CompTIA CASP+ (CAS-004) — Question 170

A network administrator for a completely air-gapped and closed system has noticed that anomalous external files have been uploaded to one of the critical servers. The administrator has reviewed logs in the SIEM that were collected from security appliances, network infrastructure devices, and endpoints. Which of the following processes, if executed, would be MOST likely to expose an attacker?

Answer options

• A. Reviewing video from IP cameras within the facility
• B. Reconfiguring the SIEM connectors to collect data from the perimeter network hosts
• C. Implementing integrity checks on endpoint computing devices
• D. Looking for privileged credential reuse on the network

Correct answer: A

Explanation

Option A is correct because reviewing video footage from IP cameras can provide visual evidence of unauthorized access or suspicious behavior in the facility. The other options, while useful for security, do not directly capture real-time physical evidence of an attack occurring in a closed system.