ISC2
Intermediate
SSCP
Systems Security Certified Practitioner
The Systems Security Certified Practitioner (SSCP) is an intermediate-level cybersecurity certification that validates technical skills and knowledge required to implement, monitor, and administer IT infrastructure using security best practices. The SSCP is ideal for security practitioners, network administrators, and systems engineers with hands-on technical security experience.
This certification covers five consolidated domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery. Candidates must demonstrate practical skills in security operations including log monitoring, vulnerability management, implementing access controls and cryptographic solutions, conducting risk assessments, securing network infrastructure, and responding to security incidents.
The SSCP uses Computerized Adaptive Testing (CAT) which adapts question difficulty based on candidate responses, delivering between 100-125 questions during the 3-hour exam window. One year of paid work experience in one or more of the SSCP domains is required for certification, though candidates can become an Associate of ISC2 by passing the exam and earn the credential once they obtain the required experience.
Updated Jun 2024
Cybersecurity
125
Questions
6
Tests Pratiques
70%
Score de Réussite
35
Vues
0
Tentatives Totales
0%
Score Moyen
0%
Taux de Réussite
0
Discussions
SSCP Practice Exam 1
Comprehensive 50-question practice exam covering all five SSCP domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery.
50 Q
90 minutes
70%
SSCP Practice Exam 2
Comprehensive 50-question practice exam covering all five SSCP domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery.
50 Q
90 minutes
70%
SSCP Practice Exam 3
Comprehensive 50-question practice exam covering all five SSCP domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery.
50 Q
90 minutes
70%
SSCP Practice Exam 4
Comprehensive 50-question practice exam covering all five SSCP domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery.
50 Q
90 minutes
70%
SSCP Practice Exam 5
Comprehensive 50-question practice exam covering all five SSCP domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery.
50 Q
90 minutes
70%
SSCP Practice Exam 6
Comprehensive 50-question practice exam covering all five SSCP domains: Security Operations and Administration, Access Controls and Cryptography, Risk Management and Compliance, Network and Communications Security, and Incident Response and Recovery.
50 Q
90 minutes
70%
Débloquer Tout le Contenu pour SSCP
6 Test(s) Pratique(s) + Flash Cards — accès de 3 mois
€39.99
€26.99
Économisez 30%
ou inclus avec l'abonnement Mensuel / Pack de Contenu
Aperçu (10 / 120)
What is the principle of least privilege?
Granting users only the minimum access rights needed to perform their job functions. This limits potential damage from accidents or malicious actions.
What does separation of duties prevent?
A single individual from completing a critical task alone. It requires collusion between multiple people to commit fraud or cause harm.
What is job rotation in security operations?
Periodically moving personnel between roles to reduce fraud risk, cross-train staff, and detect unauthorized activities through fresh oversight.
What is mandatory vacation used to detect?
Fraud or policy violations by temporarily removing an employee from duties. A substitute may uncover irregularities during the absence.
What are the three states of data?
Data at rest (stored), data in transit (moving across networks), and data in use (actively processed in memory). Each requires distinct protections.
What does data classification accomplish?
Assigns sensitivity labels to information so appropriate controls are applied. Common levels: public, internal, confidential, and restricted.
What is a security baseline?
A minimum set of security controls required for a system before deployment. It ensures consistent protection across all similar systems in the organization.
What does change management control?
The process of requesting, reviewing, approving, and documenting modifications to systems. It prevents unauthorized changes that could introduce vulnerabilities.
What is configuration management?
Tracking and controlling hardware and software settings to maintain a known secure state. It uses baselines and monitors for unauthorized deviations.
What is the purpose of patch management?
To identify, test, and deploy software updates that fix vulnerabilities. Timely patching reduces the window of exposure to known exploits.
Flash Cards
cartes couvrant les concepts clés de 120 SSCP
ou inclus avec l'abonnement Mensuel / Pack de Contenu
110 cartes supplémentaires disponibles après déblocage
Langues Disponibles
English
Japanese
Korean
Chinese
Sujets de l'Examen
1
25 Q
Security Operations and Administration
Comply with codes of ethics, understand security concepts and operations, identify and analyze malicious code, and implement security controls.
2
25 Q
Access Controls and Cryptography
Implement authentication systems and access controls, understand cryptography fundamentals, and implement public key infrastructure.
3
25 Q
Risk Management and Compliance
Understand security governance principles, identify and analyze risk, manage third-party risk, and implement compliance requirements.
4
25 Q
Network and Communications Security
Implement and operate secure network designs, understand secure communication channels, and manage network security controls.
5
25 Q
Incident Response and Recovery
Support incident lifecycle, understand disaster recovery and business continuity, and manage forensic investigations.
SSCP Cheat Sheet
Guide de référence rapide - 6 sections
ISC2 Systems Security Certified Practitioner (SSCP)
The SSCP certification validates your hands-on technical skills and knowledge required to implement, monitor, and administer IT infrastructure using information security policies and procedures that ensure data confidentiality, integrity, and availability. Offered by ISC2 (International Information System Security Certification Consortium), the SSCP is an ideal credential for IT administrators, network security engineers, systems administrators, security analysts, and database administrators who have operational security responsibilities. Unlike the more strategic CISSP, the SSCP focuses on the operational and tactical aspects of security, making it a practical certification for those who work directly with security systems, tools, and technologies on a daily basis. The SSCP covers seven domains that encompass the full spectrum of operational security, from access controls and cryptography to incident response and network security. Candidates must have at least one year of cumulative paid work experience in one or more of the seven domains, or hold a degree from an ISC2-approved program to satisfy the experience requirement. The SSCP is recognized globally and demonstrates to employers that you possess the foundational technical security skills needed to protect organizational assets against evolving threats. Maintaining the certification requires 60 Continuing Professional Education (CPE) credits over a three-year cycle and payment of an annual maintenance fee.
