ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company hosts a payment-processing web application behind an AWS Application Load Balancer (ALB). A recent penetration test shows the site is vulnerable to the POODLE attack because the listener's security policy still allows SSLv3 and TLS 1.0. Legacy business partners insist on broad browser compatibility, but the security team must eliminate exposure while keeping the site available. Which action best meets security requirements with minimal operational impact?
Attach an AWS WAF rule that blocks ClientHello messages containing the SSLv3 version number while leaving the existing listener policy unchanged.
Update the ALB to use an AWS predefined security policy that disables SSLv3 and TLS 1.0/1.1 and permits only TLS 1.2 or later with strong ciphers.
Enable mutual TLS on the ALB so that only clients presenting a trusted certificate can complete the handshake over SSLv3 or TLS 1.0.
Move TLS termination from the ALB to each EC2 instance and rely on the instances' operating systems to negotiate secure protocols.
The POODLE attack exploits the way SSLv3 handles CBC-mode padding (a later variant hit some TLS implementations that failed to check padding correctly), allowing an attacker who can force a protocol downgrade to recover cookies and other session data one byte at a time. The remedy is to refuse to negotiate the obsolete versions at all. An ALB HTTPS listener enforces protocol versions through its security policy, and AWS ships predefined policies that permit only TLS 1.2 and TLS 1.3 with strong cipher suites; switching the listener to one of them is a single configuration change, takes effect without redeploying the application, and still accommodates virtually all current browsers and partner systems. The other options do not remove the exposure. AWS WAF inspects HTTP requests after the ALB has already completed the TLS handshake, so it never sees a ClientHello and cannot block a protocol version. Mutual TLS authenticates the client but runs over whatever version was negotiated, so an SSLv3 or TLS 1.0 session with a valid client certificate is still vulnerable. Moving termination onto each EC2 instance only relocates the decision to many hosts that must each be hardened and patched, increasing operational burden without guaranteeing a fix. Selecting an ALB security policy that supports only TLS 1.2 or later is therefore the correct and least disruptive remediation. After the change, confirm with a handshake test that SSLv3, TLS 1.0 and TLS 1.1 connections are refused, and give partners still running legacy clients notice that they need to upgrade.
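As an added example (not part of the original question or AWS documentation), the audit below cross-references the JSON returned by `aws elbv2 describe-listeners` with `aws elbv2 describe-ssl-policies`, flags every HTTPS listener whose policy still lists SSLv3, TLS 1.0 or TLS 1.1, and emits the `modify-listener` command that moves it to a TLS 1.2+ predefined policy. The listener ARN, load balancer name and abbreviated cipher lists in the sample documents are constructed; the choice of `ELBSecurityPolicy-TLS13-1-2-2021-06` as the replacement policy is an assumption about what the team standardises on.

```python
"""Audit ALB HTTPS listeners for security policies that still negotiate
SSLv3 / TLS 1.0 / TLS 1.1 and print the remediation command for each.

Inputs are the documents returned by `aws elbv2 describe-listeners` and
`aws elbv2 describe-ssl-policies` (run: python alb_tls_audit.py).
"""
import json

# Protocol versions that POODLE-class attacks depend on. A policy that
# still lists any of these is a finding.
OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: the team standardises on this predefined AWS policy, which
# offers TLS 1.2 and TLS 1.3 only.
TARGET_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"

# Constructed sample of `aws elbv2 describe-ssl-policies` (ciphers abbreviated).
SAMPLE_POLICIES = json.loads("""{
  "SslPolicies": [
    {"Name": "ELBSecurityPolicy-2016-08",
     "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 1}],
     "SupportedLoadBalancerTypes": ["application"]},
    {"Name": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1}],
     "SupportedLoadBalancerTypes": ["application"]}
  ]
}""")

# Constructed sample of `aws elbv2 describe-listeners` for one payments ALB.
_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/"
        "payments-alb/0123456789abcdef/")
SAMPLE_LISTENERS = json.loads(json.dumps({
    "Listeners": [
        {"ListenerArn": _ARN + "aaaa1111bbbb2222", "Protocol": "HTTPS",
         "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
        {"ListenerArn": _ARN + "cccc3333dddd4444", "Protocol": "HTTPS",
         "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
        {"ListenerArn": _ARN + "eeee5555ffff6666", "Protocol": "HTTP",
         "Port": 80},
    ]
}))


def obsolete_protocols_in(policy: dict) -> set:
    """Return the obsolete protocol names a security policy still allows."""
    return OBSOLETE_PROTOCOLS & set(policy.get("SslProtocols", []))


def target_policy_is_clean(policies_doc: dict) -> bool:
    """Guard against remediating onto a policy that is itself weak."""
    by_name = {p["Name"]: p for p in policies_doc["SslPolicies"]}
    target = by_name.get(TARGET_POLICY)
    return target is not None and not obsolete_protocols_in(target)


def audit_listeners(listeners_doc: dict, policies_doc: dict) -> list:
    """One finding per TLS-terminating listener whose policy allows an
    obsolete protocol, each carrying the exact CLI command to fix it."""
    if not target_policy_is_clean(policies_doc):
        raise ValueError(f"{TARGET_POLICY} missing or weak; refusing to audit")
    by_name = {p["Name"]: p for p in policies_doc["SslPolicies"]}
    findings = []
    for lst in listeners_doc["Listeners"]:
        if lst.get("Protocol") not in ("HTTPS", "TLS"):
            continue  # plain HTTP/TCP listeners terminate no TLS
        name = lst.get("SslPolicy")
        policy = by_name.get(name)
        # An unknown policy name means a stale policy list; report it rather
        # than silently treating the listener as compliant.
        weak = obsolete_protocols_in(policy) if policy else OBSOLETE_PROTOCOLS
        if weak:
            findings.append({
                "listener": lst["ListenerArn"],
                "port": lst["Port"],
                "policy": name,
                "allows": sorted(weak),
                "fix": (f"aws elbv2 modify-listener --listener-arn "
                        f"{lst['ListenerArn']} --ssl-policy {TARGET_POLICY}"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_LISTENERS, SAMPLE_POLICIES):
        print(f"port {f['port']} ({f['policy']}) allows {', '.join(f['allows'])}")
        print("  " + f["fix"])
```

Once the listener has been changed, verify from outside the VPC with `openssl s_client -connect <alb-dns-name>:443 -tls1` and `-tls1_1` (both handshakes should fail) and `-tls1_2` (should succeed); note that modern OpenSSL builds may have SSLv3 and TLS 1.0 disabled at compile time, in which case a hosted scanner is needed to test those versions.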
Cryptography