
SY0-701 Exam - Question 65


A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following should the analyst do?

Correct Answer: C

To reduce the impact when a user clicks on a link in a phishing message, updating the Endpoint Detection and Response (EDR) policies to block automatic execution of downloaded programs is the most effective approach. This technical measure will prevent malicious software from running if a user falls victim to the phishing attempt, thereby directly mitigating the potential negative consequences of such actions. Other options like raising awareness, implementing email filters, and creating additional training are valuable for preventing phishing attempts but do not directly address the impact after a click has occurred.

Discussion

SHADTECH123 Option: C
May 18, 2024

Updating the Endpoint Detection and Response (EDR) policies to block the automatic execution of downloaded programs helps to mitigate the risk by preventing malicious software from running even if a user clicks on a phishing link. This technical control directly addresses the potential consequences of a phishing attack by stopping harmful actions from taking place after the initial click, thus reducing the overall impact of the phishing campaign. While raising awareness (option A), implementing email security filters (option B), and creating additional training (option D) are all valuable preventive measures, they do not directly reduce the impact after a phishing link is clicked.

networkmen Option: C
May 20, 2024

If the question is "when the user clicks the link" the only right answer should be C. Everything else would not help after the user already clicked the link.

Xavierallen9711 Option: D
May 11, 2024

Additional training is key to lowering risks.

AutoroTink Option: C
May 14, 2024

Updating the EDR policy will reduce the impact of when a user clicks through, while D tries to prevent the user from clicking in the first place.

hasquaati Option: C
May 15, 2024

Personally I would choose D, however even with training users are still clicking on phishing attempts. We would need an EDR policy to add to our security posture, remembering the idea of Security in Depth. We can't rely on one security strategy. I am going with C on this one.

AbdullahMohammad251 Option: C
May 20, 2024

Options A, B, and D represent proactive measures designed to mitigate the risk of exposure to phishing emails or clicking on their links. However, should a phishing email evade our security measures and be clicked by an employee, it becomes imperative to prevent any downloaded files from executing. Updating Endpoint Detection and Response (EDR) policies to block the automatic execution of downloaded programs would effectively thwart the attack.

MAKOhunter33333333 Option: C
May 21, 2024

Wants to reduce impact AFTER clicking the link. C is the only one that, B is preventive and happens before the user can even click the email.

Etc_Shadow28000 Option: C
Jun 12, 2024

C. Update the EDR policies to block automatic execution of downloaded programs. While raising awareness, implementing email filters, and providing additional training are important measures, updating Endpoint Detection and Response (EDR) policies to block the automatic execution of downloaded programs directly addresses the issue of reducing the impact when a user clicks on a phishing link. This approach helps prevent malicious software from being executed on the user's system, thus mitigating potential harm. Therefore, the correct answer is: C. Update the EDR policies to block automatic execution of downloaded programs.

Jimmy1017 Option: D
May 12, 2024

I think it’s D because end users understanding best security practices is essential to protecting against security threats both old and new.

barracouto Option: C
Jul 19, 2024

C is the only one that can actually be controlled by the analyst. You can train as much as you want but that doesn't mean people listen... Source: all of us here using an exam dump after watching Messer's course :)