nerdexam
EC-Council

312-50V10 · Question #493

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?

The correct answer is A. Running a network scan to detect network services in the corporate DMZ. Determining an organization's attack surface requires identifying all externally exposed services and entry points, which a network scan of the DMZ directly accomplishes.

Scanning Networks

Question

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?

Options

  • ARunning a network scan to detect network services in the corporate DMZ
  • BReviewing the need for a security clearance for each employee
  • CUsing configuration management to determine when and where to apply security patches
  • DTraining employees on the security policy regarding social engineering

How the community answered

(39 responses)
  • A
    79% (31)
  • B
    5% (2)
  • C
    13% (5)
  • D
    3% (1)

Why each option

Determining an organization's attack surface requires identifying all externally exposed services and entry points, which a network scan of the DMZ directly accomplishes.

ARunning a network scan to detect network services in the corporate DMZCorrect

A network scan of the DMZ identifies all active services, open ports, and reachable hosts that an attacker could target, which is the definition of an attack surface. The DMZ is specifically the boundary zone most exposed to external threats. This gives a concrete, technical inventory of exploitable entry points.

BReviewing the need for a security clearance for each employee

Security clearance reviews address insider threat and personnel vetting, not the technical attack surface of systems and services.

CUsing configuration management to determine when and where to apply security patches

Configuration management and patch scheduling is a remediation activity performed after vulnerabilities are identified, not an attack surface discovery method.

DTraining employees on the security policy regarding social engineering

Social engineering training is a defensive awareness measure and does not enumerate or map technical attack vectors.

Concept tested: Attack surface identification via network scanning

Source: https://csrc.nist.gov/glossary/term/attack_surface

Topics

#attack surface#network scanning#DMZ#vulnerability assessment

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice