Exam CISSP topic 1 question 267 discussion

Think like a manager/consultant. Choose a process over technical implementation.

Going with D

D is a gimme. It's the only thing that's comprehensive. It's not about just picking one technical protection over another.

at first I thought the answer was C, but then there are a couple things to think about. The first is that it says only at the perimeter. Second is it only mentions preventive and detective controls. When properly implementing layered defense it should include a complete control (detective, preventive, and recovery)

multi-layered defense in depth is the best DESIGN

Answer D) Think like a manager. A, B, and C are all technical approaches and may not be the best solution for each network joined to the WAN. D is the only one that will look across all systems and create something that addresses them all.

Depending on the reading, you can fit all the answers. Security recommends a multi-layered defense, so I choose C. By the way, those in the C camp, switch to the voting comments after selecting your answer and then leave a comment. The D camp is doing a solid job of voting, aren't they?

The answer is D Explain: Since high interconnectedness is required, attempting to isolate systems or create separate environments is not feasible. Instead, a unified risk-based approach should be taken to implement layered controls prioritized based on criticality across all systems and tiers. This allows tailoring security to system criticality while still enabling connectivity through integrating compensating controls. Options A and B take an isolation approach that hinders integration. Option C proposes just hardened perimeters rather than alignment across assets.

"Layered" = Defense in Depth. I think that is the point of the question.

This is CISSP, not some technical exams, the answer is D for sure.

C is the best answer - If the organization requires a high degree of interconnectedness, definitely defence in is required for seamless connectivity of all sites.

C. Perimeter FW or Router that can simple ACL will be able to accomplish this very easily. ACL will permit only what is allowed in and prevent what is not. if it is FW, even better. Defense in Depth - will add all the above Router, FW, IDS, Group Policy if part AD.

B is correct

C includes A,B,D

I vote for C. Use layered security such as, IPS, IDS, WAF, FW, AI/MC, etc, at the perimeter level. So this will make sure traffic destined to critical assets will be properly inspected. Firewall at the end is not advanced security solutions.

B should be the correct answer - Place firewalls around critical devices, isolating them from the rest of the environment. Key words is firewall around critical devices and isolation meaning physical/virtual segmentation. Not neccesary just DMZ, it can be multi-layer segment, i.e level 0 that has access to the WAN. From level 0 to level 1 need to pass through an firewall etc. This is typical design for some secure site.

B. Perimeter doesn’t factor need for internal protection