- Email support@dumps4free.com
A security analyst received a notification from a cloud service provider regarding an attack
detected on a web server The cloud service provider shared the following information about
the attack:
• The attack came from inside the network.
• The attacking source IP was from the internal vulnerability scanners.
• The scanner is not configured to target the cloud servers.
Which of the following actions should the security analyst take first?
A. Create an allow list for the vulnerability scanner IPs m order to avoid false positives
B. Configure the scan policy to avoid targeting an out-of-scope host
C. Set network behavior analysis rules
D. Quarantine the scanner sensor to perform a forensic analysis
Explanation:
When a security analyst receives a notification about an attack that appears
to originate from an internal vulnerability scanner, it suggests that the scanner itself might
have been compromised. This situation is critical because a compromised scanner can
potentially conduct unauthorized scans, leak sensitive information, or execute malicious
actions within the network. The appropriate first action involves containing the threat to
prevent further damage and allow for a thorough investigation.
Here’s why quarantining the scanner sensor is the best immediate action:
Containment and Isolation: Quarantining the scanner will immediately prevent it
from continuing any malicious activity or scans. This containment is crucial to
protect the rest of the network from potential harm.
Forensic Analysis: By isolating the scanner, a forensic analysis can be performed
to understand how it was compromised, what actions it took, and what data or
systems might have been affected. This analysis will provide valuable insights into
the nature of the attack and help in taking appropriate remedial actions.
Preventing Further Attacks: If the scanner is allowed to continue operating, it might
execute more unauthorized actions, leading to greater damage. Quarantine
ensures that the threat is neutralized promptly.
Root Cause Identification: A forensic analysis can help identify vulnerabilities in the
scanner’s configuration, software, or underlying system that allowed the
compromise. This information is essential for preventing future incidents.
Other options, while potentially useful in the long term, are not appropriate as immediate
actions in this scenario:
A. Create an allow list for the vulnerability scanner IPs to avoid false positives:
This action addresses false positives but does not mitigate the immediate threat
posed by the compromised scanner.
B. Configure the scan policy to avoid targeting an out-of-scope host: This step is
preventive for future scans but does not deal with the current incident where the
scanner is already compromised.
C. Set network behavior analysis rules: While useful for ongoing monitoring and
detection, this does not address the immediate need to stop the compromised
scanner’s activities.
In conclusion, the first and most crucial action is to quarantine the scanner sensor to halt
any malicious activity and perform a forensic analysis to understand the scope and nature
of the compromise. This step ensures that the threat is contained and provides a basis for
further remediation efforts.
References:
CompTIA SecurityX Study Guide
NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling
Guide"
A company isolated its OT systems from other areas of the corporate network These systems are required to report usage information over the internet to the vendor Which oi the following b*st reduces the risk of compromise or sabotage' (Select two).
A. Implementing allow lists
B. Monitoring network behavior
C. Encrypting data at rest
D. Performing boot Integrity checks
E. Executing daily health checks
F. Implementing a site-to-site IPSec VPN
Explanation:
A. Implementing allow lists: Allow lists (whitelisting) restrict network communication
to only authorized devices and applications, significantly reducing the attack
surface by ensuring that only pre-approved traffic is permitted.
F. Implementing a site-to-site IPSec VPN: A site-to-site VPN provides a secure,
encrypted tunnel for data transmission between the OT systems and the vendor,
protecting the data from interception and tampering during transit.
Other options:
B. Monitoring network behavior: While useful for detecting anomalies, it does not
proactively reduce the risk of compromise or sabotage.
C. Encrypting data at rest: Important for protecting data stored on devices, but
does not address network communication risks.
D. Performing boot integrity checks: Ensures the integrity of the system at startup
but does not protect ongoing network communications.
E. Executing daily health checks: Useful for maintaining system health but does
not directly reduce the risk of network-based compromise or sabotage.
