CompTIA

CAS-003 Question #883: Real Exam Question with Answer & Explanation

The correct answer is A: Implement dedicated SSL decryptors for outbound HTTPS connections.

Question

A large organization suffers a data breach after one staff member inadvertently shares a document on a corporate-approved, file-sharing, cloud-collaboration service. The security administrator must implement controls to reduce the likelihood of a similar event, via another channel, from occurring again. The controls also must assist with early detection and remediation should the event reoccur. The organization has the following enterprise constraints:

  1. On-premises proxies are used to control access to websites.
  2. Some staff work remotely from home and connect directly to the Internet without a VPN.
  3. Corporate firewalls send logs to a central log aggregator.
  4. More than 40,000 staff members are distributed across two core buildings and 100 small branches.

Which of the following would BEST meet the requirements? (Select THREE).

Options

  • A. Implement dedicated SSL decryptors for outbound HTTPS connections.
  • B. Migrate all staff to cloud-based proxy services.
  • C. Block webmail and file-sharing categories on the proxies.
  • D. Deploy a CASB solution to monitor and restrict file-sharing cloud services.
  • E. Deploy a DLP solution that scans FTP and HTTPS/HTTP content.
  • F. Install an on-premises file-sharing service that can be accessed only when on the corporate
  • G. Deploy VPN software and have all remote staff connect to the Internet via the corporate proxies.
  • H. Configure the SIEM to alert on access to all external collaboration sites.

Explanation

The breach occurred via a corporate-approved cloud file-sharing service, so controls must address both prevention and early detection:

  • (A) Dedicated SSL/TLS decryptors allow deep inspection of encrypted HTTPS traffic flowing through the on-premises proxies, enabling content visibility into what is being uploaded to cloud services.
  • (C) Blocking unauthorized webmail and file-sharing categories on proxies reduces the attack surface by limiting channels employees can use, while the approved service remains accessible under policy.
  • (E) A DLP (Data Loss Prevention) solution scanning FTP and HTTPS/HTTP content can detect sensitive data in outbound streams and alert or block transmission.

Note: A CASB (Option D) is often considered the most targeted solution for this scenario, as it specifically monitors cloud service usage and can enforce policies on the approved service itself. If the exam intends D and E as the answer, that is also technically defensible.

The combination of traffic decryption, channel restriction, and content scanning provides the layered defense the question requires.
