nerdexam
ExamsCAS-003Questions#800
CompTIA

CAS-003 · Question #800

CAS-003 Question #800: Real Exam Question with Answer & Explanation

The correct answer is B: Implement file integrity monitoring with automated alerts on the servers.. File integrity monitoring with automated alerts would immediately detect unauthorized file changes such as unapproved patches, directly reducing the time between incident occurrence and discovery.

Question

A financial institution has several that currently employ the following controls: * The severs follow a monthly patching cycle. * All changes must go through a change management process. * Developers and systems administrators must log into a jumpbox to access the servers hosting the data using two-factor authentication. * The servers are on an isolated VLAN and cannot be directly accessed from the internal production network. An outage recently occurred and lasted several days due to an upgrade that circumvented the approval process. Once the security team discovered an unauthorized patch was installed, they were able to resume operations within an hour. Which of the following should the security administrator recommend to reduce the time to resolution if a similar incident occurs in the future?

Options

  • ARequire more than one approver for all change management requests.
  • BImplement file integrity monitoring with automated alerts on the servers.
  • CDisable automatic patch update capabilities on the servers
  • DEnhanced audit logging on the jump servers and ship the logs to the SIEM.

Explanation

File integrity monitoring with automated alerts would immediately detect unauthorized file changes such as unapproved patches, directly reducing the time between incident occurrence and discovery.

Common mistakes.

  • A. Requiring additional approvers hardens the change management process for future requests but provides no detection mechanism when that process is bypassed, so it does not reduce time to resolution.
  • C. Disabling automatic patch update capabilities does not prevent a privileged user from manually installing an unauthorized patch, which was the actual method used in this incident.
  • D. Enhanced jump-server audit logging captures authentication and session events but does not alert on file-level changes made on the target servers, so detection would still depend on manual log review.

Concept tested. File integrity monitoring for unauthorized change detection

Reference. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full CAS-003 Practice