CompTIA CySA+ (CS0-001) — Question 219
An organization subscribes to multiple third-party security intelligence feeds. It receives a notification from one of these feeds indicating a zero-day malware attack is impacting the SQL server prior to SP 2. The notification also indicates that infected systems attempt to communicate to external IP addresses on port 2718 to download additional payload. After consulting with the organization's database administrator, it is determined that there are several SQL servers that are still on SP 1, and none of the SQL servers would normally communicate over port 2718. Which of the following is the BEST mitigation step to implement until the SQL servers can be upgraded to SP 2 with minimal impact to the network?
Answer options
- A. Create alert rules on the IDS for all outbound traffic on port 2718 from the IP addresses of the SQL servers running SQL SP 1
- B. On the organization's firewalls, create a new rule that blocks outbound traffic on port 2718 from the IP addresses of the servers running SQL SP 1
- C. Place all the SQL servers running SP 1 on a separate subnet. On the firewalls, create a new rule blocking connections to destination addresses external to the organization's network
- D. On the SQL servers running SP 1, install vulnerability scanning software
Correct answer: B
Explanation
The most effective mitigation step is to block outbound traffic on port 2718 from the servers running SP 1 at the firewall, as this directly prevents the malware's command-and-control and payload download attempts. Because the SQL servers never legitimately communicate over port 2718, the rule carries minimal risk of disrupting normal traffic, which satisfies the "minimal impact" requirement. Creating IDS alert rules (Option A) only detects the traffic and does not stop it; moving the servers to a separate subnet and blocking all external connections (Option C) requires re-addressing and broad firewall changes that complicate network management and risk breaking legitimate traffic; and installing vulnerability scanning software (Option D) neither prevents infection nor blocks the outbound communication.