CISSP Reviews Questions

A company-wide penetration test result shows customers could access and read files through a web browser. This indicates that the web server is not configured properly to prevent unauthorized access to the file system. One of the ways to mitigate this vulnerability is to enforce the control of file directory listings, which means disabling the option that allows the web server to display the contents of a directory when there is no index file (such as index.html or index.php) present. This way, customers cannot browse or download the files that are not intended to be served by the web server. Enforcing the chmod of files to 755 is not a sufficient solution, as it only changes the permissions of the files to allow the owner to read, write, and execute, the group to read and execute, and others to read and execute. This does not prevent the web server from listing the files or serving them to the customers. Implementing access control on the web server is a good practice, but it may not be enough to prevent customers from accessing and reading files through a web browser, as some files may be accessible to anyone by default. Implementing Secure Sockets Layer (SSL) certificates throughout the web server is also a good practice, but it does not address the issue of unauthorized access to the file system, as it only encrypts the communication between the web server and the web browser. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 163. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Network and Internet Security, page 287.

The concept that software developers should consider when using open-source software libraries is that open source libraries contain known vulnerabilities, and adversaries regularly exploit those vulnerabilities in the wild. Open source software libraries are collections of reusable code or functions that are publicly available and free to use or modify by anyone. Open source software libraries can reduce the development time of a software product, as they provide ready-made solutions or features that the software developers can integrate into their own code. However, open source software libraries also pose security risks, as they may contain known vulnerabilities that are publicly disclosed and documented, and that adversaries can easily exploit to compromise the software product or the system. Software developers should consider this concept when using open source software libraries, and they should perform due diligence, such as checking the reputation, quality, and security of the open source software libraries, updating them regularly, and testing them for vulnerabilities or compatibility issues. Open source software libraries cannot be used by everyone, and there is no common understanding that the vulnerabilities in these libraries will not be exploited, as this is a false and naive assumption that ignores the reality and the nature of the cyberthreat landscape. Open source software libraries are not constantly updated, making it unlikely that a vulnerability exists for an adversary to exploit, as this is also a false and optimistic assumption that overlooks the fact that some open source software libraries may be outdated, abandoned, or poorly maintained by their developers or communities. Open source software libraries do not contain unknown vulnerabilities, so they should not be used, as this is a false and pessimistic assumption that disregards the benefits and the potential of the open source software libraries, and that implies that proprietary or closed source software libraries are free of vulnerabilities, which is not true. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 21: Software Development Security, page 2016.

The most comprehensive Business Continuity (BC) test is the full interruption test. A full interruption test is a type of BC test that involves shutting down the primary site or system and activating the alternate site or system, as if a real disaster has occurred. A full interruption test is the most realistic and effective way to evaluate the BC plan, as it tests the actual recovery capabilities and performance of the organization under a simulated disaster scenario. A full interruption test can measure the recovery time objective (RTO), recovery point objective (RPO), and other metrics of the BC plan, as well as identify any gaps, issues, or weaknesses in the plan. A full interruption test can also test the communication, coordination, and documentation of the BC team, as well as the awareness, readiness, and resilience of the organization. However, a full interruption test is also the most risky and costly type of BC test, as it can disrupt the normal operations and services of the organization, cause potential loss of revenue or reputation, and expose the organization to legal or regulatory liabilities. Therefore, a full interruption test should be carefully planned, approved, and executed, with proper backup, contingency, and rollback measures in place. A full functional drill, a full table top, and a full simulation are not the most comprehensive BC tests. A full functional drill is a type of BC test that involves performing the actual recovery procedures and tasks at the alternate site or system, without shutting down the primary site or system. A full functional drill is less realistic and effective than a full interruption test, as it does not test the actual switch-over and switch-back processes of the BC plan. A full table top is a type of BC test that involves discussing and reviewing the BC plan and procedures with the BC team and stakeholders, using a simulated disaster scenario. A full table top is less realistic and effective than a full interruption test, as it does not test the actual execution and performance of the BC plan. A full simulation is a type of BC test that involves simulating the recovery environment and activities at the alternate site or system, using a computer model or a virtual machine, without shutting down the primary site or system. A full simulation is less realistic and effective than a full interruption test, as it does not test the actual recovery capabilities and performance of the organization under a simulated disaster scenario. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7, Security Operations, page 736. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 697.

Configuration is the process of setting up and maintaining the parameters, settings, and options of a system or network to ensure its optimal performance and security. Configuration management is the process of controlling and documenting the changes made to the configuration of a system or network. Configuration management can help to allot only those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates. These actions can help to enhance the security, functionality, and efficiency of the system or network, as well as to prevent unauthorized or unnecessary access or use of the system or network resources. Compliance, identity, or patch are not the best management processes to allot only those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates, as they are more related to the audit, access control, or vulnerability management aspects of security. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 11: Security Operations, page 665; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 7: Security Operations, Question 7.9, page 273.