Correct Answer: A

Analysis and Remediation Options for Each IoC:

IoC 1:

Evidence:

Analysis:

Remediation:

IoC 2:

Evidence:

Analysis:

Remediation:

IoC 3:

Evidence:

Analysis:

Remediation:

References:

CompTIA Security+ Study Guide: This guide offers detailed explanations on identifying and mitigating various types of Indicators of Compromise (IoCs) and the corresponding analysis and remediation strategies. CompTIA Security+ Exam

Objectives: These objectives cover key concepts in network security monitoring and incident response, providing guidelines on how to handle different types of security events.

Security Operations Center (SOC) Best Practices: This resource outlines effective strategies for analyzing and responding to anomalous events within a SOC, including the use of blocklists, endpoint controls, and network configuration

changes.

By accurately analyzing the nature of each IoC and applying the appropriate remediation measures, the organization can effectively mitigate potential security threats and maintain a robust security posture.

Correct Answer: C

The event timeline indicates a sequence where a file (hr-reporting.docx) was saved, scanned, executed, and eventually found to contain malware. The critical issue here is that the malware scan completed after the file was already executed.

This suggests a Time-Of- Check to Time-Of-Use (TOCTOU) vulnerability, where the state of the file changed between the time it was checked and the time it was used.

References:

CompTIA SecurityX Study Guide: Discusses TOCTOU vulnerabilities as a timing attack where the state of a resource changes after it has been validated. NIST Special Publication 800-53, "Security and Privacy Controls for Federal

Information Systems and Organizations": Recommends addressing TOCTOU vulnerabilities to ensure the integrity of security operations. "The Art of Software Security Assessment" by Mark Dowd, John McDonald, and Justin Schuh: Covers

logic flaws and timing vulnerabilities, including TOCTOU issues.

Correct Answer: D

Based on the provided authentication logs, we observe that User1's account experienced multiple failed login attempts within a very short time span (at 8:01:23 AM on 12/15). This pattern indicates a potential brute-force attack or an attempt

to gain unauthorized access. Here's a breakdown of why disabling User1's account is the appropriate first step:

Failed Login Attempts: The logs show that User1 had four consecutive failed login attempts:

Security Protocols and Best Practices: According to CompTIA Security+ guidelines, multiple failed login attempts within a short timeframe should trigger an immediate response to prevent further potential unauthorized access attempts. This

typically involves temporarily disabling the account to stop ongoing brute- force attacks.

Account Lockout Policy: Implementing an account lockout policy is a standard practice to thwart brute-force attacks. Disabling User1's account will align with these best practices and prevent further failed attempts, which might lead to

successful unauthorized access if not addressed.

References:

By addressing User1's account first, we effectively mitigate the immediate threat of a brute- force attack, ensuring that further investigation can be conducted without the risk of unauthorized access continuing during the investigation period.

Correct Answer: AE

To mitigate the identified vulnerabilities, the following solutions are most appropriate:

A. Implementing data loss prevention (DLP): DLP solutions help prevent the unauthorized transfer of data outside the organization. This directly addresses the exfiltration of intellectual property by monitoring, detecting, and blocking sensitive

data transfers.

E. Enabling modern authentication that supports Multi-Factor Authentication (MFA): This significantly enhances security by requiring additional verification methods beyond just passwords. It addresses the issue of weak user passwords by

making it much harder for unauthorized users to gain access, even if they obtain the password.

Other options, while useful in specific contexts, do not address all the vulnerabilities mentioned:

B. Deploying file integrity monitoring helps detect changes to files but does not prevent data exfiltration or address weak passwords. C. Restricting access to critical file services improves security but is not comprehensive enough to mitigate

all identified vulnerabilities. D. Deploying directory-based group policies can enforce security policies but might not directly prevent data exfiltration or ensure strong authentication. F. Implementing a version control system helps manage

changes to files but is not a security measure for preventing the identified vulnerabilities. G. Implementing a CMDB platform (Configuration Management Database) helps manage IT assets but does not address the specific security issues

mentioned.

References:

CompTIA Security+ Study Guide

NIST SP 800-53 Rev. 5, "Security and Privacy Controls for Information Systems and Organizations"

CIS Controls, "Control 13: Data Protection" and "Control 16: Account Monitoring and Control"

Correct Answer: AF

The reported issues suggest problems related to network connectivity, remote access, and certificate management:

A. Review VPN throughput: Connectivity issues and the inability to download applications while working remotely may be due to VPN bandwidth or performance issues. Reviewing and optimizing VPN throughput can help resolve these

problems by ensuring that remote users have adequate bandwidth for accessing corporate resources.

F. Validate MDM asset compliance: Mobile Device Management (MDM) systems ensure that mobile endpoints comply with corporate security policies. Validating MDM compliance can help address issues related to the inability to download

applications and certificate errors, as non-compliant devices might be blocked from accessing certain resources.

B. Check IPS rules: While important for security, IPS rules are less likely to directly address the connectivity and certificate issues described. C. Restore static content on the CDN: This action is related to content delivery but does not address

VPN or certificate-related issues. D. Enable secure authentication using NAC: Network Access Control (NAC) enhances security but does not directly address the specific issues described. E. Implement advanced WAF rules: Web Application

Firewalls protect web applications but do not address VPN throughput or mobile device compliance.

References:

CompTIA Security+ Study Guide

NIST SP 800-77, "Guide to IPsec VPNs"

CIS Controls, "Control 11: Secure Configuration for Network Devices"

Correct Answer: BC

To reduce the risk of unauthorized BYOD (Bring Your Own Device) usage, the organization should implement Conditional Access and Network Access Control (NAC).

Why Conditional Access and NAC?

Conditional Access:

Network Access Control (NAC):

Other options, while useful, do not address the specific need to control and secure BYOD devices effectively:

A. Cloud IAM to enforce token-based MFA: Enhances authentication security but does not control device compliance.

D. PAM to enforce local password policies: Focuses on privileged account management, not BYOD control.

E. SD-WAN to enforce web content filtering: Enhances network performance and security but does not enforce BYOD device compliance. F. DLP to enforce data protection capabilities: Protects data but does not control BYOD device access and compliance. References: CompTIA SecurityX Study Guide "Conditional Access Policies," Microsoft Documentation "Network Access Control (NAC)," Cisco Documentation

Correct Answer: DE

Correct Answer: C

While the CA is responsible for issuing the certificates, it relies on the RA (if one is used) to perform the identity validation. If the RA performs its duties correctly, any failed identity validation would be handled at the RA level, and the CA would not issue the certificate.

Correct Answer: A

Deploying the application using a cloud container service aligns well with the specified security and organizational infrastructure requirements. It ensures sessionless, API-based operation, supports ephemeral storage for uploaded documents with PII, enables on-demand scalability across multiple nodes, and facilitates strict restriction of network access except for the TLS port.

Correct Answer: B