Conventional network segmentation through switch hubs, VLANs, or firewalls improves network performance and administration. However, it cannot provide granular and dynamic security enforcement to meet diversified and dynamic business environments. As a security professional, you are concerned with advanced persistent threats (APTs). Which of the following is least likely to mitigate the threat?
A. Employ Zero Trust infrastructure
B. Micro-segment networks to support lateral movement
C. Enforce and demonstrate compliance, e.g., HIPAA, PCI-DSS, or SOX
D. Use separate software environments, e.g., dev, testing, and staging
Lateral movement refers to the attacker’s untargeted, stealthy exploration of and navigation around networks in search of high-value assets after gaining initial access. Lateral Movement is an attack tactic defined in the MITRE ATT&CK knowledge base.
Lateral movement refers to the techniques that a cyberattacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. After entering the network, the attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.
Lateral movement is a key tactic that distinguishes today’s advanced persistent threats (APTs) from simplistic cyberattacks of the past.
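The two ideas in the passage above, lateral movement as an attacker's movement between hosts after initial access and micro-segmentation as the control that denies it, can be made concrete with a small detection-and-policy script. The following is an added example, not code from the original page or from the author; the logon events, host-to-segment mapping and allow-list are constructed sample data, and the "distinct targets per account within a time window" heuristic is one common, simplified lateral-movement indicator rather than any particular product's rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logon events: (timestamp, account, source host, target host).
# These records are made up for illustration; they are not data from the original page.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "WS-01", "FS-01"),
    ("2024-01-10T09:01:00", "alice", "WS-01", "FS-01"),
    ("2024-01-10T09:05:00", "svc-backup", "WS-07", "FS-01"),
    ("2024-01-10T09:06:00", "svc-backup", "WS-07", "FS-02"),
    ("2024-01-10T09:07:00", "svc-backup", "WS-07", "DB-01"),
    ("2024-01-10T09:08:00", "svc-backup", "WS-07", "DC-01"),
    ("2024-01-10T09:09:00", "svc-backup", "WS-07", "WS-12"),
    ("2024-01-10T11:00:00", "bob", "WS-02", "FS-02"),
]

# Constructed micro-segmentation model: each host belongs to one segment, and only
# listed (source segment, destination segment) pairs are permitted to talk.
SEGMENT_OF = {
    "WS-01": "workstations", "WS-02": "workstations",
    "WS-07": "workstations", "WS-12": "workstations",
    "FS-01": "fileservers", "FS-02": "fileservers",
    "DB-01": "databases", "DC-01": "identity",
}
ALLOWED_FLOWS = {
    ("workstations", "fileservers"),   # users reach file shares
    ("workstations", "identity"),      # users authenticate to the domain controller
}


def parse_events(rows):
    """Turn the raw tuples into (datetime, account, src, dst) records."""
    return [(datetime.fromisoformat(ts), acct, src, dst) for ts, acct, src, dst in rows]


def find_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Flag accounts that authenticate to at least `threshold` distinct hosts
    inside any sliding `window`. Returns {account: sorted list of targets}.
    A sudden fan-out from one account is a classic lateral-movement signal."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst in events:
        by_account[acct].append((ts, dst))

    findings = {}
    for acct, items in by_account.items():
        items.sort()  # chronological order makes the sliding window simple
        for i, (start, _) in enumerate(items):
            targets = {dst for ts, dst in items[i:] if ts - start <= window}
            if len(targets) >= threshold:
                findings[acct] = sorted(targets)
                break
    return findings


def policy_violations(events, segment_of=SEGMENT_OF, allowed=ALLOWED_FLOWS):
    """Return the (account, src, dst) flows a micro-segmentation policy would deny.
    With segmentation enforced, these hops never complete; without it, they are
    the lateral moves the detection above is trying to catch after the fact."""
    return [
        (acct, src, dst)
        for _ts, acct, src, dst in events
        if (segment_of[src], segment_of[dst]) not in allowed
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("fan-out accounts:", find_fan_out(evts))
    print("flows denied by segmentation policy:", policy_violations(evts))
```

On the sample data the service account fans out to five hosts in four minutes and is flagged, while the two hops into the database and workstation segments are exactly the ones the allow-list would block. The heuristic is deliberately simple; in practice the window and threshold are tuned per account type, and service accounts that legitimately touch many hosts get their own baseline.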
Your company is planning to migrate its on-premises e-commerce system to a PaaS. As a security professional, which of the following is the least concern when selecting a cloud service provider?
A. The location of data persistence.
B. The elasticity of backend services.
C. The report on security controls at the user entity.
D. Rules of engagement when conducting pentesting.
1. The Effective CISSP: Security and Risk Management
Security and Risk Management (SRM) is the first book in my “The Effective CISSP (TEC)” series. I wrote this book as a supplement or complement but not a replacement to the well-known study guides, e.g., the Sybex Official Study Guide (OSG) or McGraw-Hill All-In-One (AIO).
This book helps in preparing for the CISSP, CISM, and other security certification exams. Moreover, it is an excellent reference in practice. It introduces the following core security concepts, which span several (but not all eight) of the CISSP domains, with a holistic and integrated approach:
To improve operational transparency and achieve legal and regulatory compliance, your company is implementing the information governance (IG) program. After taking the inventory of assets, you are considering asset classification and protection. As a member of the steering committee, which of the following is not an appropriate treatment?
A. Recipes, as trade secrets, should be classified by the management.
B. Patents, as confidential contents, should be classified by the data owner.
C. Personal data, as private information, can be anonymized by the data processor.
D. Forensic evidence and e-discovery shall be handled by qualified staff.
A life cycle is a collection of predefined stages/phases and processes. The conventional term, SDLC, may refer to the development life cycle of a system or software. Which of the following is not true?
A. An SDLC can be repeated as many times as a project requires.
B. The NIST SDLC is more prescriptive than software-based SDLC.
C. A short iteration as a sprint entails delivering values when an SDLC ends.
D. The acquisition is not a concern of SDLC because development is not procurement.