CompTIA
CAS-002 · Question #124
CAS-002 Question #124: Real Exam Question with Answer & Explanation
The correct answer is A: Deploy the following ACL to the HIPS: DENY-TCP-ANY-ANY-445.. Deploying a deny ACL on the HIPS blocks TCP 445 at the host level, stopping the worm from spreading laterally inside the network where the perimeter firewall has no visibility.
Question
A morphed worm carrying a 0-day payload has infiltrated the company network and is now spreading across the organization. The security administrator was able to isolate the worm communication and payload distribution channel to TCP port 445. Which of the following can the administrator do in the short term to minimize the attack?
Options
- ADeploy the following ACL to the HIPS: DENY-TCP-ANY-ANY-445.
- BRun a TCP 445 port scan across the organization and patch hosts with open ports.
- CAdd the following ACL to the corporate firewall: DENY-TCP-ANY-ANY-445.
- DForce a signature update and full system scan from the enterprise anti-virus solution.
Explanation
Deploying a deny ACL on the HIPS blocks TCP 445 at the host level, stopping the worm from spreading laterally inside the network where the perimeter firewall has no visibility.
Common mistakes.
- B. Scanning and patching hosts is a valid remediation step but is far too slow during an active, spreading infection and would not contain the worm while the patching process is underway.
- C. A corporate firewall ACL blocks traffic at the network perimeter but cannot prevent the worm from spreading laterally between hosts that are already inside the internal network.
- D. A 0-day payload has no existing antivirus signatures, so forcing a signature update would not detect or remove the worm and provides no effective short-term containment.
Concept tested. Host-based IPS ACL for lateral worm containment
Reference. https://csrc.nist.gov/publications/detail/sp/800-94/final
Community Discussion
No community discussion yet for this question.