Exam CAS-004 All Questions
Question 158

An organization requires a legacy system to incorporate reference data into a new system. The organization anticipates the legacy system will remain in operation for the next 18 to 24 months. Additionally, the legacy system has multiple critical vulnerabilities with no patches available to resolve them. Which of the following is the BEST design option to optimize security?

    Correct Answer: C

    The best design option to optimize security for a legacy system with critical vulnerabilities and no patches available is to deploy the legacy application on an air-gapped system. An air-gapped system is physically isolated from other networks, including the internet, which removes the network path an attacker would need to reach the unpatched vulnerabilities. Even though the legacy system itself stays vulnerable, it is protected from network-based threats because it has no direct connectivity to other systems. This level of isolation is the most effective way to secure the system, despite the operational inconvenience of data transfer. The trade-off is that the reference data still has to cross the gap, so the transfer path (removable media or a one-way mechanism) must itself be controlled: the receiving system should verify the integrity of what comes across and accept only the expected data format, because that path is the one remaining way the legacy host can affect the new one.
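The following is an added example of the controlled transfer across the gap; it is not code from the original page or from CompTIA. It assumes the legacy host writes a CSV export plus a sha256sum-style manifest to removable media, and that the new system's import job runs the checks below before loading anything. The file name `refdata.csv`, the column names, the part-ID pattern and the sample rows are all constructed for the example.

```python
"""
Validating reference data carried across an air gap.

Added example, not code from the original page.  Assumed set-up: the legacy
host exports a CSV file plus a sha256sum-style manifest onto removable media,
and the new system's import job refuses to load anything that fails the
checks below.  File name, column names and sample rows are constructed.
"""
import csv
import hashlib
import hmac
import io
import re

# Schema the new system is willing to accept (assumed for the example).
EXPECTED_COLUMNS = ("part_id", "description", "unit_cost")
PART_ID_RE = re.compile(r"^[A-Z]{2}-\d{4,6}$")
MAX_ROWS = 100_000


class ImportRejected(Exception):
    """Raised when the export must not be loaded into the new system."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_manifest(data, manifest, filename):
    """Manifest line is '<sha256hex>  <filename>' as written by sha256sum."""
    parts = manifest.split()
    if len(parts) != 2 or parts[1] != filename:
        raise ImportRejected("manifest does not name the expected file")
    if not hmac.compare_digest(parts[0], sha256_hex(data)):
        raise ImportRejected("digest mismatch: file altered or wrong file")


def parse_reference_data(data):
    """Accept only well-formed UTF-8 CSV that matches the expected schema."""
    if b"\x00" in data:
        raise ImportRejected("binary content in reference export")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ImportRejected("export is not valid UTF-8") from exc

    reader = csv.DictReader(io.StringIO(text))
    if tuple(reader.fieldnames or ()) != EXPECTED_COLUMNS:
        raise ImportRejected("unexpected columns: %r" % (reader.fieldnames,))

    rows = []
    for n, row in enumerate(reader, start=1):
        if n > MAX_ROWS:
            raise ImportRejected("export exceeds row limit")
        # DictReader files surplus fields under the key None and fills
        # missing fields with None, so either means a ragged row.
        if None in row or None in row.values():
            raise ImportRejected("row %d: wrong number of fields" % n)
        if not PART_ID_RE.match(row["part_id"]):
            raise ImportRejected("row %d: bad part_id %r" % (n, row["part_id"]))
        # A leading formula character is executed if the data is ever opened
        # in a spreadsheet downstream (CSV injection), so refuse it here.
        if row["description"][:1] in ("=", "+", "-", "@"):
            raise ImportRejected("row %d: description starts with a formula character" % n)
        try:
            cost = float(row["unit_cost"])
        except ValueError as exc:
            raise ImportRejected("row %d: non-numeric unit_cost" % n) from exc
        if not cost >= 0:  # written this way so NaN is rejected too
            raise ImportRejected("row %d: unit_cost is not a non-negative number" % n)
        rows.append({"part_id": row["part_id"],
                     "description": row["description"],
                     "unit_cost": cost})
    return rows


def import_reference_data(data, manifest, filename):
    verify_manifest(data, manifest, filename)   # integrity first
    return parse_reference_data(data)           # then content


def rejection_reason(data, manifest, filename):
    """None if the export would be accepted, otherwise why it was refused."""
    try:
        import_reference_data(data, manifest, filename)
    except ImportRejected as exc:
        return str(exc)
    return None


# Constructed sample export and the manifest the legacy side would write for it.
SAMPLE_EXPORT = (
    b"part_id,description,unit_cost\n"
    b"AB-12345,hex bolt M8,0.12\n"
    b"CD-0042,washer,0.03\n"
)
SAMPLE_MANIFEST = sha256_hex(SAMPLE_EXPORT) + "  refdata.csv\n"

if __name__ == "__main__":
    good = import_reference_data(SAMPLE_EXPORT, SAMPLE_MANIFEST, "refdata.csv")
    print("accepted %d rows" % len(good))
    tampered = SAMPLE_EXPORT.replace(b"0.12", b"9.99")
    print("tampered file:", rejection_reason(tampered, SAMPLE_MANIFEST, "refdata.csv"))
```

The digest check only proves the file is the one the legacy host wrote; it does not prove the legacy host was honest, which is why the schema and content checks run afterwards and reject anything other than the narrow format the new system expects. If the manifest travels on the same media as the data, an attacker who controls the legacy host can regenerate both, so in practice the hash is better carried out of band (read off the legacy console and entered on the import side) or replaced by a signature from a key the legacy host does not hold.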

Discussion
adamwella (Option: B)

Not sure why this wouldn't be B. You would want to totally isolate and segregate the vulnerable host in an effort to minimize the potential risk that it poses to your network. Any thoughts?

Emmasa

I asked myself the same question. I would definitely go for B because it is the option that makes the most sense.

Andre876

I believe it is B as well. Segmenting the networks would give us the ability to apply ACLs to limit which devices have access and to what services. The jump box would work if a human was trying to access it; in this case we just need the devices to communicate.

FoxTrotDG

This is likely the option I would select in a real-world setting. It's hard to tell what CompTIA wants for an answer here. I could make an argument for A, B, and C.

BiteSize (Option: B)

Lock down the VLANs to specific ports and ACLs to permit only one-way traffic as absolutely needed to receive the information. A jump box would be ideal, but sounds very manual, unlike what the question is getting after. Source: verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
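As an added illustration of the one-way ACL design described in the post above (not configuration from the original thread or from any poster), the fragment below shows a Cisco IOS-style extended ACL pair. Everything specific is assumed: the legacy host is 10.10.20.5 alone on VLAN 20, the new system is 10.10.10.5 on VLAN 10, and the new system pulls the reference data from the legacy host over TCP/5432. The weak setting is shown first, the hardened one after it.

```text
! Added example; addresses, VLAN numbers and the TCP port are assumed.

! Weak: VLANs exist, but the SVI routes freely between them, so the
! vulnerable host can reach everything and everything can reach it.
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ! no access-group applied

! Hardened: only the new system may open the one needed port on the
! legacy host, and the legacy host may only answer that session.  It can
! never initiate a connection, so a compromise of the legacy host gains
! no path into the rest of the network.
ip access-list extended TO-LEGACY
 permit tcp host 10.10.10.5 host 10.10.20.5 eq 5432
 deny   ip any any log

ip access-list extended FROM-LEGACY
 permit tcp host 10.10.20.5 eq 5432 host 10.10.10.5 established
 deny   ip any any log

interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip access-group TO-LEGACY out
 ip access-group FROM-LEGACY in
```

Two checks a practitioner should make before trusting this: the legacy host must be the only member of VLAN 20, because traffic between hosts in the same VLAN never crosses the SVI and so never meets these ACLs; and `established` only looks at TCP flag bits, so it is not stateful inspection. A firewall between the two VLANs that permits the single flow statefully, with the `deny ... log` entries feeding the SIEM, is the stronger form of the same design.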

saucehozz (Option: B)

[B]est answer. I had an elaborate case, but it was too long.

saucehozz

1. "legacy system to incorporate reference data into a new system": communication with new systems
2. "anticipates legacy system to remain operational for 18-24mo": indicates the legacy system is temporary
3. "critical vulnerabilities and no patches": separate it logically, physically, or both
4. "best design to optimize security": see answer [B]

saucehozz

[A.] A bastion host is great for accessing the reference data. This highly hardened host wouldn't (theoretically) allow peripheral connections except for a smart card. How would #1 work?
[B.] VLANs isolate traffic and resource communication between network devices, compartmentalizing specific systems and limiting the scope of potential attacks on the vulnerable system. Satisfies #1: NACLs control traffic between VLANs, ports, and protocols. Satisfies #2: ease of reconfiguring a port.
[C.] Migrating a legacy application to another system could be treacherous. CapEx to acquire new hardware and OpEx to maintain the new system go up. How would #1 work?
[D.] CapEx for MFA software and OpEx to operate the MFA are increased, which goes against #2. Doesn't address #1, #3, or #4.

nmap_king_22 (Option: C)

C. Deploy the legacy application on an air-gapped system: This option is the most secure choice in the given context. An air-gapped system is physically isolated from the network, which means it's not connected to any other systems or networks, making it extremely difficult for attackers to access and exploit the vulnerabilities. This isolation helps protect the legacy system while still allowing it to fulfill its function of incorporating reference data into the new system. In the absence of patches for critical vulnerabilities, isolating the legacy system through an air-gapped setup is the best approach to optimize security and protect the organization's data and operations.

hb0011 (Option: C)

Air gapped is not an option guys. It has to be able to communicate with other systems. You're not going to be walking to the system and downloading files to a thumb drive and walking them over to the other systems. That's ridiculous.

userguy890

It's the best to optimize security though, which is what the question asks.

Anarckii (Option: C)

I originally went with B as I have a networking background and have been enjoying BiteSize's explanations and answers, but comparing B and C you have to look at which one offers more security from what the question asks: "BEST". Segmenting onto a separate VLAN is great and isolates the traffic, but does not potentially enhance the security. Currently learning about air-gapped systems through this question, the characteristics it offers are way better than just using a VLAN: physical isolation, network isolation, and enhanced security. VLANs only logically separate the connection, not physically. So with the side-by-side comparison I have to go with C.

biggytech (Option: C)

The keyword is "BEST"; security optimization is what CompTIA is going after here. Air gapping provides the BEST security compared to a VLAN. However, a VLAN is more practical in real life.

OdinAtlasSteel (Option: C)

Air-Gapped System: An air-gapped system is physically isolated from other networks or systems, including the internet or external networks. This isolation significantly reduces the exposure to external threats and unauthorized access because there are no direct network connections to exploit the vulnerabilities. Data transfer into or out of the air-gapped system typically occurs through controlled means, such as manual transfers using physical media (e.g., USB drives) or dedicated secure channels. Limiting access with a jump box (Option A) might enhance access control, but if the legacy system remains vulnerable, unauthorized access could still lead to exploitation of the vulnerabilities. Placing systems on separate VLANs (Option B) is a network segmentation method that provides some isolation, but it might not offer sufficient protection against targeted attacks exploiting known vulnerabilities.

ThatGuyOverThere (Option: C)

"BEST" is relative. C is the most secure. Would it hamper the teams too much since they couldn't access it without direct access? Probably. But if best is the most secure, this is the right answer. In the real world the best answer would probably end up being A I would think.

ThatGuyOverThere

You know, it does say "optimizing," which makes me lean toward A as the answer they want. It's hard to say without more specifics on what they are looking for.

JackZ (Option: C)

C is physically isolating.

jt2oux (Option: C)

In a situation where a legacy system needs to be integrated with a new system, and the legacy system has multiple critical vulnerabilities with no available patches, the best design option to optimize security is: C. Deploy the legacy application on an air-gapped system. An air-gapped system is physically isolated from other networks, ensuring that there is no direct connectivity to external networks or systems. This isolation is the most effective way to protect a vulnerable legacy system from potential security threats because it greatly reduces the attack surface. While it may not be the most convenient option, it is the most secure one in cases where security is a top priority. The other options (A, B, and D) can enhance security to some extent but may not provide the same level of security as physically isolating the legacy system through an air-gapped setup.

Sleezyglizzy (Option: B)

B. I remember a similar question like this on a past dump.

loganharris (Option: B)

C and D are of no help. A jump box is a secure computer that all admins first connect to before launching any administrative task, or use as an origination point to connect to other servers or untrusted environments. I'm going B.

p1s3c (Option: C)

The BEST design option to optimize security in this scenario would be to deploy the legacy application on an air-gapped system. An air-gapped system is a computer or network that is isolated from the internet and any other unsecured networks. This is a very effective security measure as it significantly reduces the risk of unauthorized access, hacking, and data breaches. Since the legacy system is vulnerable and has no patches available to resolve the vulnerabilities, deploying it on an air-gapped system will help mitigate the risk and protect the data. The other options such as limiting access to the system using a jump box, placing the new system and legacy system on separate VLANs, or implementing MFA to access the legacy system are also good security measures, but they do not provide the same level of protection as an air-gapped system.

23169fd (Option: C)

This option provides the highest level of security by completely isolating the legacy system from any network threats. Given that there are no patches available for the critical vulnerabilities, an air-gapped system ensures that the legacy system is not accessible over the network, which is a strong measure to prevent exploitation. While it may complicate data transfer, secure methods such as encrypted USB drives or other physical transfer methods can be employed.

vdizzle (Option: B)

All day.

32d799a (Option: A)

B. Place the new system and legacy system on separate VLANs: this would help to contain potential malicious activity. However, this alone does not eliminate the threat to the legacy system with critical vulnerabilities. A. Limit access to the system using a jump box: a jump box is a secure computer that administrators use to connect to other devices in a security zone. It's essentially a controlled access point. This solution would reduce the potential attack surface by limiting which users and systems can directly access the legacy system.