Exam SY0-601
Question 298

A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?

Correct Answer: B

The best course of action to resolve the problem quickly and with minimal disruption is to place the machines with the unapproved software in containment. Containment isolates the affected machines from the network, preventing the unauthorized software from making outbound communications and spreading to additional machines. Although other remedies like blocking the application or updating firewall rules may eventually be necessary, the immediate priority should be to contain the threat to prevent further spread and impact.
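To make "contain only the affected machines" concrete, here is an added example (not from the exam or this site) that scopes containment from constructed endpoint telemetry so that researchers doing legitimate SMB and HTTPS traffic are left alone; the lab subnet, the process name of the unauthorized software, and the log format are all assumptions.

```python
import ipaddress

# Assumptions (constructed for this example, not from the exam question):
# the lab subnet, the process name of the unauthorized software, and the
# endpoint telemetry format "src proc dst dport" are placeholders.
LAB_NET = ipaddress.ip_network("10.10.5.0/24")
UNAPPROVED_PROCS = {"unapproved.exe"}
WATCHED_PORTS = {443, 445}   # HTTPS and SMB, as in the question

# Constructed endpoint connection records: source host, process, destination, port.
SAMPLE_LOG = """\
10.10.5.21 collab.exe 10.10.5.30 445
10.10.5.21 chrome.exe 203.0.113.10 443
10.10.5.22 unapproved.exe 10.10.5.40 445
10.10.5.22 unapproved.exe 198.51.100.7 443
10.10.7.8 unapproved.exe 10.10.5.21 445
10.10.7.9 outlook.exe 198.51.100.20 443
"""

def parse(log):
    """Yield (src, proc, dst, dport) tuples; skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, proc, dst, dport = parts
        yield src, proc, dst, int(dport)

def triage(log):
    """Scope containment to hosts that ran the unauthorized software.

    Returns (contain, outside_lab, peers): hosts to isolate, the subset that
    is already outside the lab, and SMB peers the software reached that are
    not yet flagged (check these next for spread). Hosts doing only legitimate
    445/443 traffic are never placed in the contain set.
    """
    contain, peers = set(), set()
    for src, proc, dst, dport in parse(log):
        if proc in UNAPPROVED_PROCS and dport in WATCHED_PORTS:
            contain.add(src)
            if dport == 445:
                peers.add(dst)
    outside_lab = {h for h in contain if ipaddress.ip_address(h) not in LAB_NET}
    return contain, outside_lab, peers - contain

if __name__ == "__main__":
    c, o, p = triage(SAMPLE_LOG)
    print("contain:", sorted(c), "outside lab:", sorted(o), "check next:", sorted(p))
```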

Discussion
HL2020 (Option: C)

I'm guessing C. A isn't correct since we're asked not to disrupt researchers who are using SMB. B would again disrupt, and D doesn't really make sense.

osdoodsiosdio2

What do you mean, D doesn't make sense? How is it different from C?

okay123 (Option: C)

C makes the most sense.

DChilds (Option: B)

In line with the incident response process, the breach has been identified; the next step is containment. All other remedies require an emergency change to be logged, but the first step should be containment.

eddy72 (Option: B)

B. Place the machines with the unapproved software in containment. In this scenario, the best course of action is to quickly contain the machines with the unauthorized software to prevent further spread and minimize disruption. Placing the affected machines in containment helps isolate them from the network, preventing the unauthorized software from making outbound communications and spreading to additional machines. While options such as updating host firewalls, implementing a content filter, or placing the unauthorized application in a blocklist may be part of a comprehensive security strategy, containment is the most immediate and targeted response to prevent the unauthorized software from causing further impact and spreading throughout the network.

BD69

A blocklist would work immediately and cause the least disruption. Containment would take time and cause the most disruption.

jerseydude (Option: B)

B for me: "seen on additional machines outside of the lab" - you would need to contain first, then block links etc.

BD69 (Option: C)

Placing machines in containment would be highly disruptive! If the software is unauthorized, the least disruptive thing to do is block it via a blocklist. The problem with a content filter is that it filters content, not ports - we don't know what that content is. There may be situations (though I can't think of any) where SMB may be required.

dsfdg (Option: B)

According to the incident response process, the answer should be B.

Cloudninja117 (Option: B)

The correct answer is B; it's in the textbook by Jason Dion, and it's a question that was previously on the last Security+ exam.

MALEKMALAHI (Option: C)

Blacklisting the unauthorized application is the most targeted approach that minimizes disruption. Researchers can continue using ports 445 and 443 for legitimate communications as long as the unauthorized software is blocked. Placing the machines in containment would completely halt work on those machines, causing significant disruption.

AbdullahMohammad251 (Option: B)

Option A is incorrect because the researchers are using SMB to communicate and we can't block it. Since the researchers are using the same ports used by the unauthorized software to communicate, the researchers are likely using the unauthorized software to communicate, making option C incorrect. Option D is also invalid and irrelevant to our scenario; content filters are used to block certain websites.

memodrums (Option: C)

I would go with C. This is why: as you see more workstations with the unauthorized software, you need to keep putting them into containment. By blocking the software altogether, you won't have that issue, making it more efficient.

johnabayot (Option: B)

B. Place the machines with the unapproved software in containment. This option would prevent the unauthorized software from spreading to other machines and communicating with external servers, while allowing the researchers to continue their work on unaffected machines.

shaneo007 (Option: B)

Answer B. Place the machines with the unapproved software in containment. This would allow the investigation of the infected machine without disrupting the work of researchers.

Teleco0997 (Option: B)

Reasons for C to be incorrect:

Outbound Communications: Blocking the unauthorized application from running on the machine may not automatically prevent its outbound communications. If the application has already established connections or is designed to communicate over the network, those communications might still occur.

Preventing Spread: Placing the application in a blocklist on one machine doesn't prevent it from spreading to other machines. If the unauthorized software is propagating through the network, merely blocking it on one machine may not stop its lateral movement.

Holistic Solution: Security incidents often require a more comprehensive and holistic solution. Blocking the application is a reactive measure, but containment measures (such as isolating affected machines) and addressing the root cause are proactive steps to mitigate the impact and prevent further spread.

Teleco0997 (Option: B)

My 5c here: Option C suggests placing the unauthorized application in a blocklist. This approach might prevent the unauthorized application from running on the affected machines, but it might not be as effective in stopping its outbound communications or preventing its spread to other machines. In scenarios where the unauthorized software is making outbound communications using HTTPS and SMB and is spreading to other machines, a more comprehensive solution like containment (Option B) is necessary to quickly isolate and address the problem at its source.

MuttleyB

The keyword here is "minimal disruption." Device containment will disrupt affected user devices. Since we've got to work within the parameters of least downtime, C will have to do.

goodmate (Option: D)

The key part is "causing minimal disruption to the researchers", so option D is the more appropriate one. A content filter allows the security team to address the issue without such disruption, aligning with the goal of minimizing disruption to the researchers while quickly mitigating the threat.

datadine (Option: A)

The answer is A; only outbound traffic from researchers is HTTPS, everything else is internal, so minimal impact.