Exam Details
| Exam Code | SSCP |
| Duration | 180 minutes (3 hours) |
| Number of Questions | 125 questions |
| Passing Score | 700 / 1000 |
| Cost | $249 USD |
| Experience Required | 1 year cumulative paid work experience in one or more of the 7 domains (or ISC2-approved degree) |
| Question Types | Multiple choice (single and multiple select) |
| Certification Maintenance | 60 CPE credits per 3-year cycle + $65 USD annual maintenance fee |
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Security Operations and Administration | 16% |
| Domain 2: Access Controls | 15% |
| Domain 3: Risk Identification, Monitoring, and Analysis | 15% |
| Domain 4: Incident Response and Recovery | 14% |
| Domain 5: Cryptography | 9% |
| Domain 6: Network and Communications Security | 16% |
| Domain 7: Systems and Application Security | 15% |
Study Tips
- Security Operations and Administration (16%) and Network and Communications Security (16%) are the two heaviest domains; ensure you have deep practical understanding of security policies, procedures, and network defense mechanisms
- Access Controls, Risk Identification, and Systems and Application Security each carry 15% weight; collectively they represent nearly half the exam, so balance your study time across these three areas
- Cryptography at 9% is the smallest domain but still critical; focus on understanding algorithm types (symmetric vs asymmetric), key management lifecycles, hashing functions, and digital signatures rather than memorizing mathematical formulas
- The SSCP is an operational certification; expect scenario-based questions that test your ability to apply security concepts in real-world situations rather than simply recalling definitions
- Understand the incident response lifecycle thoroughly including preparation, detection, containment, eradication, recovery, and lessons learned; know when to escalate and how to preserve evidence
- Practice with access control models (MAC, DAC, RBAC, ABAC) and know which model fits specific organizational scenarios; understand the principle of least privilege and separation of duties
- Review the ISC2 Code of Ethics as ethics questions may appear on the exam; the four canons are: protect society, act honorably, provide diligent service, advance the profession
Security Operations and Administration (Domain 1 - 16%)
| Concept | Description |
|---|---|
| Security Policies | Organizational security policy is the highest-level document defining management's intent for security; hierarchy flows from policies (mandatory, high-level) to standards (specific mandatory requirements) to guidelines (recommended practices) to procedures (step-by-step instructions); acceptable use policies (AUP) define permitted use of organizational resources; data classification policies define sensitivity levels (public, internal, confidential, restricted/top secret) and handling requirements for each level |
| Security Awareness Training | Ongoing program to educate employees about security threats and responsibilities; covers phishing recognition, password hygiene, social engineering tactics, clean desk policy, physical security, reporting procedures; role-based training provides specialized content for developers, administrators, and executives; effectiveness measured through phishing simulations, quiz scores, and incident reduction metrics; must be conducted at onboarding and refreshed annually at minimum |
| Asset Management | Maintain inventory of all hardware, software, and data assets; asset classification aligns with data sensitivity (assign classification labels); lifecycle management covers procurement, deployment, maintenance, and disposal; secure disposal methods include degaussing (magnetic media), physical destruction (shredding), and cryptographic erasure (destroying encryption keys); NIST SP 800-88 provides media sanitization guidelines: Clear (logical), Purge (physical/cryptographic), Destroy (physical) |
| Change Management | Formal process to control modifications to IT systems; steps: request, review, approve, test, implement, document; Change Advisory Board (CAB) evaluates and approves changes; emergency changes follow expedited process but must be documented retroactively; prevents unauthorized modifications that could introduce vulnerabilities; configuration management maintains baseline configurations and tracks deviations |
| Data Handling | Data states: at rest (stored on disk), in transit (moving across networks), in use (being processed in memory); each state requires appropriate protection: encryption at rest (AES-256, BitLocker, LUKS), encryption in transit (TLS 1.2+, IPSec VPN), encryption in use (hardware enclaves, homomorphic encryption); data retention policies define how long data is kept; data remanence is residual data remaining after deletion, addressed through secure wiping |
Exam Tip: Know the security document hierarchy: Policy > Standard > Guideline > Procedure. Policies are mandatory and approved by senior management. Standards are mandatory and define specific requirements. Guidelines are recommended but not mandatory. Procedures are mandatory step-by-step instructions. The exam frequently tests your ability to distinguish between these document types in scenario questions.
