Exam CAS-004
Question 265

A new mandate by the corporate security team requires that all endpoints must meet a security baseline before accessing the corporate network. All servers and desktop computers are scanned by the dedicated internal scanner appliance installed in each subnet. However, remote worker laptops do not access the network regularly. Which of the following is the BEST option for the security team to ensure remote worker laptops are scanned before being granted access to the corporate network?

Correct Answer: A

The best option to ensure remote worker laptops are scanned and meet the security baseline before accessing the corporate network is to implement network access control (NAC) to perform host validation of installed patches. NAC can enforce policy and baseline compliance by checking whether endpoints meet the necessary security requirements and denying access to noncompliant devices. This approach ensures that the devices are evaluated for security compliance prior to being granted network access, making it a suitable solution for remote laptops that do not regularly connect to the corporate network.

Discussion
p1s3c Option: D

D. Install a vulnerability scanning agent on each remote laptop to submit scan data. Since remote worker laptops do not access the network regularly, installing a vulnerability scanning agent on each remote laptop to submit scan data would be the best option for the security team to ensure that remote worker laptops are scanned before being granted access to the corporate network. This way, each laptop will be scanned and evaluated for compliance with the security baseline before it is allowed to access the corporate network, regardless of its location. Network access control, 802.1X implementation, and a vulnerability scanning subnet are all viable solutions, but they would require remote workers to be connected to the corporate network, which may not always be possible or practical.

bdlm Option: A

Not only is this a great use case for NAC but how is the vulnerability scanner getting the latest plugins if the machine is offline for a long period of time?

ThatGuyOverThere Option: A

I gotta agree with the others that say this is what NAC was made for and is the best answer.

BreakOff874 Option: D

D. Install a vulnerability scanning agent on each remote laptop to submit scan data is the BEST option for the security team to ensure remote worker laptops are scanned before being granted access to the corporate network. Since the remote worker laptops do not access the network regularly, options A, B, and C would not be effective as they rely on network access and connectivity to perform scanning or validation. Option D, on the other hand, involves installing a scanning agent on each remote laptop, which would allow the security team to collect vulnerability data and validate if the endpoint meets the security baseline before granting network access. This solution provides a comprehensive approach to ensure the security of remote laptops before accessing the corporate network.

last_resort Option: A

This seems to describe NAC...

surfuganda Option: D

Falling back on reading comprehension here:
Question asks: [...BEST option...to ensure...scanned BEFORE...access to...network?]
Translation: scan first, connect second
A. INCORRECT [connect first]
B. INCORRECT [connect first]
C. INCORRECT [connect first]
D. CORRECT [scan first]

hb0011 Option: A

It worries me that so many people voted for anything other than A.

userguy890

It's 'cause they blindly go for ChatGPT replies.

Meep123 Option: A

A NAC is there to inspect a device before it is allowed to connect to the corporate network. If the device does not pass inspection, it is not allowed access. Submitting a scan sounds good, but what are the criteria for submitting the results? Within 24 hours? 72 hours? 1 week? How does the vuln scanner get on the device, does it have to connect to the corporate network for the security team to install it? If so, access to the corporate network has already begun before the vuln scanner has had the opportunity to produce results. What about allowed configurations, versions of software, etc.? With these variables, a NAC is something I'm more comfortable with. Vuln scanner is awesome, but I'd say that's 1 step different from what the question is asking.

Adeyi_Okin Option: A

The question is not talking about vulnerability scanning but whether endpoints meet a particular baseline. Option A

imather Option: A

I agree with last_resort on this one. The vulnerability scanning agent sounds like a good idea, but that solution doesn't provide any controls for granting or preventing access. However, NAC enforces policy and baselines and can check for the installed patches and deny or grant access to noncompliant devices as described in A. https://www.cisco.com/c/en/us/products/security/what-is-network-access-control-nac.html

BiteSize Option: D

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Amin4799 Option: D

D okay

ninjachuleta Option: A

A. NAC

loucrass Option: D

Answer is (D) according to ChatGPT

Meep123 Option: A

Reasoning in previous comment

CoinUmbrella Option: D

Vulnerability Scanning Agent: Installing a vulnerability scanning agent on each remote laptop allows for remote scanning of these devices. This approach ensures that the laptops are scanned for compliance with the security baseline before they connect to the corporate network. The agent can periodically conduct scans and report the results to a centralized system for assessment. It's a proactive way to ensure that remote devices meet security requirements.

Nnatech Option: A

The correct answer is A. This is what NAC is meant to do.