ISC2 CISSP Practice Test

The correct answer is to prevent configuration drift and unauthorized changes. Immutable infrastructure improves security by preventing configuration drift and unauthorized changes to production systems. Rather than modifying existing systems (which can lead to inconsistencies and security issues), immutable infrastructure requires replacing entire systems when changes are needed, ensuring systems always match their known secure baseline. This approach ensures that all systems are in a known, verified state and reduces the risk of unauthorized or undocumented changes compromising security.

To ensure consistent security controls across all environments is incorrect because while immutable infrastructure can contribute to consistency, its primary purpose is specifically about preventing changes to deployed systems rather than ensuring identical controls across different environments. Environment consistency is typically addressed through infrastructure as code and deployment pipelines rather than immutability itself.

To establish verifiable deployment artifacts for compliance audits is incorrect because while immutable infrastructure can create better auditability as a side benefit, this is not its primary purpose. The primary security benefit comes from preventing unauthorized runtime changes rather than creating verifiable artifacts. Audit requirements are typically addressed through separate logging, monitoring, and documentation processes.

To implement zero-trust architecture principles in cloud environments is incorrect because while immutable infrastructure can support zero-trust models, they are distinct security concepts. Zero-trust focuses on eliminating implicit trust and requiring verification for all access, while immutability focuses on preventing changes to deployed systems. Immutable infrastructure is not required for implementing zero-trust architecture, nor does it inherently create a zero-trust environment.

Implementing security measures to correct the identified vulnerabilities is the core of the remediation phase and is essential for preventing future incidents. This directly addresses the root cause. While notifying stakeholders and reporting are crucial parts of the overall incident response process, they do not fix the technical cause of the breach. Likewise, increasing monitoring is a valuable detection and verification activity but does not remediate the known vulnerability. Conducting a broader audit might be part of the 'lessons learned' phase but does not address the immediate need to fix the exploited weakness.

Implementing role-based access controls ensures that individuals are granted access based on their specific job responsibilities, minimizing the risk of unauthorized access to sensitive information. In contrast, requiring users to create complex passwords might enhance security, but it does not restrict access based on roles. Restricting access solely to the IT department does not address the need for appropriate access control for other authorized personnel, and merely conducting access reviews annually may lead to time gaps where unauthorized access could occur.

The correct answer is Patent. Patents are specifically designed to protect novel inventions, processes, methods, and technical solutions for a limited period (typically 20 years). Patents give the holder exclusive rights to prevent others from making, using, selling, or importing the protected innovation without permission. When properly filed and granted, patents provide the strongest legal standing in cases of unauthorized use of technical innovations, as they don't require proving how the competitor acquired the technology.

While Copyright protects the expression of ideas (like specific code implementations or documentation), it doesn't protect the underlying technical concepts or functionality. Trademarks protect brands, names, and logos that identify products or services, not technical solutions. Trade Secret protection requires maintaining confidentiality and is difficult to enforce once the information is independently discovered or reverse-engineered by others, as the company would need to prove the competitor improperly acquired the protected information rather than developing it independently.

Opportunistic attacks are cybercrimes where attackers exploit vulnerabilities they happen to find rather than specifically targeting an organization. In the scenario described, the attacker discovered the vulnerability during a wide-scale internet sweep rather than specifically targeting the company, which is the hallmark of an opportunistic attack. Advanced Persistent Threats involve targeted, sophisticated attacks against specific organizations with long-term objectives. Social engineering attacks focus on manipulating people rather than technical vulnerabilities. Zero-day exploits involve previously unknown vulnerabilities but don't specify the targeting approach.

Just-in-time access control with automated revocation is the correct answer because it provides temporary access that is automatically terminated after a predetermined period or when the maintenance task is complete. This approach minimizes the security risk window by ensuring vendors can only access systems when necessary and for the minimum required duration. It also creates comprehensive audit trails and eliminates the risks associated with persistent access privileges.