Access Control Models (Domain 2 - 15%)
| Model | Description |
|---|---|
| Mandatory Access Control (MAC) | System-enforced access based on security labels and clearances; subjects have clearance levels, objects have classification labels (Top Secret > Secret > Confidential > Unclassified); access granted only when subject clearance dominates object classification AND subject has need-to-know; implemented in SELinux, Trusted Solaris, and military/government systems; most restrictive model; users cannot change permissions; Bell-LaPadula model enforces confidentiality (no read up, no write down); Biba model enforces integrity (no read down, no write up) |
| Discretionary Access Control (DAC) | Resource owner controls access permissions; most common in commercial operating systems (Windows NTFS, Unix file permissions); owner can grant or revoke access to other users at their discretion; flexible but vulnerable to Trojan horse attacks because malicious programs run with the user's permissions; Access Control Lists (ACLs) are the primary implementation mechanism; identity-based access decisions |
| Role-Based Access Control (RBAC) | Access based on organizational roles rather than individual identity; users are assigned to roles, roles are granted permissions to resources; simplifies administration in large organizations (one role change vs updating hundreds of individual permissions); supports separation of duties (mutually exclusive roles), least privilege (roles limited to required permissions only), and hierarchical roles (senior roles inherit junior role permissions); most widely used model in enterprise environments |
| Attribute-Based Access Control (ABAC) | Access decisions based on attributes of the subject (department, clearance, role), object (classification, type, owner), action (read, write, execute), and environment (time of day, location, device type); most flexible and granular model; policies expressed as rules evaluating attribute combinations; example: "Allow access if user.department=Finance AND object.classification=Confidential AND time.current is within business hours"; XACML is the standard for ABAC policy language |
| Rule-Based Access Control | Access determined by a set of rules defined by the system administrator; rules evaluate conditions and grant or deny access accordingly; commonly used in firewalls (ACL rules matching source/destination IP, port, protocol) and routers; not identity-based but condition-based; rules processed in order, typically first match wins; default deny rule at the end blocks anything not explicitly permitted |
Authentication and Identity Management
| Concept | Description |
|---|---|
| Authentication Factors | Type 1 - Something you know (password, PIN, passphrase); Type 2 - Something you have (smart card, hardware token, mobile phone); Type 3 - Something you are (fingerprint, retina scan, facial recognition, voice pattern); Multi-factor authentication (MFA) requires two or more different factor types; using two passwords is not MFA because both are Type 1; biometrics measured by FAR (false acceptance rate), FRR (false rejection rate), and CER/EER (crossover error rate where FAR equals FRR, lower is better) |
| Single Sign-On (SSO) | Authenticate once to access multiple systems and applications; reduces password fatigue and helpdesk calls; technologies: Kerberos (ticket-based, uses KDC with TGT and service tickets, default in Active Directory), SAML (XML-based, used for web SSO between identity provider and service provider), OAuth 2.0 (authorization framework for delegated access using access tokens), OpenID Connect (authentication layer on top of OAuth 2.0, provides ID tokens); risk: single point of failure if SSO credentials are compromised, attacker gains access to all connected systems |
| Account Management | Provisioning and deprovisioning of user accounts throughout employee lifecycle; onboarding: create account with minimum necessary permissions; role changes: adjust permissions to match new responsibilities (avoid privilege accumulation/creep); offboarding: disable account immediately upon termination, delete after retention period; privileged accounts require additional controls (separate admin accounts, enhanced logging, MFA enforcement); service accounts should use strong passwords with no expiration but regular review |
| Access Control Principles | Least privilege: grant only the minimum permissions needed to perform job functions; Separation of duties: divide critical tasks among multiple people to prevent fraud (no single person controls an entire transaction); Need to know: access granted only when information is required for a specific task; Dual control: two or more people required to complete a sensitive operation (nuclear launch keys, bank vault access); Job rotation: periodically move employees between roles to detect fraud and cross-train staff |
Exam Tip: The SSCP heavily tests access control concepts. Remember that MAC is the most secure and least flexible, DAC is the most flexible but least secure, and RBAC is the most practical for enterprise environments. For Kerberos, know the components: KDC (Key Distribution Center), TGT (Ticket Granting Ticket), TGS (Ticket Granting Service), and that it uses symmetric encryption and operates on port 88. LDAP (port 389/636 for SSL) is the directory protocol, not the authentication protocol.
Risk Management Fundamentals (Domain 3 - 15%)
| Concept | Description |
|---|---|
| Risk Terminology | Threat: potential cause of an unwanted incident (natural disaster, hacker, malware); Vulnerability: weakness that can be exploited by a threat (unpatched software, misconfiguration, weak password); Risk: probability that a threat exploits a vulnerability and the resulting impact; Asset: anything of value to the organization (data, hardware, personnel, reputation); Exposure: extent of loss when a risk materializes; Countermeasure/Control: safeguard implemented to reduce risk; Risk = Threat x Vulnerability x Impact (conceptual formula) |
| Quantitative Risk Analysis | Uses numerical/monetary values to calculate risk; Asset Value (AV) = dollar value of the asset; Exposure Factor (EF) = percentage of asset loss from a single incident (0-100%); Single Loss Expectancy (SLE) = AV x EF; Annualized Rate of Occurrence (ARO) = expected frequency per year; Annualized Loss Expectancy (ALE) = SLE x ARO; cost-benefit analysis: if control cost < ALE reduction, the control is justified; provides objective financial data for management decisions |
| Qualitative Risk Analysis | Uses subjective ratings (High/Medium/Low) rather than exact dollar values; risk matrix plots likelihood against impact on a grid; Delphi technique uses anonymous expert opinions gathered iteratively to reach consensus; faster and less expensive than quantitative analysis; useful when precise financial data is unavailable; typically used for initial risk assessment and prioritization; results expressed in relative terms rather than monetary values |
| Risk Response Strategies | Risk Mitigation/Reduction: implement controls to reduce likelihood or impact (firewalls, encryption, training); Risk Transfer/Sharing: shift financial burden to a third party (insurance, outsourcing, SLAs with penalties); Risk Acceptance: acknowledge the risk and take no action when cost of mitigation exceeds the potential loss; documented in a risk acceptance statement signed by management; Risk Avoidance: eliminate the risk entirely by discontinuing the risky activity or technology; Residual Risk: remaining risk after controls are applied; must be accepted by management |
Exam Tip: Memorize the quantitative formulas: SLE = AV x EF, ALE = SLE x ARO. If a server worth $100,000 (AV) has a 40% exposure factor (EF) for fire, SLE = $40,000. If fire occurs once every 10 years (ARO = 0.1), ALE = $4,000. A fire suppression system costing $3,000/year is justified because $3,000 < $4,000 ALE. The exam will present calculation scenarios requiring these formulas.
