ExamTopics Logo
Mail Us[email protected]
Menu
Isc Discussions
exam questions

Exam CISSP All Questions

View all questions & answers for the CISSP exam
Go to Exam

Exam CISSP topic 1 question 442 discussion

Actual exam question from ISC's CISSP
Question #: 442
Topic #: 1
[All CISSP Questions]

A senior security engineer has been tasked with ensuring the confidentiality and integrity of the organization’s most valuable personally identifiable information (PII). This data is stored on local file and database servers within the organization’s data center. The following security measures have been implemented to ensure that unauthorized access is detected and logged.

• Network segmentation and enhanced access logging of the database and file servers
• Implemented encryption of data at rest
• Implemented full packet capture of the network traffic in and out of the sensitive network segment
• Ensured all transaction log data and packet captures are backed up to corporate backup appliance within the corporate backup network segment

Which of the following is the MOST likely way to exfiltrate PII while avoiding detection?

  • A. Unauthorized access to the file server via Secure Shell (SSH)
  • B. Unauthorized access to the database server via a compromised web application
  • C. Unauthorized access to the database server via a compromised user account
  • D. Unauthorized access to the backup server via a compromised service account
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by yottabyte at Feb. 3, 2023, 8:38 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
l00t
Highly Voted 2 years ago
Selected Answer: B
According to web results, the most likely way to exfiltrate PII while avoiding detection is to use techniques that anonymize connections to servers, tunnel data over DNS, HTTP, or HTTPS, or use fileless attacks and remote code execution. These methods can help bypass network segmentation, encryption, packet capture, and logging measures. Therefore, the best answer among the given options is B. Unauthorized access to the database server via a compromised web application. This could allow the attacker to execute malicious code on the server and send the data over an encrypted or obfuscated channel to a remote server.
upvoted 8 times
jackdryan
1 year, 9 months ago
B is correct
upvoted 1 times
...
...
ayadmawla
Most Recent 3 weeks, 5 days ago
Selected Answer: B
I understand why people are choosing D as it is more of a real life scenario except there are no information in the question body that make any reference to the backup method or a service account. That leaves B as a compromised web account will escape the logging activity which will be picked up on the other remaining two options. So B
upvoted 1 times
...
ch0udhary
3 months ago
Tricky question but I also think it's D. - Only Data at rest is encrypted (The File and the Database) not Data in motion - The engineer has implemented full packet capture - The packet capture and logs are not encrypted and are located on the backup server where they don't mention any access controls like they have on the File and DB server. and because the packet capture is a FULL capture, it's also capturing the contents of the file being accessed within the capture, so If I can get a hold of that I can reassemble the file from that capture.
upvoted 1 times
...
GuardianAngel
1 year ago
Answer C. Unauthorized access to the database server via a compromised user account both A. and B. get you access to encrypted data so the data is useless. A, B & C would most likely be detected by the current protections. Unauthorized access to the database using a compromised account won't be detected by any of the security measures listed AND because the user account is logging in, the data will be decrypted when accessed.
upvoted 1 times
...
gjimenezf
1 year ago
Selected Answer: B
Users to direct access to a database server are very limited are password are strong and not shared. Web app vulnerability is more likely, it is not protected by a WAF
upvoted 1 times
...
[Removed]
1 year, 1 month ago
Selected Answer: D
Judging from the question text, it seems that no countermeasures have been taken for the backup server.
upvoted 3 times
...
629f731
1 year, 1 month ago
Selected Answer: C
Unauthorized access to the database server through a compromised user account could provide a less detectable method, since the compromised account may have valid credentials. This could facilitate the exfiltration of information without raising immediate suspicion, as the compromised account may appear legitimate.
upvoted 1 times
...
YesPlease
1 year, 2 months ago
Selected Answer: D
Answer D) Unauthorized access to the backup server via a compromised service account 1) This is the only option that addresses the Pii files on both the DB and File servers. 2) Service accounts usually have more rights than end users and the backup is on a different network segment that isn't as protected as where the file and database servers are. 3) Backups usually contain an unencrypted backup of the files that can be easily exported
upvoted 2 times
...
Soleandheel
1 year, 2 months ago
B. Unauthorized access to the database server via a compromised web application
upvoted 1 times
...
InclusiveSTEAM
1 year, 4 months ago
D) Unauthorized access to the backup server via a compromised service account is the most likely way to exfiltrate the PII data while avoiding detection. The key is that the backup server resides on a separate network segment from the servers holding the sensitive PII data. This segment likely has less stringent monitoring and controls. Gaining access via the backup server avoids tripping the enhanced logging and packet capture on the PII storage network. And compromising a service account allows access without setting off unauthorized user alarms. The other methods would be detected: A) SSH unauthorized access would be logged by network monitoring. B) Web app compromise would appear in network logs and captures. C) Unauthorized user activity would also be logged.
upvoted 3 times
...
HughJassole
1 year, 8 months ago
The question asks what is the best way to get PII while avoiding detection. Avoiding detection is key. A is out since you can't just ssh to a server, you need valid credentials. B is out since the scenario doesn't mention web servers, and it sounds like the DB and file servers are on a secure segment. D is out because the backup servers only contain logs, hence the weakest part of any security program: people C. Unauthorized access to the database server via a compromised user account The user account won't be detected because it's a valid login.
upvoted 4 times
...
Tygrond87
1 year, 9 months ago
Selected Answer: C
C All the controls are detective expect the encryption. The back up server only has logs no data, A compremised user will just appear as a user getting data from the system
upvoted 2 times
...
aleXplicitly
1 year, 10 months ago
Selected Answer: B
Chose D at first because there isn't any protection on the backup server other than monitoring. However, only transaction data and logs are stored on the backup server, so compromising that server is useless… But option B seems to be the best because you are accessing the PII data through a web server which means this is data-in-transit and the mechanism for protection isn’t present. So, B seems to be the best answer.
upvoted 2 times
...
[Removed]
1 year, 10 months ago
Selected Answer: D
Enhanced access logging is only applied to the database and file server, not the backup server. This is directly and I think the most relevant for the question.
upvoted 2 times
...
sausageman
1 year, 11 months ago
Only A makes sense since the Backup and database servers are extra protected: "enhanced access logging of the database and file servers"
upvoted 1 times
sausageman
1 year, 11 months ago
Actually I think B would make more sense. Doesn't mention any web app protection and SQL Injection would exfiltrate data from the databases.
upvoted 2 times
...
...
realmjmj
1 year, 12 months ago
while only do encryption of data at rest implies data in transit being captured and logged are not encrypted and sent to the backup server
upvoted 1 times
...
JohnyDal
2 years ago
Selected Answer: A
I think its A as SSH is encrypted and DLP systems can only see compressed, encapsulated, or unencryted traffic.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago