Risk Identification, Monitoring, and Analysis for SSCP
This page covers the Risk Identification, Monitoring, and Analysis domain of the SSCP certification. Master Cybersecurity offers 59 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
A timely review of system access audit records would be an example of which of the basic security functions?
- A. avoidance.
- B. deterrence.
- C. prevention.
- D. detection.
Explanation
The correct answer is: D. detection.
A timely review of system access audit records is an example of a detective security function — its purpose is to notice that something has happened, not to stop it from happening. Detective controls work after the event and depend on a vigilant reviewer to convert raw log entries into actionable findings. Avoidance is the choice not to engage in a risky activity at all and is a strategic posture, not a log-review activity. Deterrence works through visible consequences that discourage bad behaviour up front; the existence of audit logs offers some deterrent effect, but the act of reviewing them is detective. Prevention stops actions from succeeding through technical or administrative blocks; reviewing logs cannot prevent what has already happened. Layer detective controls (audit review, SIEM alerting) with preventive and corrective controls for complete coverage.
Question 2
Which of the following is NOT a technique used to perform a penetration test?
- A. traffic padding
- B. scanning and probing
- C. war dialing
- D. sniffing
Explanation
The correct answer is: A. traffic padding.
Traffic padding is a defensive technique that inserts dummy traffic into a communication channel to obscure traffic analysis; it has nothing to do with attempting to exploit a target, so it is not a penetration-testing technique. Scanning and probing is a foundational pen-test activity used to enumerate hosts, ports, and services that may be exploitable. War dialling — historically attempting modem connections across a range of phone numbers — is a classic technique on legacy estates and remains a category of remote-access discovery in modern pen-test work (now extended to VoIP and other interfaces). Sniffing captures network traffic to harvest credentials, identify protocols, or characterise traffic patterns and is a standard pen-test tool. Traffic padding belongs to the defender's playbook for foiling traffic analysis, not to the attacker's enumeration toolkit.
Question 3
Which of the following control pairings places emphasis on "soft" mechanisms that support the access control objectives?
- A. Preventive/Technical Pairing
- B. Preventive/Administrative Pairing
- C. Preventive/Physical Pairing
- D. Detective/Administrative Pairing
Explanation
The correct answer is: B. Preventive/Administrative Pairing.
The preventive/administrative pairing emphasises soft mechanisms such as policy, training, awareness, background screening, separation of duties, and procedures that influence human behaviour to support access-control objectives. Administrative controls are the people-and-process side of the control catalogue and are characteristically soft compared with locks or firewalls. Preventive/technical pairing emphasises hardware and software controls such as authentication systems, encryption, and firewalls; these are hard, not soft, mechanisms. Preventive/physical pairing covers locks, gates, mantraps, and guards, which are physical and tangible rather than administrative. Detective/administrative pairing covers oversight mechanisms such as review of access logs or required reporting; it is administrative, but detective in timing, so it surfaces violations after the fact rather than preventing them. Combine administrative, technical, and physical layers across preventive, detective, and corrective timings for a complete access-control posture.
Question 4
In the context of access control, locks, gates, and guards are examples of which of the following?
- A. Administrative controls
- B. Technical controls
- C. Physical controls
- D. Logical controls
Explanation
The correct answer is: C. Physical controls.
Locks, gates, and guards are physical controls: they prevent unauthorised people from making physical contact with assets, facilities, and equipment. Physical controls are one of the three traditional control families alongside administrative and technical. Administrative controls govern through policy, procedure, training, and personnel measures; they shape behaviour rather than create tangible barriers. Technical (also called logical) controls operate through hardware and software, such as access control lists, authentication mechanisms, and encryption, and exist inside information systems. "Logical controls" is simply another name for technical controls, used when the focus is on access to information rather than to equipment. Stack all three families (administrative direction, physical barriers, technical enforcement) for defence in depth.
Question 5
Detective/Technical measures:
- A. include intrusion detection systems and automatically-generated violation reports from audit trail information.
- B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.
- C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information.
- D. include intrusion detection systems and customised-generated violation reports from audit trail information.
Explanation
The correct answer is: A. include intrusion detection systems and automatically-generated violation reports from audit trail information.
Detective/technical measures include both intrusion detection systems that look for malicious activity in real time and automatically generated violation reports drawn from audit trail data; together they form the technical layer of detective control and exist to notice when something has gone wrong so corrective action can follow. Saying these measures do not include IDS and audit-violation reporting is simply incorrect — those are the canonical examples. Saying they include IDS but not automated violation reports omits a major part of the detective/technical toolkit. Saying "customised" rather than "automatically generated" violation reports narrows the category artificially; both ad-hoc and automatically generated reports based on audit data are detective/technical. Build the detective/technical layer with SIEM, IDS/IPS, file-integrity monitoring, and automated alert pipelines feeding a 24/7 monitoring function.
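The explanations for Question 1 (timely review of access audit records as a detective function) and Question 5 (automatically generated violation reports from audit trail data) both describe turning raw log entries into actionable findings. The script below is an added example, not code from this page or from any SSCP material, of what such an automated violation report looks like in practice. It parses a small constructed audit trail (the log lines, user names and addresses are made up for illustration) and applies three hypothetical policy rules: a burst of failed logins followed by a success, interactive logins outside business hours by non-service accounts, and reads of a sensitive path by users not on its allow-list. The thresholds, business-hours window, service-account set and sensitive-path allow-list are assumptions a real deployment would tune.

```python
"""Automated violation report generated from audit-trail records (added example)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "ts action fields")
Violation = namedtuple("Violation", "rule user detail")

# Assumed policy parameters (hypothetical; tune for the environment under review)
FAIL_THRESHOLD = 5                              # failed logins that trigger a finding
FAIL_WINDOW = timedelta(minutes=5)              # window those failures must fall within
BUSINESS_HOURS = range(7, 19)                   # 07:00-18:59 UTC counts as normal use
SERVICE_ACCOUNTS = {"svc_backup"}               # exempt from the off-hours rule
SENSITIVE_PREFIXES = {"/finance/": {"asmith"}}  # path prefix -> users allowed to read it

# Constructed sample audit trail; not taken from any real system.
AUDIT_LOG = """\
2024-03-04T02:13:07Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:13:12Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:13:19Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:13:25Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:13:31Z LOGIN_FAIL user=jdoe src=203.0.113.7
2024-03-04T02:13:40Z LOGIN_OK user=jdoe src=203.0.113.7
2024-03-04T02:15:02Z FILE_READ user=jdoe obj=/finance/payroll.xlsx
2024-03-04T09:01:11Z LOGIN_OK user=asmith src=10.0.0.12
2024-03-04T09:05:44Z FILE_READ user=asmith obj=/hr/handbook.pdf
2024-03-04T11:30:00Z LOGIN_OK user=svc_backup src=10.0.0.50
2024-03-04T23:45:10Z LOGIN_OK user=asmith src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")  # timestamp, action, key=value fields


def parse(log_text):
    """Turn raw lines into time-ordered Event records; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append(Event(ts, m.group(2), fields))
    return sorted(events, key=lambda e: e.ts)


def brute_force_then_success(events):
    """Flag a LOGIN_OK preceded by >= FAIL_THRESHOLD failures for that user within FAIL_WINDOW."""
    fails = defaultdict(list)
    out = []
    for e in events:
        user = e.fields.get("user")
        if e.action == "LOGIN_FAIL":
            fails[user].append(e.ts)
        elif e.action == "LOGIN_OK":
            recent = [t for t in fails[user] if e.ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                out.append(Violation("BRUTE_FORCE_THEN_SUCCESS", user,
                                     f"{len(recent)} failures then success from {e.fields.get('src')}"))
            fails[user].clear()  # a success resets the counter for that user
    return out


def off_hours_logins(events):
    """Flag successful interactive logins outside BUSINESS_HOURS by non-service accounts."""
    return [Violation("OFF_HOURS_LOGIN", e.fields.get("user"),
                      f"{e.ts.isoformat()} from {e.fields.get('src')}")
            for e in events
            if e.action == "LOGIN_OK"
            and e.ts.hour not in BUSINESS_HOURS
            and e.fields.get("user") not in SERVICE_ACCOUNTS]


def sensitive_access(events):
    """Flag reads under a sensitive prefix by a user who is not on that prefix's allow-list."""
    out = []
    for e in events:
        if e.action != "FILE_READ":
            continue
        obj, user = e.fields.get("obj", ""), e.fields.get("user")
        for prefix, allowed in SENSITIVE_PREFIXES.items():
            if obj.startswith(prefix) and user not in allowed:
                out.append(Violation("UNAUTHORISED_SENSITIVE_READ", user, obj))
    return out


def violation_report(log_text):
    """The automatically generated violation report: every rule applied to the parsed trail."""
    events = parse(log_text)
    return brute_force_then_success(events) + off_hours_logins(events) + sensitive_access(events)


if __name__ == "__main__":
    for v in violation_report(AUDIT_LOG):
        print(f"{v.rule:28} user={v.user:<12} {v.detail}")
```

Run against the constructed trail, the report lists four findings: the guessed-then-successful login for jdoe, two off-hours logins (jdoe at 02:13 and asmith at 23:45), and jdoe's read of /finance/payroll.xlsx. Nothing here blocks anything; the script only detects, which is exactly the point of Question 1. The value of the report depends on someone acting on it promptly, so in practice its output would feed a SIEM alert or a ticket queue rather than a terminal.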
Other SSCP domains
- Access Controls (203 questions)
- Cryptography (185 questions)
- Incident Response and Recovery (112 questions)
- Network and Communications Security (252 questions)
- Security Concepts and Practices (237 questions)
- Systems and Application Security (26 questions)