🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 17.2 - Implementing Detection & Preventive Measures (Part 5 of 5)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series closes Domain 7, Security Operations, by rounding out the preventive toolkit. It moves from decoys and warning banners to anti-malware, application lists, firewalls, sandboxing, and outside help, showing how these controls weave into one layered defense where an attacker who slips one net lands in another.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

A honeypot is a decoy computer built to lure intruders, and a honeynet is two or more honeypots wired together to fake a whole network; they look real but hold nothing of value, so any access is almost certainly an intruder. The legal line sits between enticement and entrapment. Enticement is legal, leaving a tempting but open system that an attacker chooses to break into, while entrapment is illegal, actively luring someone into an attack they would not otherwise attempt.

Why do warning banners matter?

A warning banner tells users and intruders the ground rules, usually noting that activity is monitored and recorded and reminding people what is off-limits. Its wording carries real legal weight, because it can bind users to acceptable behavior and support prosecution later, and even an unauthorized person who logs in sees it. Think of it as the electronic version of a no-trespassing sign that also reminds legitimate users of the acceptable use policy they already agreed to.

How does anti-malware defend a whole organization?

The core defense against malicious code is up-to-date anti-malware, since attackers constantly tweak malware to dodge detection and modern tools check for new signatures many times a day. Smart organizations layer it, filtering content at the network boundary, scanning on email servers, and running anti-malware on every endpoint. Install just one product per system, because two will fight each other, and pair it with least privilege and user education so a limited user cannot install malicious software.

What are allow lists and deny lists?

These control which applications may run, and were once called whitelists and blacklists. An allow list names the approved applications and blocks everything else, while a deny list names the forbidden applications and blocks only those, and a system uses one approach or the other, never both. Allow lists are stricter and can use file hashes, which conveniently blocks an infected version too, since infection changes the hash.

What do firewalls and sandboxing do?

Firewalls are preventive, technical controls that filter traffic by rules, commonly placed at the network edge, with a rule list that ends in an implicit deny so anything not explicitly allowed is blocked. Sandboxing is a virtualization technique that fences an application inside a security boundary, keeping it from touching other applications or the operating system, which anti-malware uses to test suspicious programs safely and developers use to isolate code from the host and network.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 17.2 - Implementing Detection & Preventive Measures (Part 5 of 5).