ISC 2 Credentials CISSP Release Date

 Building in appropriate levels of fault tolerance is a secure design principle for a new product. Fault tolerance is the ability of a system or a component to continue functioning correctly and reliably in the event of a failure, error, or disruption, such as a hardware malfunction, a power outage, or a network attack. Building in appropriate levels of fault tolerance can enhance the security, availability, and resilience of a system or a product, by providing mechanisms such as redundancy, backup, recovery, failover, or self-healing. Building in appropriate levels of fault tolerance can also prevent or mitigate the impact of potential threats or vulnerabilities, and ensure the continuity of the business operations and services. The other options are not secure design principles for a new product, as they either do not enhance the security, availability, or resilience of the system or the product, or do not follow the best practices or standards for software development. References: CISSP - Certified Information Systems Security Professional, Domain 3. Security Architecture and Engineering, 3.5 Implement and manage engineering processes using secure design principles, 3.5.1 Understand the fundamental concepts of security models, 3.5.1.1 Fault tolerance; CISSP Exam Outline, Domain 3. Security Architecture and Engineering, 3.5 Implement and manage engineering processes using secure design principles, 3.5.1 Understand the fundamental concepts of security models, 3.5.1.1 Fault tolerance

The main difference between a network-based firewall and a host-based firewall is that a network-based firewall controls traffic passing through the device, while a host-based firewall controls traffic destined for the device. A firewall is a device or a software that filters and regulates the network traffic based on a set of rules or policies, and that blocks or allows the traffic based on the source, destination, protocol, port, or content of the traffic. A network-based firewall is a type of firewall that is deployed at the network perimeter or the network segment, and that controls the traffic that passes through the device, such as the traffic that enters or exits the network, or the traffic that moves between different network zones or subnets. A host-based firewall is a type of firewall that is installed on a specific host or system, such as a server, a workstation, or a mobile device, and that controls the traffic that is destined for the device, such as the traffic that originates from or terminates at the device, or the traffic that is related to the applications or processes running on the device. The other options are not the main difference between a network-based firewall and a host-based firewall, as they either do not describe the characteristics or functions of the firewalls, or do not apply to both types of firewalls. References: CISSP - Certified Information Systems Security Professional, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.2 Implement secure communication channels, 4.2.2.1 Network and host-based firewalls; CISSP Exam Outline, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.2 Implement secure communication channels, 4.2.2.1 Network and host-based firewalls

The best control to be implemented at a login page in a web application to mitigate the ability to enumerate users is to implement a generic response for a failed login attempt. User enumeration is a technique that allows an attacker to discover the valid usernames or email addresses of the users of a web application, by exploiting the differences in the responses or messages from the login page. For example, if the login page displays a specific message such as "Invalid username" or "Invalid password" when a user enters an incorrect username or password, the attacker can use this information to guess or brute-force the valid usernames or passwords. To prevent user enumeration, the login page should implement a generic response for a failed login attempt, such as "Invalid username or password", regardless of whether the username or password is incorrect. This way, the attacker cannot distinguish between the valid and invalid usernames or passwords, and cannot enumerate the users of the web application. References: CISSP All-in-One Exam Guide, Chapter 8: Software Development Security, Section: Web Application Security, pp. 1066-1067.

 Supplies kept off-site at a remote facility are physical assets that could be defined in an organization’s Business Impact Analysis (BIA). A BIA is a process that involves identifying and evaluating the potential impacts of various disruptions or disasters on the organization’s critical business functions and processes, and determining the recovery priorities and objectives for the organization. A BIA can help the organization plan and prepare for the continuity and the resilience of its business operations in the event of a crisis. A physical asset is a tangible and valuable resource that is owned or controlled by the organization, and that supports its business activities and objectives. A physical asset could be a hardware, a software, a network, a data, a facility, a equipment, a material, or a personnel. Supplies kept off-site at a remote facility are physical assets that could be defined in a BIA, as they are resources that are essential for the organization’s business operations, and that could be affected by a disruption or a disaster. For example, the organization may need to access or use the supplies to resume or restore its business functions and processes, or to mitigate or recover from the impacts of the crisis. Therefore, the organization should include the supplies kept off-site at a remote facility in its BIA, and assess the potential impacts, risks, and dependencies of these assets on its business continuity and recovery. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, page 387. CISSP Practice Exam – FREE 20 Questions and Answers, Question 16.