
Exam CISSP topic 1 question 442 discussion

Actual exam question from ISC's CISSP
Question #: 442
Topic #: 1

A senior security engineer has been tasked with ensuring the confidentiality and integrity of the organization’s most valuable personally identifiable information (PII). This data is stored on local file and database servers within the organization’s data center. The following security measures have been implemented to ensure that unauthorized access is detected and logged.

• Network segmentation and enhanced access logging of the database and file servers
• Implemented encryption of data at rest
• Implemented full packet capture of the network traffic in and out of the sensitive network segment
• Ensured all transaction log data and packet captures are backed up to corporate backup appliance within the corporate backup network segment

Which of the following is the MOST likely way to exfiltrate PII while avoiding detection?

  • A. Unauthorized access to the file server via Secure Shell (SSH)
  • B. Unauthorized access to the database server via a compromised web application
  • C. Unauthorized access to the database server via a compromised user account
  • D. Unauthorized access to the backup server via a compromised service account
Suggested Answer: D

Comments

l00t
Highly Voted 1 year, 9 months ago
Selected Answer: B
According to web results, the most likely way to exfiltrate PII while avoiding detection is to use techniques that anonymize connections to servers, tunnel data over DNS, HTTP, or HTTPS, or use fileless attacks and remote code execution. These methods can help bypass network segmentation, encryption, packet capture, and logging measures. Therefore, the best answer among the given options is B. Unauthorized access to the database server via a compromised web application. This could allow the attacker to execute malicious code on the server and send the data over an encrypted or obfuscated channel to a remote server.
upvoted 7 times
jackdryan
1 year, 6 months ago
B is correct
upvoted 1 times
ch0udhary
Most Recent 3 days, 15 hours ago
Tricky question, but I also think it's D.
- Only data at rest is encrypted (the file and the database), not data in motion.
- The engineer has implemented full packet capture.
- The packet capture and logs are not encrypted and are located on the backup server, where they don't mention any access controls like they have on the file and DB servers. And because the packet capture is a FULL capture, it's also capturing the contents of the file being accessed within the capture, so if I can get hold of that I can reassemble the file from that capture.
upvoted 1 times
GuardianAngel
9 months, 2 weeks ago
Answer C. Unauthorized access to the database server via a compromised user account. Both A and B get you access to encrypted data, so the data is useless. A, B & C would most likely be detected by the current protections. Unauthorized access to the database using a compromised account won't be detected by any of the security measures listed, AND because the user account is logging in, the data will be decrypted when accessed.
upvoted 1 times
gjimenezf
9 months, 3 weeks ago
Selected Answer: B
Users with direct access to a database server are very limited, and passwords are strong and not shared. A web app vulnerability is more likely; it is not protected by a WAF.
upvoted 1 times
[Removed]
10 months ago
Selected Answer: D
Judging from the question text, it seems that no countermeasures have been taken for the backup server.
upvoted 3 times
629f731
10 months, 1 week ago
Selected Answer: C
Unauthorized access to the database server through a compromised user account could provide a less detectable method, since the compromised account may have valid credentials. This could facilitate the exfiltration of information without raising immediate suspicion, as the compromised account may appear legitimate.
upvoted 1 times
YesPlease
11 months ago
Selected Answer: D
Answer D) Unauthorized access to the backup server via a compromised service account.
1) This is the only option that addresses the PII files on both the DB and file servers.
2) Service accounts usually have more rights than end users, and the backup is on a different network segment that isn't as protected as where the file and database servers are.
3) Backups usually contain an unencrypted backup of the files that can be easily exported.
upvoted 2 times
Soleandheel
11 months, 1 week ago
B. Unauthorized access to the database server via a compromised web application
upvoted 1 times
InclusiveSTEAM
1 year, 1 month ago
D) Unauthorized access to the backup server via a compromised service account is the most likely way to exfiltrate the PII data while avoiding detection. The key is that the backup server resides on a separate network segment from the servers holding the sensitive PII data. This segment likely has less stringent monitoring and controls. Gaining access via the backup server avoids tripping the enhanced logging and packet capture on the PII storage network. And compromising a service account allows access without setting off unauthorized user alarms. The other methods would be detected: A) SSH unauthorized access would be logged by network monitoring. B) Web app compromise would appear in network logs and captures. C) Unauthorized user activity would also be logged.
upvoted 3 times
HughJassole
1 year, 5 months ago
The question asks what is the best way to get PII while avoiding detection. Avoiding detection is key. A is out since you can't just SSH to a server; you need valid credentials. B is out since the scenario doesn't mention web servers, and it sounds like the DB and file servers are on a secure segment. D is out because the backup servers only contain logs. Hence the weakest part of any security program: people. C. Unauthorized access to the database server via a compromised user account. The user account won't be detected because it's a valid login.
upvoted 4 times
Tygrond87
1 year, 6 months ago
Selected Answer: C
C. All the controls are detective except the encryption. The backup server only has logs, no data. A compromised user will just appear as a user getting data from the system.
upvoted 2 times
aleXplicitly
1 year, 7 months ago
Selected Answer: B
Chose D at first because there isn't any protection on the backup server other than monitoring. However, only transaction data and logs are stored on the backup server, so compromising that server is useless… But option B seems to be the best because you are accessing the PII data through a web server which means this is data-in-transit and the mechanism for protection isn’t present. So, B seems to be the best answer.
upvoted 2 times
[Removed]
1 year, 7 months ago
Selected Answer: D
Enhanced access logging is only applied to the database and file server, not the backup server. This is directly and I think the most relevant for the question.
upvoted 2 times
sausageman
1 year, 8 months ago
Only A makes sense, since the backup and database servers are extra protected: "enhanced access logging of the database and file servers".
upvoted 1 times
sausageman
1 year, 8 months ago
Actually, I think B would make more sense. It doesn't mention any web app protection, and SQL injection would exfiltrate data from the databases.
upvoted 2 times
realmjmj
1 year, 9 months ago
Only doing encryption of data at rest implies that the data in transit being captured and logged is not encrypted, and it is sent to the backup server.
upvoted 1 times
JohnyDal
1 year, 9 months ago
Selected Answer: A
I think it's A, as SSH is encrypted and DLP systems can only see compressed, encapsulated, or unencrypted traffic.
upvoted 1 times
yottabyte
1 year, 9 months ago
Selected Answer: D
As capturing of logs for the backup appliance is not mentioned.
upvoted 4 times
bherto39
1 year, 2 months ago
No to D. Even though you can access the backup, it's encrypted: "implemented encryption of data at rest".
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other