CompTIA CySA+ (CS0-001) — Question 59

In reviewing firewall logs, a security analyst has discovered the following IP address, which several employees are using frequently:
152.100.57.18
The organization's servers use IP addresses in the 192.168.0.1/24 CIDR range. Additionally, the analyst has noticed that corporate data is being stored at this new location. A few of these employees are on the management and executive management teams. The analyst has also discovered that there is no record of this IP address or service when reviewing the known locations of managed system assets. Which of the following is occurring in this scenario?

Answer options

Correct answer: C

Explanation

The correct answer is C, Data exfiltration, because the employees are storing corporate data at an unknown IP address that is not part of the organization's established assets, suggesting that sensitive information is being moved without authorization. Option A, Malicious process, is not accurate as it does not specifically indicate the movement of data. Option B, Unauthorized change, does not apply here since the focus is on data storage at an unrecognized location rather than changes to existing systems. Option D, Unauthorized access, could be a concern but does not directly address the act of data being stored elsewhere.