Vulnerability Management
| Process | Description |
|---|---|
| Vulnerability Scanning | Automated process using tools (Nessus, Qualys, OpenVAS, Rapid7 Nexpose) to identify known vulnerabilities in systems, applications, and configurations; credentialed scans (with system login) are more thorough than non-credentialed scans; scan types: network-based (external/internal), host-based (agent-installed), application (web app scanners like OWASP ZAP, Burp Suite); schedule regular scans (weekly/monthly) and after significant changes; prioritize remediation using CVSS scores |
| CVSS Scoring | Common Vulnerability Scoring System provides standardized severity ratings from 0.0 to 10.0; Base score considers attack vector (Network/Adjacent/Local/Physical), attack complexity (Low/High), privileges required (None/Low/High), user interaction (None/Required), and CIA impact; Temporal score adjusts for exploit maturity and remediation availability; Environmental score adjusts for organizational context; severity: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0) |
| Patch Management | Systematic process for identifying, acquiring, testing, and deploying software updates; patch sources: vendor updates (Microsoft Patch Tuesday, Apple security updates), firmware updates, application patches; lifecycle: discover (scan for missing patches), prioritize (based on CVSS and asset criticality), test (verify in non-production environment), deploy (staged rollout), verify (confirm successful installation); emergency patches for critical zero-days may skip testing; maintain rollback procedures for failed patches |
| Penetration Testing | Authorized simulated attack to evaluate security; types: Black box (no prior knowledge, simulates external attacker), White box (full knowledge of architecture and source code), Gray box (partial knowledge, simulates insider or compromised partner); phases: planning/scoping, reconnaissance, scanning/enumeration, exploitation, post-exploitation, reporting; must have written authorization (Rules of Engagement) before testing; differs from vulnerability scanning in that pen testing actively exploits vulnerabilities while scanning only identifies them |
Security Monitoring and Analysis
| Technology | Description |
|---|---|
| SIEM Systems | Security Information and Event Management aggregates and correlates logs from multiple sources (firewalls, IDS/IPS, servers, applications, endpoints) into a central platform; provides real-time alerting, dashboards, and historical analysis; correlation rules detect complex attack patterns spanning multiple systems; examples: Splunk, IBM QRadar, Microsoft Sentinel, LogRhythm, Elastic SIEM; log normalization converts diverse log formats into a common schema for analysis; retention policies define how long logs are stored for compliance and forensic purposes |
| IDS/IPS | Intrusion Detection System (IDS) monitors and alerts on suspicious activity (passive); Intrusion Prevention System (IPS) monitors and actively blocks threats (inline); detection methods: Signature-based (pattern matching against known attack signatures, cannot detect zero-day attacks), Anomaly/Behavior-based (establishes baseline of normal activity, detects deviations, higher false positive rate but catches unknown attacks), Stateful protocol analysis (validates protocol usage against expected behavior); deployment: Network-based (NIDS/NIPS monitors network traffic) and Host-based (HIDS/HIPS monitors individual system activity, file integrity, log files) |
| Log Management | Centralized collection, storage, and analysis of system and security logs; syslog protocol (UDP 514, TCP 514, TLS on 6514) is the standard for log forwarding; Windows Event Log categories: Security (logon/logoff, policy changes), System (service failures, driver issues), Application (application errors); log sources include operating systems, firewalls, routers, web servers, databases, authentication servers; NTP synchronization across all systems is critical for accurate log correlation and forensic timelines |
Exam Tip: Understand the difference between vulnerability scanning (automated, identifies weaknesses, non-invasive) and penetration testing (manual exploitation, proves impact, can be disruptive). Know IDS/IPS alert types: True Positive (correctly identified attack), False Positive (normal activity flagged as attack), True Negative (correctly identified normal traffic), False Negative (missed attack, most dangerous). The exam tests your ability to recommend appropriate monitoring tools for given scenarios.
Incident Response Lifecycle (Domain 4 - 14%)
| Phase | Description |
|---|---|
| 1. Preparation | Establish incident response team (IRT) with defined roles and responsibilities; create and maintain incident response plan (IRP) with escalation procedures, communication templates, and contact lists; deploy detection and monitoring tools (SIEM, IDS/IPS, EDR); conduct tabletop exercises and simulations to test readiness; establish relationships with external parties (law enforcement, ISACs, forensic firms); maintain jump bags with forensic tools and documentation |
| 2. Detection and Analysis | Identify potential security incidents from alerts, user reports, and automated monitoring; determine if an event is a true incident or false positive; classify incident severity and impact (Critical, High, Medium, Low); document initial findings including indicators of compromise (IoCs): malicious IP addresses, file hashes, domain names, registry changes; notification to appropriate stakeholders based on severity level; begin evidence collection and chain of custody documentation |
| 3. Containment | Short-term containment: immediate actions to stop the incident from spreading (isolate affected system from network, disable compromised account, block malicious IP); Long-term containment: temporary fixes allowing business operations while preparing for eradication (apply temporary patches, redirect DNS, deploy clean system while keeping compromised system for forensics); critical to preserve evidence during containment; document all actions taken with timestamps |
| 4. Eradication | Remove the root cause of the incident from the environment; actions include removing malware, closing exploited vulnerabilities, patching systems, resetting compromised credentials, rebuilding systems from clean images if necessary; identify all affected systems to prevent reinfection; update IDS/IPS signatures and firewall rules to detect and block the specific attack vector; verify eradication through scanning and monitoring |
| 5. Recovery | Restore affected systems to normal operations; restore from known-good backups; rebuild systems from trusted media; gradually return systems to production with increased monitoring; validate system functionality and security controls; monitor for signs of re-compromise for an extended period; confirm business operations are fully restored; follow change management procedures for all recovery actions |
| 6. Lessons Learned | Post-incident review meeting with all stakeholders within 1-2 weeks; document what happened, when it was detected, how it was contained and eradicated, what worked well and what needs improvement; update incident response plan, detection rules, and procedures based on findings; create or update runbooks for similar future incidents; report metrics (time to detect, time to contain, total impact); feed findings into risk assessment and security awareness training |
Business Continuity and Disaster Recovery
| Concept | Description |
|---|---|
| Recovery Objectives | Recovery Time Objective (RTO): maximum acceptable downtime before business impact becomes unacceptable; Recovery Point Objective (RPO): maximum acceptable data loss measured in time (if RPO is 4 hours, backups must occur at least every 4 hours); Maximum Tolerable Downtime (MTD)/Maximum Tolerable Period of Disruption (MTPD): absolute maximum time a business function can be unavailable before the organization fails; RTO must be less than MTD; lower RTO/RPO values require more expensive solutions |
| Backup Strategies | Full backup: complete copy of all data (longest backup time, fastest restore); Incremental backup: only data changed since last backup of any type (fastest backup, slowest restore as all incrementals must be applied); Differential backup: all data changed since last full backup (moderate backup time, faster restore than incremental as only full + latest differential needed); 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 copy offsite; test restores regularly to verify backup integrity |
| DR Site Types | Hot site: fully equipped and operational, data replicated in real-time, failover in minutes to hours (most expensive); Warm site: hardware and networking in place but requires data restoration and configuration, failover in hours to days; Cold site: basic facility with power and connectivity only, all hardware and data must be provisioned, failover in days to weeks (least expensive); Mobile site: transportable facility (trailer/container) with pre-configured equipment; Cloud-based DR (DRaaS) offers scalable, pay-as-you-go recovery infrastructure |
Exam Tip: Know the NIST SP 800-61 incident response lifecycle phases in order. For forensics, remember the order of volatility (most volatile first): CPU registers/cache, RAM, network state, running processes, disk, remote logging, physical configuration, archival media. Evidence must maintain chain of custody (who collected it, when, where stored, who accessed it) to be admissible. A forensic image is a bit-for-bit copy of the original media, verified with a hash (MD5 or SHA-256).
Cryptography Fundamentals (Domain 5 - 9%)
| Algorithm Type | Details |
|---|---|
| Symmetric Encryption | Same key used for encryption and decryption; fast and efficient for bulk data encryption; key distribution is the primary challenge (both parties must securely share the key); AES (Advanced Encryption Standard): 128, 192, or 256-bit keys, NIST standard, most widely used; 3DES (Triple DES): applies DES three times with 2 or 3 different keys, legacy but still found in financial systems; Blowfish/Twofish: variable-length keys up to 448 bits; block ciphers (AES, DES) process fixed-size blocks, stream ciphers (RC4, ChaCha20) process one bit/byte at a time; key count formula for n users: n(n-1)/2 keys needed |
| Asymmetric Encryption | Key pair: public key (shared freely) and private key (kept secret); encrypt with recipient's public key, decrypt with recipient's private key (confidentiality); sign with sender's private key, verify with sender's public key (authentication, integrity, non-repudiation); RSA: most common, key sizes 2048-4096 bits, based on factoring large primes; Diffie-Hellman: key exchange protocol, establishes shared secret over insecure channel, does not encrypt or authenticate; ECC (Elliptic Curve Cryptography): smaller key sizes with equivalent security (256-bit ECC equals 3072-bit RSA); slower than symmetric, typically used for key exchange, digital signatures, and small data |
