CERTPREPS - SSCP PRACTICE EXAM 7
QUESTIONS AND ANSWERS
1. During a routine security assessment, you discover that a critical web application is
vulnerable to SQL injection. Which of the following actions would be the most effective
in mitigating this vulnerability?
A. Implementing input validation on the client side.
B. Restricting database access to only trusted IP addresses.
C. Using parameterized queries in the application code.
D. Enabling SSL/TLS for the web application. - Correct Answers -C. Using
parameterized queries in the application code.
The most effective action in mitigating SQL injection vulnerabilities is using
parameterized queries in the application code (C). Parameterized queries separate the
SQL statement from its data, so user input is bound as a value and is never interpreted
as executable SQL, which prevents injection attacks. Input validation on the client side
(A) is not effective because it can be bypassed; server-side validation is required.
Restricting database access to trusted IP addresses (B) does not prevent SQL injection,
as it is an attack on the application layer. Enabling SSL/TLS (D) secures data in transit
but does not mitigate SQL injection, which targets the database directly.
2. During a security impact analysis for a proposed software update, it is identified that
the update may lead to increased network traffic, potentially exposing the network to
denial-of-service (DoS) attacks. What should be the primary focus of the security team
in addressing this issue?
A. The performance improvements expected from the software update.
B. The potential for user dissatisfaction due to network slowdowns.
C. Implementing measures to mitigate the risk of DoS attacks.
D. Reviewing the cost of increased network bandwidth. - Correct Answers -C.
Implementing measures to mitigate the risk of DoS attacks.
Implementing measures to mitigate the risk of DoS attacks (C) should be the primary
focus of the security team. This may involve setting up defenses such as rate limiting,
intrusion detection systems, and redundant pathways to ensure the network remains
resilient to increased traffic. The performance improvements (A) and cost of increased
bandwidth (D) are important but secondary to addressing the security risk. User
dissatisfaction (B) is a consideration, but preventing DoS attacks is more critical.
3. An organization's network is experiencing unexpected traffic surges that impact
performance. The network is segmented by several switches. What is the most effective
way to identify and manage the source of the traffic?
A. Monitor the network traffic using port mirroring on the switches.
B. Increase the bandwidth of the network links.
C. Configure static IP addresses for all devices.
D. Disable unused ports on the switches. - Correct Answers -A. Monitor the network
traffic using port mirroring on the switches.
Monitoring the network traffic using port mirroring on the switches (A) allows the
identification and analysis of traffic patterns to pinpoint the source of the surges.
Increasing bandwidth (B) may alleviate the symptoms but does not address the root
cause. Configuring static IP addresses (C) does not directly help in identifying traffic
sources. Disabling unused ports (D) is a good security practice but does not aid in traffic
analysis.
4. While troubleshooting a network issue, you notice that a device on your network is
unable to establish a TCP connection with a remote server. After verifying the network
configuration and confirming that there are no firewall blocks, you decide to investigate
further by checking the OSI model layers. Which layer would be the most relevant to
check for potential issues related to the establishment of a TCP connection?
A. Network layer
B. Data link layer
C. Transport layer
D. Application layer - Correct Answers -C. Transport layer
The Transport layer (C) is responsible for establishing, maintaining, and terminating
connections, as well as providing error recovery and flow control. TCP operates at this
layer, making it the most relevant for investigating connection establishment issues. The
Network layer (A) deals with routing and forwarding packets, which is not directly related
to connection establishment. The Data link layer (B) handles the physical addressing
and error detection between directly connected nodes. The Application layer (D) is
responsible for providing network services to applications but does not manage
connection establishment.
5. An employee's system is configured with application whitelisting. The employee
needs to run a new software tool for a critical project. What is the best course of action
to enable the employee to use the tool while maintaining security?
A. Disable the application whitelisting permanently.
B. Add the software tool to the whitelist after verifying its legitimacy.
C. Advise the employee to run the tool on an unprotected system.
D. Instruct the employee to use a similar tool that is already whitelisted. - Correct
Answers -B. Add the software tool to the whitelist after verifying its legitimacy.
Adding the software tool to the whitelist after verifying its legitimacy (B) allows the
employee to use the necessary tool while ensuring that only trusted software is run on
the system. Disabling whitelisting (A) permanently compromises security. Advising to
use an unprotected system (C) is not secure and does not solve the problem.
Instructing to use a similar tool (D) might not meet the specific needs of the critical
project.
6. An organization is operating a new software application that requires regular updates.
What is the best practice to ensure the software remains secure and functional?
A. Schedule updates during peak business hours for minimal disruption.
B. Implement automatic updates without user intervention.
C. Perform manual updates only when a major issue is reported.
D. Test updates in a staging environment before applying them to production. - Correct
Answers -D. Test updates in a staging environment before applying them to production.
Testing updates in a staging environment before applying them to production (D) is the
best practice to ensure the software remains secure and functional. It allows for
identification and resolution of any issues that might arise from the updates without
affecting the live environment. Scheduling updates during peak business hours (A) can
disrupt business operations. Implementing automatic updates (B) without user
intervention can be convenient but may introduce issues if not tested beforehand.
Performing manual updates only when major issues are reported (C) can leave the
software vulnerable to security threats and other problems that could have been
prevented.
7. During a routine audit, it is discovered that HIPS on several servers is not logging any
events. The HIPS was configured by a junior administrator. What is the best course of
action to ensure proper HIPS functionality?
A. Reinstall the HIPS software on the affected servers.
B. Review and correct the HIPS configuration to ensure proper logging.
C. Increase the verbosity of the server logs to capture more data.
D. Disable and then re-enable the HIPS software. - Correct Answers -B. Review and
correct the HIPS configuration to ensure proper logging.
Reviewing and correcting the HIPS configuration (B) ensures that the system is properly
set up to log events, which is crucial for monitoring and incident response. Reinstalling
the software (A) might fix the issue but does not address the root cause, which is
configuration. Increasing log verbosity (C) without correcting HIPS configuration might
capture more data but not necessarily HIPS-specific events. Simply toggling the HIPS
(D) might not resolve configuration issues.
8. During a security incident, an event correlation tool has identified a series of failed
login attempts followed by a successful login from an unusual location. What action
should the security team take next?
A. Notify the user of the unusual login and request verification
B. Temporarily disable the user account and investigate
C. Update the event correlation rules to prevent similar incidents
D. Increase the logging level to capture more detailed information - Correct Answers -B.
Temporarily disable the user account and investigate
The security team should temporarily disable the user account and investigate (B) to
prevent any further potential unauthorized access while the incident is being reviewed.
This action ensures that the account is secured while the team analyzes the logs and
determines the legitimacy of the login. Notifying the user of the unusual login and
requesting verification (A) may be necessary but is secondary to securing the account.
Updating the event correlation rules (C) is a long-term action to improve detection but
does not address the immediate threat. Increasing the logging level (D) may help in
future analysis but is not an immediate response to the detected incident.
9. A laptop with TPM is undergoing maintenance. The technician wants to ensure that
no unauthorized software can be installed during this period. What TPM feature can
assist in this scenario?
A. TPM locking the device during maintenance.
B. TPM verifying the integrity of the software installation process.
C. TPM enabling multi-factor authentication for software installations.
D. TPM creating backups of the existing software. - Correct Answers -B. TPM verifying
the integrity of the software installation process.
TPM can verify the integrity of the software installation process (B), ensuring that only
authorized and untampered software is installed on the device. Locking the device (A)
or enabling multi-factor authentication (C) may help control access but do not directly
verify software integrity. Creating backups (D) is not a function of TPM and does not
prevent unauthorized software installations.
10. During a scheduled disaster recovery drill, a company simulates a complete data
center failure. Which of the following is the most critical outcome of this exercise?
A. Verifying that all employees know the evacuation routes.
B. Ensuring that the disaster recovery team can restore critical systems within the
defined RTO.
C. Confirming that all backup data is encrypted and stored securely.
D. Testing the effectiveness of communication protocols with external stakeholders. -
Correct Answers -B. Ensuring that the disaster recovery team can restore critical
systems within the defined RTO.