A breach investigation found a website was exploited through an open source component. What is the FIRST step in the process that could have prevented this breach?
Confusing.
B, C, and D all seem like right answers.
The question focuses on the "first in the process", and seeks "prevention".
The issue is "vulnerability exploit".
Option B will definitely prevent this if the vulnerability was patched.
Option C is also a specialized solution to protect the web servers.
Option D will help to discover the attack surfaces for this web server. I think this is the first in the process, but it is not a preventive solution.
ChatGPT says:
The FIRST step in the process that could have prevented the breach through an open source component is:
D. Software inventory
Maintaining an up-to-date software inventory is crucial for identifying all components and libraries used within applications, including open source components. This inventory allows organizations to track which components are in use, their versions, and their associated vulnerabilities. With a comprehensive software inventory, you can then apply appropriate measures to manage and secure these components effectively.
Answer C) Web application firewall
One of the most effective ways to prevent zero-day attacks is deploying a web application firewall (WAF) on the network edge. A WAF reviews all incoming traffic and filters out malicious inputs that might target security vulnerabilities.
B. Vulnerability remediation. This step involves identifying and addressing known vulnerabilities in open source components, making it a more direct and proactive measure to prevent such breaches. It encompasses all the other answer choices.
B. Vulnerability remediation: While crucial for fixing known vulnerabilities, it comes after identifying which components are in use and which have vulnerabilities. Without a software inventory, you might not know which components need remediation.
D. The first step in the process of preventing exploitation of the vuln. The logic: you need to know (identify) the vuln first before you remediate or put a rule in the WAF; in order to identify the vuln you need to security test, generally by vuln scanning the assets; to do meaningful scanning you need to know what to scan, a.k.a. the software assets. Even if you don't scan the assets, or in a 0-day event, you need to know your assets before you can make a judgement on whether your (software) asset is vulnerable (which requires remediation or a new WAF rule).
The first step in preventing a breach involving an open source component is to ensure that the component is up-to-date with the latest security patches. Therefore, the FIRST step in the process that could have prevented this breach is to regularly update and patch all software components, including open source components, used in the website to ensure that they are free of known vulnerabilities. This requires ongoing monitoring of security advisories and patches released by the developers of the open source component, as well as regular testing and verification to ensure that the updates do not introduce new vulnerabilities or break existing functionality. Additionally, it's essential to maintain an inventory of all software components and their dependencies, so any vulnerabilities are identified and addressed promptly.
D. Software inventory is the first step that could have prevented this breach as it involves identifying and tracking all the software components and versions that are used in an organization, including those that are open-source. By keeping an inventory of all the software components, it becomes easier to identify when a vulnerability is present and take the necessary steps to patch or remove the vulnerable component before it can be exploited.
C
Vulnerability scanning and remediation of the OSS component should be the FIRST step that could have identified this at an early stage.
A WAF will protect against certain attacks like DDoS etc., but will not offer a foolproof solution to open-source vulnerabilities.
Answer C. I thought of D (software inventory, which is also a good option: when we have a zero-day, if there is a proper inventory then we will know which servers have the software installed). But to prevent a zero-day, a WAF is the best option: https://resources.infosecinstitute.com/topic/zero-day-attacks-protections-best-practices-and-how-to-implement-them/
"Vulnerability management is an essential part of an organization's IT security strategy. Effective vulnerability management helps IT security teams ensure that critical issues are discovered, analysed, and remediated as fast and efficiently as possible."
It's more generic and includes technical answers like WAF.
If the software inventory was adequately detailed, it should have referenced the open source components/dependencies used within the application... Both C and D are applicable, however I'm slightly leaning towards D, purely from a management perspective