| Hashing Functions | One-way function producing fixed-length output (digest/hash) from variable-length input; properties: deterministic (same input always produces same hash), irreversible (cannot derive input from hash), collision-resistant (computationally infeasible to find two inputs with same hash), avalanche effect (small input change produces drastically different hash); MD5: 128-bit digest, broken (collision attacks), avoid for security purposes; SHA-1: 160-bit digest, deprecated due to collision vulnerabilities; SHA-256/SHA-384/SHA-512: current standards (SHA-2 family); SHA-3: latest NIST standard based on Keccak sponge construction; HMAC: keyed hash combining a hash function with a secret key for message authentication |
| Digital Signatures | Provides authentication (verify sender identity), integrity (detect modifications), and non-repudiation (sender cannot deny signing); process: sender hashes the message, encrypts the hash with their private key (creating the signature), sends message plus signature; recipient decrypts signature with sender's public key to get the original hash, hashes the received message independently, compares both hashes; if they match, the message is authentic and unmodified; DSA (Digital Signature Algorithm): NIST standard, signature only (no encryption); RSA can be used for both encryption and signatures |
PKI and Key Management
- Public Key Infrastructure (PKI): Framework for managing digital certificates and public-key encryption; components include Certificate Authority (CA) that issues and signs certificates, Registration Authority (RA) that verifies identity before certificate issuance, Certificate Revocation List (CRL) listing revoked certificates, and Online Certificate Status Protocol (OCSP) for real-time certificate validation; X.509 is the standard format for digital certificates containing subject name, public key, issuer, validity period, and serial number
- Certificate Types: Domain Validation (DV) verifies domain ownership only (lowest assurance); Organization Validation (OV) verifies organization identity; Extended Validation (EV) provides highest assurance with thorough vetting (green bar in older browsers); Wildcard certificates cover all subdomains of a domain (*.example.com); Subject Alternative Name (SAN) certificates cover multiple specific domains in a single certificate
- Key Management Lifecycle: Generation (use cryptographically secure random number generators), Distribution (secure key exchange using asymmetric encryption or out-of-band methods), Storage (protect keys in hardware security modules (HSMs), key vaults, or encrypted keystores), Rotation (periodically replace keys to limit exposure), Revocation (invalidate compromised or expired keys), Destruction (securely overwrite/destroy keys when no longer needed using zeroization); key escrow stores a copy of encryption keys with a trusted third party for recovery purposes
Exam Tip: Remember that symmetric encryption provides confidentiality only, while asymmetric encryption can provide confidentiality, authentication, integrity, and non-repudiation. Hashing provides integrity only; HMAC adds authentication to hashing. In practice, hybrid encryption is used: asymmetric encryption secures the symmetric key exchange, then symmetric encryption handles the bulk data (this is how TLS works). Know that AES is the current NIST symmetric standard and SHA-256 is the current NIST hashing standard.
Network Security Fundamentals (Domain 6 - 16%)
| Technology | Description |
|---|---|
| Firewalls | Packet filtering: examines headers (source/destination IP, port, protocol) and applies rules; operates at Layer 3-4 of the OSI model; stateless (each packet evaluated independently) or stateful (tracks connection state, allows return traffic for established sessions); Application-layer/proxy firewall: operates at Layer 7, inspects packet contents, can filter by application protocol (HTTP, FTP, SMTP); Next-Generation Firewall (NGFW): combines traditional firewall with IPS, application awareness, deep packet inspection, SSL/TLS inspection, and threat intelligence; Web Application Firewall (WAF): specialized for HTTP/HTTPS traffic, protects against SQL injection, XSS, CSRF |
| Network Segmentation | Dividing a network into isolated segments to limit lateral movement and contain breaches; VLANs (Virtual LANs): logical segmentation at Layer 2, separate broadcast domains on the same physical switch; DMZ (Demilitarized Zone): network segment between the internet and internal network for public-facing servers (web, email, DNS); air gap: physical isolation with no network connectivity, used for highly sensitive systems (SCADA, classified networks); micro-segmentation: granular segmentation at the workload level using software-defined policies; subnetting: dividing IP address space into smaller networks for management and security |
| VPN Technologies | Creates encrypted tunnel over untrusted networks; IPSec VPN: operates at Layer 3, two modes: Transport (encrypts payload only, original IP header intact, used for host-to-host) and Tunnel (encrypts entire original packet, adds new IP header, used for site-to-site); IPSec protocols: AH (Authentication Header, integrity and authentication only, protocol 51) and ESP (Encapsulating Security Payload, confidentiality + integrity + authentication, protocol 50); IKE (Internet Key Exchange) negotiates security associations (SAs) for key exchange; SSL/TLS VPN: operates at Layer 4-7, uses standard HTTPS port 443, easier for remote access through firewalls; Split tunneling: only corporate traffic goes through VPN, internet traffic goes directly (less secure); Full tunneling: all traffic goes through VPN (more secure, higher bandwidth usage) |
| Network Access Control (NAC) | Enforces security policy compliance before granting network access; pre-admission: evaluates device health (OS patches, antivirus status, firewall enabled) before allowing network connection; post-admission: continuously monitors connected devices and can quarantine non-compliant systems; IEEE 802.1X: port-based authentication standard using EAP (Extensible Authentication Protocol) between supplicant (client), authenticator (switch/AP), and authentication server (RADIUS); agents can be persistent (installed software) or dissolvable (temporary web-based); quarantine VLAN isolates non-compliant devices for remediation |
Exam Tip: Know the OSI model layers and which security devices operate at each: packet filtering firewall (Layer 3-4), stateful firewall (Layer 3-4), proxy/application firewall (Layer 7), IDS/IPS (Layer 3-7), switch (Layer 2), router (Layer 3). For IPSec, remember that ESP provides confidentiality + integrity + authentication while AH provides only integrity + authentication (no encryption). The exam expects you to recommend the appropriate VPN type for given scenarios: IPSec for site-to-site, SSL/TLS for remote access.