The other options are inadequate:

• Dedicated VPN connections with pre-shared keys don't address access duration limits and create ongoing access paths.
• Network segmentation with role-based firewalls limits scope but doesn't address the temporal aspect of access control.
• Proxied connections with session recording provide visibility but don't inherently restrict when or for how long access is granted.

The correct answer is nonrepudiation. Nonrepudiation is the security pillar that provides assurance that someone cannot deny the validity of something. In the context of financial transactions, nonrepudiation mechanisms ensure that the sender of a message cannot later deny having sent it. This is typically accomplished through digital signatures, timestamps, audit trails, and other cryptographic techniques that bind an action to the identity who performed it.

Authenticity primarily indicates verification that something is genuine or from the purported source, not preventing denial of sending. Confidentiality focuses on protecting data from unauthorized access. Integrity ensures data remains unchanged in transit or storage. Availability ensures systems and data are accessible when needed. None of these other pillars directly address preventing the sender from denying their actions.

A sandbox is an isolated environment used to execute suspicious or untrusted code and applications without risking harm to the host device or network. By providing this controlled environment, security professionals can observe the behavior of potentially malicious software and analyze its actions without exposing production systems to risk. Sandboxes are particularly valuable for testing unknown files, suspicious email attachments, or applications from untrusted sources before allowing them into the production environment.

Parameterized queries (also known as prepared statements) are the correct solution because they separate SQL code from data by using placeholders for parameters. This ensures that user input is always treated as data rather than executable code, effectively preventing SQL injection attacks regardless of the input content.

Input sanitization involves filtering or cleaning user input to remove potentially malicious characters. While this can help reduce the risk of SQL injection, it is not as reliable as parameterized queries because sanitization filters can often be bypassed by sophisticated attacks and may not address all possible injection vectors.

Error handling focuses on managing application responses when errors occur. While proper error handling is important for security (preventing information leakage that could aid an attacker), it does not prevent SQL injection attacks from occurring in the first place. It might hide error details from attackers but does not fix the underlying vulnerability.

Secure logging is the practice of properly recording application events without exposing sensitive information. While logging is crucial for security monitoring and incident response, it does not prevent SQL injection attacks. Logging would only record that an attack happened but would not stop it from succeeding.

The most effective approach involves establishing a baseline of normal user behavior variation over time. This baseline allows organizations to detect significant deviations that may indicate abnormal or potentially malicious activities. Meanwhile, relying on historical data or monitoring user actions without context limits the ability to detect emerging threats.

The correct option highlights the benefit of streamlining user interactions by decreasing the frequency of login requirements, which enhances user experience and productivity. The other options incorrectly represent password management practices and authentication processes that do not accurately reflect the functionality of SSO.

The correct answer emphasizes a systematic approach involving thorough documentation and regular audits for varied asset types. The other options address parts of the process but do not provide a comprehensive strategy for accurate inventory management.

The most appropriate method is an out-of-band, cloud-based group messaging channel. Since the primary data center and its services (like email) are simulated to be offline, an independent, pre-configured channel is essential for real-time coordination. Such platforms allow for immediate, multi-directional communication, file sharing, and status tracking among the technical team. A continuous conference call can be fatiguing and is inefficient for sharing text-based information like logs or commands. Individual SMS messages create information silos and are not suitable for group coordination. A public social media group is inappropriate due to security and privacy risks.

Data classification is the systematic approach used to categorize data by its level of sensitivity. This process helps organizations apply appropriate security measures based on potential risk. In contrast, terms like 'data mapping' or 'data encoding' do not encapsulate this concept, as they pertain to organizing or translating data rather than assessing sensitivity levels.

The correct answer is replacing the software with a supported alternative. End-of-life software that no longer receives security updates represents an increasing security risk over time as new vulnerabilities are discovered but not patched. Replacing it with supported software is the most comprehensive solution that addresses the root cause of the risk.

Continuing to use the software without changes is the highest-risk option, as the software will become increasingly vulnerable over time with no way to address new security issues.

