312-50V10 · Question #802
A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a sing
The correct answer is A. Place a front-end web server in a demilitarized zone that only handles external web traffic. Placing a public-facing web server in a DMZ creates network segmentation so that compromising a single externally accessible server cannot directly expose sensitive internal financial data.
Question
A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank?
Options
- APlace a front-end web server in a demilitarized zone that only handles external web traffic
- BRequire all employees to change their anti-virus program with a new one
- CMove the financial data to another server on the same IP subnet
- DIssue new certificates to the web servers from the root certificate authority
How the community answered
(40 responses)- A80% (32)
- B13% (5)
- C3% (1)
- D5% (2)
Why each option
Placing a public-facing web server in a DMZ creates network segmentation so that compromising a single externally accessible server cannot directly expose sensitive internal financial data.
A DMZ (demilitarized zone) is a network segment separated from the internal network by an additional firewall boundary, isolating externally reachable servers from systems holding sensitive data. By placing the front-end web server in the DMZ, an attacker who compromises it is still blocked from the internal financial systems by that boundary, directly addressing the architectural flaw where one server breach exposed all financial data.
Replacing anti-virus software does not address the root cause - the absence of network segmentation - that allowed a single compromised server to reach financial data.
Moving financial data to another server on the same IP subnet provides no additional protection because the attacker already had access to that subnet through the initially compromised server.
Issuing new certificates improves authentication and encryption of communications but does not fix the lack of network segmentation that permitted lateral movement to financial data.
Concept tested: DMZ network segmentation for defense in depth
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41rev1.pdf
Topics
Community Discussion
No community discussion yet for this question.