Network Attacks and Countermeasures
| Attack | Description and Countermeasures |
|---|---|
| Man-in-the-Middle (MitM) | Attacker intercepts and potentially alters communications between two parties; ARP spoofing/poisoning: attacker sends forged ARP replies to associate their MAC address with a legitimate IP, redirecting traffic through their machine; DNS spoofing/cache poisoning: corrupts DNS cache to redirect users to malicious sites; countermeasures: use encrypted protocols (HTTPS, SSH), implement certificate pinning, deploy Dynamic ARP Inspection (DAI), use DNSSEC for DNS integrity, enable 802.1X port security |
| Denial of Service (DoS/DDoS) | Overwhelms target resources to deny legitimate access; volumetric attacks flood bandwidth (UDP flood, ICMP flood, DNS amplification); protocol attacks exhaust server resources (SYN flood, Ping of Death, Smurf attack); application-layer attacks target specific services (HTTP GET/POST flood, Slowloris); DDoS uses multiple compromised systems (botnet) for amplified attack; countermeasures: rate limiting, traffic scrubbing services (Cloudflare, AWS Shield), SYN cookies, ingress/egress filtering, anti-DDoS appliances, over-provisioning, CDN distribution |
| Wireless Attacks | Evil twin: rogue access point mimicking a legitimate network to capture credentials; War driving: scanning for wireless networks from a moving vehicle; Deauthentication attack: sending forged deauth frames to disconnect clients from a legitimate AP, forcing reconnection to evil twin; WPA2 KRACK: key reinstallation attack exploiting the four-way handshake; countermeasures: use WPA3 (SAE replaces PSK, provides forward secrecy), implement 802.1X enterprise authentication with RADIUS, enable wireless IDS/IPS (WIDS/WIPS), disable SSID broadcast for sensitive networks, conduct regular rogue AP detection scans |
| Social Engineering | Manipulates human psychology to bypass security controls; Phishing: fraudulent emails impersonating trusted entities to steal credentials or deploy malware; Spear phishing: targeted phishing aimed at specific individuals; Whaling: phishing targeting executives; Vishing: voice-based phishing over phone; Smishing: SMS-based phishing; Pretexting: creating a fabricated scenario to extract information; Tailgating/Piggybacking: following an authorized person through a secured entrance; countermeasures: security awareness training, phishing simulations, email filtering (DMARC, DKIM, SPF), multi-factor authentication, physical access controls (mantrap/security vestibule) |
Secure Network Protocols
| Insecure Protocol | Secure Alternative | Purpose |
|---|---|---|
| HTTP (80) | HTTPS (443) | Web traffic encrypted with TLS |
| FTP (20/21) | SFTP (22) / FTPS (990) | Secure file transfer (SSH-based or TLS-based) |
| Telnet (23) | SSH (22) | Encrypted remote administration |
| SNMP v1/v2c (161) | SNMPv3 (161) | Network management with encryption and authentication |
| DNS (53) | DNSSEC / DoH (443) / DoT (853) | DNS integrity (DNSSEC) or encryption (DoH/DoT) |
| SMTP (25) | SMTPS (465) / STARTTLS (587) | Encrypted email transmission |
| LDAP (389) | LDAPS (636) | Encrypted directory services |
System Hardening (Domain 7 - 15%)
| Practice | Description |
|---|---|
| Operating System Hardening | Remove unnecessary services, applications, and protocols to reduce attack surface; disable default accounts and rename administrator accounts; enforce strong password policies (minimum length, complexity, history, lockout thresholds); apply security baselines from CIS Benchmarks, DISA STIGs, or vendor guides; configure host-based firewalls to allow only required traffic; enable audit logging for security events; disable autorun/autoplay to prevent removable media attacks; implement application whitelisting to allow only approved software; configure secure boot and UEFI settings to prevent firmware-level attacks |
| Endpoint Security | Antivirus/Antimalware: signature-based detection (known malware), heuristic analysis (suspicious behavior patterns), sandboxing (execute suspicious files in isolated environment); Endpoint Detection and Response (EDR): continuous monitoring, behavioral analysis, threat hunting, automated response, forensic investigation capabilities; Data Loss Prevention (DLP): prevent unauthorized transmission of sensitive data via email, USB, cloud upload, or print; Host-based IPS (HIPS): monitors system calls and application behavior for malicious activity; full-disk encryption (BitLocker, FileVault, LUKS) protects data at rest if device is lost or stolen |
| Virtualization Security | Hypervisor security: Type 1 (bare-metal, VMware ESXi, Microsoft Hyper-V) is more secure than Type 2 (hosted, VirtualBox, VMware Workstation); VM escape: attack where malicious code breaks out of a VM to access the hypervisor or other VMs (critical vulnerability); VM sprawl: uncontrolled proliferation of VMs creating unmanaged, unpatched systems; countermeasures: patch hypervisor regularly, isolate management network, use VM templates with hardened configurations, implement resource controls to prevent denial-of-service between VMs, encrypt VM images at rest |
| Cloud Security | Shared responsibility model: IaaS (customer manages OS, applications, data; provider manages infrastructure), PaaS (customer manages applications and data; provider manages OS and infrastructure), SaaS (customer manages data and access; provider manages everything else); key concerns: data sovereignty (geographic location of data), vendor lock-in, multi-tenancy risks, API security, identity federation; Cloud Access Security Broker (CASB): intermediary enforcing security policies between users and cloud services, providing visibility, compliance, threat protection, and data security; security controls: encryption, access management, network segmentation, monitoring, incident response adapted for cloud |
Exam Tip: The shared responsibility model is critical for the SSCP exam. In IaaS, the customer is responsible for patching the OS and securing applications. In PaaS, the provider handles OS patching but the customer secures the application code and data. In SaaS, the customer is primarily responsible for data classification, access control, and user management. Always apply the principle of least functionality: disable or remove all unnecessary services, ports, protocols, and applications.