References:
CompTIA Security+ Study Guide
NIST SP 800-82, "Guide to Industrial Control Systems (ICS) Security"
"Industrial Network Security" by Eric D. Knapp and Joel Thomas Langill
Company A acquired Company B and needs to determine how the acquisition will impact the attack surface of the organization as a whole. Which of the following is the best way to achieve this goal? (Select two). Implementing DLP controls preventing sensitive data from leaving Company B's network
A. Documenting third-party connections used by Company B
B. Reviewing the privacy policies currently adopted by Company B
C. Requiring data sensitivity labeling tor all files shared with Company B
D. Forcing a password reset requiring more stringent passwords for users on Company B's network
E. Performing an architectural review of Company B's network
Explanation:
To determine how the acquisition of Company B will impact the attack
surface, the following steps are crucial:
A. Documenting third-party connections used by Company B: Understanding all
external connections is essential for assessing potential entry points for attackers and
ensuring that these connections are secure.
E. Performing an architectural review of Company B's network: This review will identify
vulnerabilities and assess the security posture of the acquired company's network,
providing a comprehensive understanding of the new attack surface.
These actions will provide a clear picture of the security implications of the acquisition and
help in developing a plan to mitigate any identified risks.
References:
CompTIA SecurityX Study Guide: Emphasizes the importance of understanding
third-party connections and conducting architectural reviews during acquisitions.
NIST Special Publication 800-37, "Guide for Applying the Risk Management
Framework to Federal Information Systems": Recommends comprehensive
reviews and documentation of third-party connections.
"Mergers, Acquisitions, and Other Restructuring Activities" by Donald DePamphilis:
Discusses the importance of security assessments during acquisitions.
Users must accept the terms presented in a captive petal when connecting to a guest
network. Recently, users have reported that they are unable to access the Internet after
joining the network A network engineer observes the following:
• Users should be redirected to the captive portal.
• The Motive portal runs Tl. S 1 2
• Newer browser versions encounter security errors that cannot be bypassed
• Certain websites cause unexpected re directs
Which of the following mow likely explains this behavior?
A. The TLS ciphers supported by the captive portal ate deprecated
B. Employment of the HSTS setting is proliferating rapidly.
C. Allowed traffic rules are causing the NIPS to drop legitimate traffic
D. An attacker is redirecting supplicants to an evil twin WLAN.
Explanation:
The most likely explanation for the issues encountered with the captive portal
is that the TLS ciphers supported by the captive portal are deprecated. Here’s why:
TLS Cipher Suites: Modern browsers are continuously updated to support the
latest security standards and often drop support for deprecated and insecure
cipher suites. If the captive portal uses outdated TLS ciphers, newer browsers may
refuse to connect, causing security errors.
HSTS and Browser Security: Browsers with HTTP Strict Transport Security
(HSTS) enabled will not allow connections to sites with weak security
configurations. Deprecated TLS ciphers would cause these browsers to block the
connection.
References:
By updating the TLS ciphers to modern, supported ones, the security engineer can ensure
compatibility with newer browser versions and resolve the connectivity issues reported by
users.
A security review revealed that not all of the client proxy traffic is being captured. Which of the following architectural changes best enables the capture of traffic for analysis?
A. Adding an additional proxy server to each segmented VLAN
B. Setting up a reverse proxy for client logging at the gateway
C. Configuring a span port on the perimeter firewall to ingest logs
D. Enabling client device logging and system event auditing
Explanation:
Configuring a span port on the perimeter firewall to ingest logs is the best architectural
change to ensure that all client proxy traffic is captured for analysis. Here’s why:
Comprehensive Traffic Capture: A span port (or mirror port) on the perimeter
firewall can capture all inbound and outbound traffic, including traffic that might
bypass the proxy. This ensures that all network traffic is available for analysis.
Centralized Logging: By capturing logs at the perimeter firewall, the organization
can centralize logging and analysis, making it easier to detect and investigate
anomalies.
Minimal Disruption: Implementing a span port is a non-intrusive method that does
not require significant changes to the network architecture, thus minimizing
disruption to existing services.
| Page 6 out of 21 Pages |
| Previous |