CISSP · Question #1478
An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the or
The correct answer is D. Implement logical network segmentation at the switches. Once a sniffer is installed on an internal host, network segmentation limits the broadcast domains and VLANs visible to that compromised machine, reducing the attacker's ability to capture traffic from other network segments.
Question
An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker's ability to gain further information?
Options
- AImplement packet filtering on the network firewalls
- BInstall Host Based Intrusion Detection Systems (HIDS)
- CRequire strong authentication for administrators
- DImplement logical network segmentation at the switches
How the community answered
(39 responses)- A26% (10)
- B8% (3)
- C10% (4)
- D56% (22)
Why each option
Once a sniffer is installed on an internal host, network segmentation limits the broadcast domains and VLANs visible to that compromised machine, reducing the attacker's ability to capture traffic from other network segments.
Packet filtering on perimeter firewalls controls ingress and egress traffic at the network boundary but does not restrict what an internal sniffer can observe on the local network segment after the perimeter has already been breached.
HIDS monitors activity on individual hosts and can detect suspicious behavior, but it does not prevent a sniffer already installed on a different compromised host from capturing network traffic traversing shared segments.
Strong authentication for administrators protects privileged account access but does not limit the network traffic visible to a sniffer that has already been installed on an internal machine by an attacker who bypassed the perimeter.
Logical network segmentation using VLANs and switch-level controls confines broadcast traffic to specific segments, meaning a sniffer on one compromised host can only capture traffic within its own VLAN or subnet. This directly limits lateral reconnaissance by preventing the attacker from seeing traffic destined for other segments. Without segmentation, a sniffer on a flat network can potentially capture all broadcast and multicast traffic across the entire organization.
Concept tested: Network segmentation to limit sniffing after compromise
Source: https://www.cisecurity.org/controls/network-monitoring-and-defense
Topics
Community Discussion
No community discussion yet for this question.