Question 19 of 529
Security Operations · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is implementing a web application firewall (WAF) as the best compensating control for an unpatched vulnerable web server. A WAF operates at Layer 7 to inspect HTTP/HTTPS traffic and can block known attack patterns, such as remote code execution payloads targeting specific CVEs like CVE-2021-41773, effectively providing virtual patching without altering the server itself. On the CISSP exam, this scenario tests your understanding of compensating controls within the risk management framework—specifically how to reduce risk when a primary control (patching) is temporarily infeasible. A common trap is choosing network segmentation or host-based intrusion prevention, but those lack the application-layer granularity needed to block web-specific exploits. Remember the mnemonic “WAF for Web” to recall that application-layer threats require application-layer defenses.

CISSP Security Operations Practice Question

This CISSP practice question tests your understanding of security operations. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

During a vulnerability scan, a security analyst discovers that a web server is running an outdated version of Apache with known remote code execution vulnerabilities. The server is in production and cannot be patched immediately due to dependency conflicts. What is the best compensating control to reduce risk while a permanent fix is developed?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.


Answer choices

  • Disable all unnecessary modules and services on the server
  • Implement a web application firewall (WAF) to block known attack patterns
  • Enable detailed logging and alerting for the server
  • Isolate the server in a separate VLAN with strict ACLs

Why each option matters

Answer the question above first, then read the full breakdown below to understand why each option is right or wrong.

Correct answer & explanation

Implement a web application firewall (WAF) to block known attack patterns

A Web Application Firewall (WAF) is the best compensating control because it can inspect HTTP/HTTPS traffic at the application layer (Layer 7) and block known attack patterns targeting the outdated Apache version, such as specific payloads for CVE-2017-9798 or CVE-2021-41773. Unlike other options, a WAF provides virtual patching without modifying the vulnerable server, directly mitigating the remote code execution risk while a permanent fix is developed.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Disable all unnecessary modules and services on the server

    Why it's wrong here

    Reducing attack surface is good practice but does not address the known vulnerability.

  • Implement a web application firewall (WAF) to block known attack patterns

    Why this is correct

    A WAF can detect and block exploit attempts, providing virtual patching until the software is updated.

    Clue confirmation

    The clue words "best", "immediately / without restart" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable detailed logging and alerting for the server

    Why it's wrong here

    Logging helps detect attacks but does not prevent them.

  • Isolate the server in a separate VLAN with strict ACLs

    Why it's wrong here

    Segmentation helps but does not prevent exploitation of the vulnerability if the server is still accessible.

Common exam traps

Common exam trap: answer the scenario, not the keyword

ISC2 often tests the distinction between detective controls (logging and alerting) and preventive controls (a WAF). Candidates are drawn to logging because it seems proactive, but it does not reduce risk in real time.

Detailed technical explanation

How to think about this question

A WAF operates by analyzing HTTP request headers, parameters, and payloads against a rule set (e.g., the OWASP ModSecurity Core Rule Set) to detect and block exploit attempts such as path traversal or buffer overflow patterns. In a real-world deployment, a WAF can be configured in reverse proxy mode to terminate TLS and inspect decrypted traffic, so that attacks carried over HTTPS are also blocked. This approach is often called "virtual patching" and is widely used in PCI DSS environments to buy time for patch deployment. Note that a virtual patch only covers the attack patterns its rules describe, so the WAF reduces risk but does not remove the vulnerability; the permanent fix is still to patch the server.
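As an added illustration (not code from this page, the OWASP CRS, or any WAF product), the following Python sketch shows the two steps described above for a virtual patch: normalizing a request path (percent-decoding until stable, so double encoding cannot hide a pattern) and then matching it against a small constructed rule set. The `/cgi-bin/` prefix rule, the `VP-` rule ids and the sample request lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Assumption for this example: the unpatched component is served under /cgi-bin/
# and is not needed in production, so a virtual patch can deny it outright.
BLOCKED_PREFIXES = ("/cgi-bin/",)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def normalize_path(raw_target: str, max_passes: int = 3) -> str:
    """Strip the query string, percent-decode until the result stops changing
    (catches double encoding), then normalise separators so the rules see the
    path the server would actually resolve."""
    path = raw_target.split("?", 1)[0]
    for _ in range(max_passes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path.replace("\\", "/"))


def inspect_request(request_line: str) -> tuple[str, str]:
    """Return ("allow", "") or ("block", rule_id) for one HTTP request line."""
    match = REQUEST_LINE.match(request_line)
    if not match:
        return ("block", "VP-000")      # malformed request line
    path = normalize_path(match.group(2))
    if ".." in path.split("/"):
        return ("block", "VP-001")      # path traversal visible after decoding
    if "\x00" in path:
        return ("block", "VP-002")      # null byte would truncate the path
    if path.startswith(BLOCKED_PREFIXES):
        return ("block", "VP-003")      # deny the unpatched component entirely
    return ("allow", "")


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png?size=2 HTTP/1.1",
    "GET /static/..%2F..%2Fconfig.ini HTTP/1.1",    # single-encoded traversal
    "GET /static/%252e%252e/config.ini HTTP/1.1",   # double-encoded traversal
    "POST /cgi-bin/test.sh HTTP/1.1",               # unpatched component
    "GET /%00 HTTP/1.1",                            # null byte
    "NOT A REQUEST",
]


def run_samples() -> list[tuple[str, str, str]]:
    """Apply the rules to every sample line; returns (line, action, rule_id)."""
    return [(line,) + inspect_request(line) for line in SAMPLE_REQUESTS]
```

Only the rules' named patterns are caught: a request that exploits the same vulnerability through a pattern the rules do not describe passes through, which is why the page calls this a compensating control rather than a fix.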

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this CISSP question test?

Security Operations. This question tests Security Operations: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Implement a web application firewall (WAF) to block known attack patterns. A WAF inspects HTTP/HTTPS traffic at Layer 7 and blocks known attack patterns against the outdated Apache version, providing virtual patching without modifying the server while a permanent fix is developed (see the full explanation above).

What should I do if I get this CISSP question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes. Watch for "best" and "immediately / without restart". "Best" signals that multiple options may be partially correct: choose the option that most directly solves the exact problem described, not the one that sounds most complete. "Immediately / without restart" signals a time or reboot constraint that the correct answer must satisfy.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 30, 2026


This CISSP practice question is part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CISSP exam.