ISC Updated CC Exam Questions and Answers by madiha

Non-repudiation is a core security principle that ensures an individual or system cannot deny having performed a specific action. In cybersecurity, this concept is critical for accountability, auditing, and legal enforcement. Non-repudiation provides assurance that an action—such as sending an email, approving a transaction, or signing a document—can be definitively attributed to a specific user.

This principle is commonly enforced using cryptographic techniques such as digital signatures, public key infrastructure (PKI), hashing, and secure logging. For example, when a user digitally signs a document using their private key, anyone can later verify that signature using the corresponding public key. This prevents the signer from denying authorship.

Non-repudiation is particularly important in financial systems, legal documents, and regulated environments where proof of action is required. It differs from authentication, which verifies identity, and authorization, which defines permissions. Non-repudiation focuses on ensuring that actions are traceable and undeniable, supporting forensic investigations and compliance with security and legal requirements.

Non-repudiation requires strong identity verification, message integrity, and tamper resistance, typically implemented using digital signatures and PKI.

Cross-site scripting (XSS) attacks exploitinput validation vulnerabilitiesin web applications. These vulnerabilities occur when an application fails to properly validate, sanitize, or encode user-supplied input before including it in web pages. As a result, attackers can inject malicious scripts that are executed in the browsers of other users.

XSS attacks commonly occur through form fields, URL parameters, cookies, or HTTP headers. Once executed, malicious scripts can steal session cookies, capture keystrokes, redirect users to malicious sites, or perform actions on behalf of the victim.

ARP spoofing and DNS poisoning target network-level trust relationships, not application input validation. Pharming redirects users to fake websites by manipulating DNS or host files, again unrelated to input validation.

Preventing XSS relies heavily on strong input validation, output encoding, content security policies (CSP), and secure coding practices. OWASP and NIST explicitly identify XSS as a validation-related vulnerability and emphasize defensive coding as the primary mitigation.

System security configuration management focuses on ensuring that systems are securely configured, consistently maintained, and properly tracked throughout their lifecycle. Core elements includebaselines,updates, andinventory. Baselines define the approved secure configuration for systems. Updates (such as patches and configuration changes) ensure systems remain secure over time. Inventory tracks hardware and software assets so organizations know what must be configured and maintained.

Audit logs, while extremely important for security monitoring, incident response, and compliance, arenot a core element of configuration management. Instead, audit logs fall under security operations, monitoring, and logging controls. Configuration management is concerned with how systems are built and maintained, not with recording activity after deployment.

Frameworks such as NIST SP 800-128 clearly distinguish configuration management from logging and auditing, even though both contribute to overall system security.