Malware Types and Countermeasures
| Malware Type | Characteristics |
|---|---|
| Virus | Requires a host file to attach to and user action to spread; types: boot sector virus (infects MBR/boot sector, loads before OS), file infector (attaches to executable files), macro virus (embeds in documents using macro languages like VBA), polymorphic virus (changes its code with each infection to evade signature detection), metamorphic virus (completely rewrites itself each generation); propagates when infected file is shared or executed |
| Worm | Self-replicating malware that spreads independently without requiring a host file or user action; exploits network vulnerabilities to propagate automatically; consumes network bandwidth and system resources; notable examples: WannaCry (EternalBlue SMB exploit), Conficker, Code Red, SQL Slammer; containment requires network segmentation and rapid patching of exploited vulnerability |
| Trojan Horse | Disguises itself as legitimate software to trick users into installing it; does not self-replicate; types: Remote Access Trojan (RAT) provides backdoor access to the attacker, Banking Trojan steals financial credentials, Dropper Trojan downloads and installs additional malware; commonly distributed through phishing emails, malicious websites, and pirated software |
| Ransomware | Encrypts victim's files and demands payment (usually cryptocurrency) for decryption key; types: crypto-ransomware (encrypts files), locker ransomware (locks the system), double extortion (encrypts data AND threatens to publish stolen data); spreads via phishing, RDP brute force, exploit kits, and supply chain attacks; countermeasures: regular offline backups (3-2-1 rule), network segmentation, email filtering, disable macros by default, patch management, endpoint detection, user awareness training, incident response plan with ransomware playbook |
| Rootkit | Hides its presence and provides persistent privileged access; operates at various levels: user-mode rootkit (modifies system utilities and libraries), kernel-mode rootkit (modifies kernel code or data structures, extremely difficult to detect), firmware/BIOS rootkit (persists across OS reinstalls, resides in hardware firmware); detection: boot from trusted media and scan, use rootkit-specific scanners, integrity checking against known-good baselines; prevention: Secure Boot, UEFI with Trusted Platform Module (TPM), host-based integrity monitoring |
Application Security
| Vulnerability | Description and Mitigation |
|---|---|
| SQL Injection | Attacker inserts malicious SQL statements into application input fields to manipulate database queries; types: in-band (error-based, UNION-based), blind (Boolean-based, time-based), out-of-band (DNS/HTTP exfiltration); impact: data theft, data modification, authentication bypass, command execution; mitigation: parameterized queries (prepared statements), input validation and sanitization, stored procedures, least-privilege database accounts, Web Application Firewall (WAF) rules |
| Cross-Site Scripting (XSS) | Injects malicious scripts into web pages viewed by other users; Reflected XSS: payload in the URL parameter, executed when victim clicks a crafted link; Stored/Persistent XSS: payload saved in the database (comments, profiles) and executed for every user who views the page; DOM-based XSS: client-side JavaScript modifies the DOM with unsanitized user input; impact: session hijacking, cookie theft, defacement, keylogging; mitigation: output encoding/escaping, Content Security Policy (CSP) headers, input validation, HTTPOnly cookie flag, use modern frameworks with automatic escaping |
| Cross-Site Request Forgery (CSRF) | Forces authenticated user's browser to send unwanted requests to a vulnerable application; attacker crafts a malicious page that submits forms or makes API calls using the victim's authenticated session; victim must be logged into the target site when visiting the attacker's page; mitigation: anti-CSRF tokens (unique per session, included in forms), SameSite cookie attribute, verify Origin/Referer headers, require re-authentication for sensitive actions |
| Buffer Overflow | Writing data beyond allocated memory buffer boundaries; stack-based overflow: overwrites return address on the call stack to redirect execution to attacker-controlled code; heap-based overflow: corrupts heap memory management structures; impact: arbitrary code execution, denial of service, privilege escalation; mitigation: input validation (bound checking), use memory-safe languages (Rust, Go, Java), ASLR (Address Space Layout Randomization), DEP/NX (Data Execution Prevention/No Execute), stack canaries, code review and static analysis |
- Secure SDLC: Integrate security into every phase of the software development lifecycle; Requirements (define security requirements and abuse cases), Design (threat modeling using STRIDE or DREAD, security architecture review), Implementation (secure coding standards, peer code review), Testing (SAST - static analysis of source code, DAST - dynamic testing of running application, penetration testing, fuzz testing with random/malformed inputs), Deployment (hardened configuration, secure deployment pipeline), Maintenance (patch management, vulnerability monitoring, incident response)
- OWASP Top 10: Industry-standard awareness document for the most critical web application security risks; current top risks include Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery (SSRF); use as a baseline checklist for application security testing and development standards
- DevSecOps: Integrating security practices into DevOps workflows; shift security left (earlier in the pipeline); automate security testing in CI/CD pipelines (SAST, DAST, SCA for dependency scanning, container image scanning); infrastructure as code (IaC) security scanning (Terraform, CloudFormation templates); secrets management in code repositories (no hardcoded credentials, use vaults); security champions in development teams bridge the gap between security and development
Exam Tip: The SSCP exam expects you to identify common vulnerabilities and recommend appropriate mitigations. For SQL injection, the best answer is always parameterized queries (prepared statements), not input filtering alone. For XSS, output encoding is the primary defense. Know the OWASP Top 10 categories at a high level. Understand that security testing should occur throughout the SDLC, not just at the end. The exam may present scenarios where you need to choose between SAST (white-box, analyzes source code) and DAST (black-box, tests running application).