CompTIA SecurityX (CAS-005) — Question 31
An incident response team completed recovery from offline backup for several workstations. The workstations were subjected to a ransomware attack after users fell victim to a spear-phishing campaign, despite a robust training program. Which of the following questions should be considered during the lessons-learned phase to most likely reduce the risk of reoccurrence? (Choose two.)
Answer options
- A. Are there opportunities for legal recourse against the originators of the spear-phishing campaign?
- B. What internal and external stakeholders need to be notified of the breach?
- C. Which methods can be implemented to increase speed of offline backup recovery?
- D. What measurable user behaviors were exhibited that contributed to the compromise?
- E. Which technical controls, if implemented, would provide defense when user training fails?
- F. Which user roles are most often targeted by spear phishing attacks?
Correct answer: D, E
Explanation
The correct answers are D and E. The lessons-learned phase should produce findings that lower the likelihood or impact of a repeat incident. Option D asks which measurable user behaviors (for example, opening the attachment, following the link, or entering credentials) led to the compromise; knowing precisely where the existing training failed lets the team adjust training, policy, or both. Option E asks which technical controls would have stopped or contained the attack when a user made the wrong decision, which matters here because the organization already had a robust training program and was still breached, so relying on awareness alone is not enough. Options A, B, and C are legitimate incident response concerns but do not reduce the risk of recurrence: legal recourse (A) is reactive, stakeholder notification (B) belongs to the communication and reporting activities of the current incident, and faster offline recovery (C) shortens downtime without preventing the next infection. Option F (which roles are most targeted) is useful threat intelligence but is less directly actionable than D and E, because it does not explain why the controls in place failed or what would compensate for that failure.