality boundaries, and operational responsibilities. It helps prevent misunderstandings and provides a foundation for accountability.

Because an MOU defines shared responsibilities and obligations in a formal yet flexible manner, answer A is correct.

QUESTION 158

Which concept ensures that data remains accurate, consistent, and unaltered unless modified by authorized individuals or processes?

A) Availability
B) Integrity
C) Confidentiality
D) Resilience

Answer:

B

Explanation:

Integrity is the correct answer because it ensures that data remains accurate, consistent, and trustworthy. SSCP candidates must understand integrity because it is one of the core principles of the CIA triad. Integrity ensures that information has not been altered maliciously or accidentally and that authorized changes can be tracked and validated.

Confidentiality focuses on preventing unauthorized access. Availability ensures data is accessible when needed. Resilience refers to a system’s ability to withstand disruption but does not focus specifically on data accuracy.

Integrity can be enforced through hashing, checksums, digital signatures, version control, access controls, and auditing. When integrity is compromised, data can no longer be trusted, which may lead to operational errors, financial losses, or safety risks.

Because integrity specifically ensures accurate and unaltered data, answer B is correct.
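The hashing and tamper-detection mechanism mentioned above, and the log integrity protection that Question 155's logging policy calls for, can be demonstrated with one added Python example. It is not from the original material: it builds a hash-chained log over constructed sample records, then shows which tampering a plain chain detects (editing a stored record) and which it does not (truncating the newest entries), and how an anchored head hash closes that gap.

```python
"""Added example: a hash-chained log and the checks that detect tampering.
Sample records are constructed."""
import hashlib
import json

GENESIS = "0" * 64          # hash value the first entry chains to


def _canonical(record: dict) -> str:
    # Stable serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain_records(records: list) -> list:
    """Append records to a chain; each entry's hash commits to the previous hash and its body."""
    entries, prev = [], GENESIS
    for rec in records:
        rec = dict(rec)                            # copy so callers can't alias stored data
        digest = hashlib.sha256((prev + _canonical(rec)).encode()).hexdigest()
        entries.append({"prev": prev, "record": rec, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries: list) -> tuple:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = hashlib.sha256((prev + _canonical(entry["record"])).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    return True, None


def head_hash(entries: list) -> str:
    """The latest hash; store it somewhere the log host cannot overwrite (an anchor)."""
    return entries[-1]["hash"] if entries else GENESIS


def verify_against_anchor(entries: list, anchor: str) -> bool:
    """Intact chain whose head still equals the anchored value: also catches truncation."""
    return verify_chain(entries)[0] and head_hash(entries) == anchor


# Constructed authentication events (not real log data).
SAMPLE = [
    {"ts": "2024-05-01T08:00:01Z", "user": "alice", "event": "login_ok"},
    {"ts": "2024-05-01T08:05:12Z", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-01T08:05:40Z", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-01T08:06:02Z", "user": "bob", "event": "login_ok"},
]


def tamper_demo() -> dict:
    """Three cases: chain untouched, a record edited in place, the newest entry deleted."""
    entries = chain_records(SAMPLE)
    anchor = head_hash(entries)                    # e.g. forwarded to a separate log server

    edited = chain_records(SAMPLE)
    edited[1]["record"]["event"] = "login_ok"      # attacker rewrites a stored record

    truncated = entries[:-1]                       # attacker drops the most recent entry
    return {
        "intact": verify_against_anchor(entries, anchor),
        "edited": verify_chain(edited),                                   # broken at entry 1
        "truncated_chain_ok": verify_chain(truncated)[0],                 # internally consistent
        "truncated_anchor_ok": verify_against_anchor(truncated, anchor),  # but head has moved
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The chain alone only proves internal consistency: an attacker with write access to the whole file can edit a record and recompute every later hash, or simply cut the tail off. That is why the anchor matters, and in practice why logs are forwarded to a central collector the originating host cannot modify, which is the "centralized logging" and "integrity protections" the logging policy question describes.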

QUESTION 159

Which type of attack attempts to overwhelm system resources by flooding them with excessive traffic or requests, causing legitimate services to become unavailable?

A) Spoofing Attack
B) Denial-of-Service Attack
C) Replay Attack
D) Phishing Attack

Answer:

B

Explanation:

A denial-of-service (DoS) attack is the correct answer because it aims to exhaust system resources, bandwidth, or processing capacity so that legitimate requests cannot be processed. SSCP candidates must understand DoS attacks because they target availability, one of the pillars of information security.

Spoofing involves impersonation. Replay attacks repeat captured messages. Phishing targets users through deception. Only DoS attacks specifically overwhelm resources.

DoS attacks can target web servers, DNS servers, firewalls, or entire networks. Distributed DoS (DDoS) attacks amplify the impact by using large networks of compromised devices (botnets). Mitigations include rate limiting, load balancing, redundant systems, and traffic filtering.

Because DoS attacks intentionally overload systems to disrupt service availability, answer B is correct.
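Rate limiting, the first mitigation listed above, is shown in the following added Python example (not part of the original question). It implements a per-source token bucket and runs it over constructed traffic in which one client sends one request per second while a flooder sends fifty per second; the addresses and timings are illustrative.

```python
"""Added example: a per-source token-bucket rate limiter run against constructed traffic."""
from collections import defaultdict


class TokenBucket:
    """One bucket per source. Integer milli-tokens and a millisecond clock keep it exact."""

    def __init__(self, capacity: int, rate_per_sec: int):
        self.cap = capacity * 1000          # burst allowance, in milli-tokens
        self.rate = rate_per_sec            # refill: milli-tokens per millisecond
        self.tokens = {}
        self.last = {}

    def allow(self, src: str, now_ms: int) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        last = self.last.get(src, now_ms)
        tokens = self.tokens.get(src, self.cap)
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        self.last[src] = now_ms
        if tokens >= 1000:
            self.tokens[src] = tokens - 1000
            return True
        self.tokens[src] = tokens           # over budget: drop, keep what accrued
        return False


def simulate(requests: list, capacity: int = 5, rate_per_sec: int = 1) -> dict:
    """requests: (timestamp_ms, source) pairs. Returns {source: (allowed, dropped)}."""
    bucket = TokenBucket(capacity, rate_per_sec)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        stats[src][0 if bucket.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed traffic: one client at 1 request/s, one flooder at 50 requests/s for 2 s.
LEGIT = [(t * 1000, "10.0.0.5") for t in range(10)]
FLOOD = [(i * 20, "203.0.113.9") for i in range(100)]

if __name__ == "__main__":
    print(simulate(LEGIT + FLOOD))
```

With a burst of 5 and a refill of 1 token per second, the legitimate client is never throttled while the flooder gets 6 of its 100 requests through. Keying the bucket on the source address is only a first layer: a distributed attack spreads requests across many sources, which is why the paragraph above also lists load balancing, redundancy and upstream traffic filtering.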

QUESTION 160

Which type of monitoring analyzes system activities, network traffic, or logs in real time to detect suspicious behavior or signs of compromise?

A) Preventive Monitoring
B) Real-Time Security Monitoring
C) Static Analysis
D) Passive Documentation

Answer:

B

Explanation:

Real-time security monitoring is the correct answer because it involves actively observing logs, network flows, system behavior, and security events as they occur. SSCP candidates must understand real-time monitoring because it is essential for early detection of intrusions, malware activity, insider threats, and policy violations.

Real-time monitoring is conducted through SIEM systems, intrusion detection systems, endpoint monitoring, and behavioral analytics tools. It allows security teams to identify threats quickly and respond before major damage occurs.

Static analysis examines software without executing it. Preventive monitoring is not a standard term in security. Passive documentation records information but does not analyze activity.

Real-time monitoring supports incident response, threat detection, compliance auditing, and operational visibility. Without it, organizations may overlook early indicators of attacks.

Because real-time security monitoring specifically examines activity as it occurs to identify suspicious behavior, answer B is correct.
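The detection logic such tools run can be shown in miniature. The following added Python example, not part of the original question, processes sshd authentication lines one at a time as they arrive and raises an alert when one source address fails repeatedly inside a sliding window, and a second, higher-priority alert if that source then logs in successfully. The log lines, hostname and addresses are constructed for illustration.

```python
"""Added example: streaming detection over sshd authentication lines.
Log lines, hostnames and addresses are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog-format sshd lines:
#   "Mon dd HH:MM:SS host sshd[pid]: Failed|Accepted password for [invalid user] USER from IP ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
EPOCH = datetime(1900, 1, 1)   # syslog timestamps carry no year; strptime defaults to 1900


def to_seconds(ts: str) -> float:
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - EPOCH).total_seconds()


class BruteForceDetector:
    """Alert when one source fails `threshold` times within `window` seconds,
    and again if that same source then authenticates successfully."""

    def __init__(self, threshold: int = 3, window: int = 60):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.alerted = set()                 # ips already reported as brute-forcing

    def feed(self, line: str):
        """Process one line as it arrives; return an alert tuple or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        now, ip = to_seconds(m["ts"]), m["ip"]
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:   # slide the window forward
            recent.popleft()
        if m["outcome"] == "Failed":
            recent.append(now)
            if len(recent) >= self.threshold and ip not in self.alerted:
                self.alerted.add(ip)
                return ("brute_force", ip, len(recent))
            return None
        if len(recent) >= self.threshold:    # success right after a burst of failures
            return ("success_after_failures", ip, m["user"])
        return None


def run(lines: list) -> list:
    det = BruteForceDetector()
    return [alert for alert in map(det.feed, lines) if alert]


# Constructed sample log lines (not from a real system).
SAMPLE_LINES = [
    "May  1 08:05:12 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "May  1 08:05:15 bastion sshd[2233]: Failed password for root from 203.0.113.9 port 51240 ssh2",
    "May  1 08:05:16 bastion sshd[2240]: Accepted password for alice from 10.0.0.5 port 40110 ssh2",
    "May  1 08:05:19 bastion sshd[2235]: Failed password for root from 203.0.113.9 port 51244 ssh2",
    "May  1 08:05:30 bastion sshd[2250]: Accepted password for root from 203.0.113.9 port 51260 ssh2",
    "May  1 08:09:00 bastion sshd[2301]: Failed password for bob from 10.0.0.7 port 40200 ssh2",
    "May  1 08:11:00 bastion sshd[2305]: Failed password for bob from 10.0.0.7 port 40201 ssh2",
    "May  1 08:13:00 bastion sshd[2309]: Failed password for bob from 10.0.0.7 port 40203 ssh2",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

On the sample, the three failures from 203.0.113.9 within seven seconds raise the brute-force alert, and the root login from the same address eleven seconds later raises the success-after-failures alert, the one an analyst should treat as a probable compromise. Bob's three failures are two minutes apart, so they fall out of the 60-second window and produce nothing, which is the point of a windowed count rather than a lifetime total.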

 