Implementing additional security controls to isolate and protect the vulnerable software can be a temporary mitigation but is generally less effective than replacement. These controls may be complex, costly, and still leave residual risk, especially for direct attacks against the vulnerable software.

Hiring developers to create custom patches for the software is typically impractical, expensive, and risky. Without access to the original source code and design documentation, custom patches may introduce new vulnerabilities or cause compatibility problems.

The correct answer is using a private repository manager with vulnerability scanning and version control. This approach provides a controlled, secure source for third-party components with validation before use. It enables scanning for known vulnerabilities, enforces version control, ensures availability, and provides an audit trail of what components are being used.

**Downloading libraries directly from vendor repositories to a private developer repository ** creates risk because vendor repositories can be compromised, and there's no validation of the libraries before use.

Copying all required libraries from the vendor repository into the project's source code repository before beginning a new build provides version control, but it bloats the repository size and complicates vulnerability management. It does not explicitly validate the libraries or ensure that the libraries are scanned for vulnerabilities or compromise.

**Allowing developers to manually download and commit libraries to the project **introduces inconsistency and risk. Different developers might use different versions or sources, and there's no systematic validation process for security vulnerabilities.

A Security Information and Event Management (SIEM) solution is the correct answer because it specifically addresses the key requirements mentioned in the scenario. SIEM platforms are designed to collect, aggregate, and correlate log data and security events from diverse sources across the enterprise network. They provide real-time analysis of security alerts, automated correlation of events, and centralized management of log data.

The other options would not fully address the organization's needs:

• An Intrusion Detection System (IDS) would detect suspicious activities but lacks comprehensive log aggregation and correlation features across diverse systems.

• Log Management tools focus primarily on collecting and storing logs but typically lack advanced correlation and real-time analysis capabilities.

• User and Entity Behavior Analytics (UEBA) specifically focuses on identifying anomalous user behaviors using machine learning algorithms, but does not provide the comprehensive event correlation and centralized security monitoring capabilities required in this scenario.

The correct answer is implementing a software composition analysis process with ongoing vulnerability monitoring. This approach inventories the open-source components in use, maps them to known vulnerabilities, and continuously tracks new CVE disclosures so patches or upgrades can be applied promptly.

Avoiding the use of all open-source software is unrealistic; more than 95 percent of commercial codebases already contain open-source components, and these can be used safely with proper controls.

Using only extensively peer-reviewed libraries improves initial selection but does not address newly discovered flaws; continuous monitoring is still required.

Forking all open-source components and maintaining them internally imposes a significant maintenance burden-teams must back-port every security fix themselves-making it unsustainable for most organizations.

Utilizing encryption for data in transit is crucial because it protects the information from unauthorized access while it is being sent over networks. While access controls are important, they do not inherently secure the data itself during transmission. Data masking is a method used for protecting data, but it is generally applied when the data is at rest rather than while in transit. Therefore, encryption stands out as the best choice to ensure confidentiality and integrity.

The most serious flaw is hard-coded credentials in the application source code because credentials embedded in source code can be discovered through code repository access, decompilation, or if the code is leaked. This provides attackers with privileged access that is difficult to rotate or revoke, especially if the credentials are distributed with the application. Additionally, hard-coded credentials often represent a violation of the principle of least privilege and can persist across multiple environments.

Insufficient input validation is a serious issue that can lead to various attacks like SQL injection or XSS, but it typically requires an active exploitation attempt and can be mitigated through proper validation implementation. It's less severe than exposing credentials directly in the code.

**Lack of proper error handling **may leak sensitive information but typically doesn't directly grant access to the attacker. While important to fix, it generally presents less immediate risk than exposed credentials.

Using HTTP instead of HTTPS for an admin portal is a significant issue that could expose credentials during transmission, but it still requires an attacker to intercept the traffic in a man-in-the-middle scenario. Hard-coded credentials are more readily accessible to anyone who can view the source code.