CompTIA SecurityX (CAS-005) — Question 251
A security analyst received a notification from a cloud service provider regarding an attack detected on a web server. The cloud service provider shared the following information about the attack:
• The attack came from inside the network.
• The attacking source IP was from the internal vulnerability scanners.
• The scanner is not configured to target the cloud servers.
Which of the following actions should the security analyst take first?
Answer options
- A. Create an allow list for the vulnerability scanner IPs in order to avoid false positives.
- B. Configure the scan policy to avoid targeting an out-of-scope host.
- C. Set network behavior analysis rules.
- D. Quarantine the scanner sensor to perform a forensic analysis.
Correct answer: B
Explanation
The correct answer is B because configuring the scan policy to exclude out-of-scope hosts prevents further incidents in which the scanner inadvertently targets the cloud servers. Option A is incorrect because creating an allow list does not address the misconfiguration itself. Option C does not directly resolve the source of the problem. Option D, while it may provide insights, should not be the first step when a policy adjustment can prevent further issues.