Exam CISSP topic 1 question 59 discussion

The risk of what? The application being dangerous to the corporate network or the application being vulnerable to external exploits? Either way segmentation makes more sense imo.

This is easy to me and the answer is D. Anyone who has configured MS O365 or Entra, etc., knows how unsecure by default these can be. Review best practices and recommendations to harden the COTS products. A.I. - Hardening a COTS application involves configuring it to minimize its attack surface by disabling unnecessary features, removing default accounts, and applying security patches. This approach ensures that the application is set up to operate securely, reducing the likelihood of exploitation by attackers.

A vs D A - it prevent attacker to lateral move to the internal network if the application is compromised D - It reduce the chance for the application to be compromised I think it is better to enhance the first line of defense, so D.

The key is what controls you use when you deploy the application.

I think most confusion comes from the perception of what COTS can be. COTS products can include: motherboards, Windows OS, Microsoft 365, Office, Pfsense, VMware, routers, switches, IoT, etc. So network and endpoint devices, you can segment, but how about productivity suites and application platforms? network segmentation is a common security practice anyway, regardless of COTS. I think the best thing is to research CVE and vendor reputation, and then make sure all DEFAULT configuration, credentials, features, etc. are hardened during implementation.

Even if you put this in a separate network segment it needs to be hardened because it is off the shelf.

I remembered OSG recommended D, harderning config. for COTS. Again, very important, please confine my solution within the context here. A? network segmentation could be an option, but is not the first step I shall do and is out of question context. I choose D.

The question says control . Hardened configuration will mitigate if there is possibility of an attack. I will go with Network segmentation

Answer is D. A COTS application is not necessarily hardened by default. For example, the government uses STIGs to tell admins how to harden some applications.

Refer to CISSP official study guide 9th chapter 20- 20.1.11

I'm saying D. As far as risk from attackers goes, I would lean towards network segmentation, however, general risk includes a lot of other factors like user accessibility, interoperability issues, etc. Segmenting it could introduce a much larger and complex workload and ultimately make it risky in that sense.

Answer D) Hardened configuration This means you remove/change configurations you don't need/want as well as change default usernames/passwords/ports/etc... Segmenting a network won't help as it would still leave the COTS exposed with defaults readily available to be exploited.

A. Network Segmentation - when introducing a new pet into your house, you have to learn the behavior and interaction with other pets before you let him loose. same here, as a security personnel you must know exactly what you introducing before hand and must be on segmented part of the network that shutting an interface can terminate all possible risks on the rest of the network. trust but verify

D. Hardened the system that will host the COTS. Segmenting it will kill the functionality of the solution.

D. Hardening I am hardening security by segmenting and limit access as needed. Segmentation is a part of Hardening.

think like a manager with technical experience and common sense :)

No one knows the configuration of COTS, and it didn't mention, then the best way is the segmentation to lower the exposure.