Exam CISSP topic 1 question 88 discussion

Terrible question - my choice would be B and not really sure any of them are relevant.

Why not A? The question is asking which application THREAT is being mitigated.. Session hijacking is the only threat listed.. Security misconfiguration is a vulnerability Broken access control is a vulnerability Sensitive data exposure is a risk..

Answer B) Security Misconfigurations https://www.balbix.com/insights/security-misconfiguration-impact-examples-and-prevention/

C. Broken Access Controls is the correct answer. Broken access controls pertain to issues related to improper authorization and access permissions, which are often a key aspect of mitigating threats by disabling unnecessary services. However, B. Security misconfiguration in itself will not be an appropriate answer for the question. I see a lot of people selecting answer B. because they are looking at Chatgpt. Please don't blindly accept chatgpt answers, many of them are wrong and this is one of them.

The web application threat being mitigated by disabling unnecessary services is: B. Security misconfiguration. Disabling unnecessary services helps reduce the attack surface of a web application by eliminating potential entry points for attackers. It helps ensure that only essential services are running, reducing the chances of security vulnerabilities arising from misconfigured or unpatched services. By disabling unnecessary services, the web developer minimizes the risk of security misconfigurations that could be exploited by attackers.

B. 8 Examples of Security Misconfigurations 1- Sample Applications Vulnerability. ... 2- Directory Listing Vulnerability. ... 3- Error Message Vulnerability. ... 4- Default Privileges Vulnerability. ... 5- Unnecessary Features Vulnerability. ... 6- Improper Data Validation Vulnerability. ... 7- Unpublished URLs Vulnerability. ... 8- Out-of-date Software Vulnerability.

the purpose of "disabling unnecessary services" is to avoid vertical privilege escalation.

not completly clear for me but after googleing cissp security missconfiguration all the articles refere to functions that should be disabled if not needed (no default config on). so B

This is application hardening..... so check for that human error of misconfiguring stuff.

A & D can be eliminated as session hijacking and data breach still going to happen after hardening/ disabling unnecessary services I chose Broken Authentication, but it's not true. I read some articles. Example of broken authentication (https://avatao.com/blog-broken-access-control/) - it can still happen B seems right - if we don't disable configuration for directory listing, attacker can list the directory (https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration)

B is correct, key word is 'disabling'.