CompTIA SecurityX (CAS-005) — Question 151

During a recent security event, access from the non-production environment to the production environment enabled unauthorized users to install unapproved software and make unplanned configuration changes. During an investigation, the following findings are identified:

• Several new users were added in bulk by the IAM team.
• Additional firewall and routers were recently added to the network
• Vulnerability assessments have been disabled for all devices for more than 30 days.
• The application allow list has not been modified in more than two weeks.
• Logs were unavailable for various types of traffic
• Endpoints have not been patched in more than ten days.

Which of the following actions would most likely need to be taken to ensure proper monitoring is in place within the organization? (Choose two.)

Answer options

• A. Disable bulk user creations by the IAM team.
• B. Extend log retention for all security and network devices for 180 days for all traffic.
• C. Review the application allow list on a daily basis to make sure it is properly configured.
• D. Routinely update all endpoints and network devices as soon as new patches/hot fixes are available.
• E. Ensure all network and security devices are sending relevant data to the SIEM
• F. Configure rules on all firewalls to only allow traffic from the production environment to the non-production environment.

Correct answer: B, E

Explanation

Option B is correct as extending log retention is crucial for analyzing past events and identifying unauthorized activities. Option E is also correct because ensuring that all devices send relevant data to the SIEM is essential for effective monitoring and incident response. The other options, while beneficial for security, do not directly address the immediate need for enhanced monitoring capabilities.