312-50V11 Question #802: Real Exam Question with Answer & Explanation
The correct answer is A: Place a front-end web server in a demilitarized zone that only handles external web traffic. Because a single compromised server exposed all financial data, the bank lacks proper network segmentation. Placing externally-facing servers in a DMZ isolates them from sensitive internal resources.
Question
Options
- A. Place a front-end web server in a demilitarized zone that only handles external web traffic
- B. Require all employees to change their anti-virus program with a new one
- C. Move the financial data to another server on the same IP subnet
- D. Issue new certificates to the web servers from the root certificate authority
Explanation
Because a single compromised server exposed all financial data, the bank lacks proper network segmentation. Placing externally-facing servers in a DMZ isolates them from sensitive internal resources.
Common mistakes.
- B. Replacing anti-virus software does not address the architectural weakness of a flat network and would not prevent lateral movement after an initial server compromise.
- C. Moving financial data to another server on the same IP subnet provides no additional isolation, as an attacker who compromised the original server would have the same level of access to any host in the same subnet.
- D. Issuing new certificates addresses transport-layer authentication and encryption but does not segment the network or prevent an attacker from accessing other servers after an initial compromise.
Concept tested. DMZ network segmentation for data breach prevention
Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf