nerdexam
(ISC)2

CISSP · Question #148

Refer to the information below to answer the question. A security practitioner detects client-based attacks on the organization's network. A plan will be necessary to address these concerns. What MUST

The correct answer is D. Employee education. Client-side attacks exploit human behavior and software vulnerabilities on end-user systems, making employee education the foundational control to reduce susceptibility to such threats.

Submitted by kavita_s· Mar 5, 2026Security and Risk Management

Question

Refer to the information below to answer the question. A security practitioner detects client-based attacks on the organization's network. A plan will be necessary to address these concerns. What MUST the plan include in order to reduce client-side exploitation?

Options

  • AApproved web browsers
  • BNetwork firewall procedures
  • CProxy configuration
  • DEmployee education

How the community answered

(37 responses)
  • A
    3% (1)
  • B
    8% (3)
  • C
    16% (6)
  • D
    73% (27)

Why each option

Client-side attacks exploit human behavior and software vulnerabilities on end-user systems, making employee education the foundational control to reduce susceptibility to such threats.

AApproved web browsers

Restricting approved web browsers limits the attack surface of browser-specific vulnerabilities but does not address the broader range of client-side exploitation vectors such as phishing emails or malicious attachments that bypass browser controls.

BNetwork firewall procedures

Network firewall procedures protect the network perimeter and control traffic flow but do not mitigate client-side attacks that originate from user interactions with malicious content already permitted through the firewall.

CProxy configuration

Proxy configuration can filter malicious URLs and enforce content policies, but it is a technical control that can be bypassed and does not address the human behavioral element that client-side attacks fundamentally exploit.

DEmployee educationCorrect

Client-based attacks such as phishing, social engineering, and drive-by downloads primarily exploit user behavior rather than network infrastructure. Employee education trains users to recognize and avoid malicious content, suspicious links, and deceptive tactics, directly reducing the attack surface at the human layer. Security awareness programs are consistently recognized as a must-have control because technical controls alone cannot compensate for uninformed end users.

Concept tested: Mitigating client-side attacks through security awareness

Source: https://www.cisa.gov/resources-tools/resources/security-awareness-training

Topics

#security awareness#employee training#client-side exploitation#user behavior

Community Discussion

No community discussion yet for this question.

Full CISSP Practice