CompTIA CySA+ (CS0-002) — Question 308
A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should the analyst do to block this activity?
Answer options
- A. Create an IPS rule to block the subnet.
- B. Sinkhole the IP address.
- C. Create a firewall rule to block the IP address.
- D. Close all unnecessary open ports.
Correct answer: C
Explanation
The correct answer is C, because a firewall rule specifically targets and blocks the offending IP address. Option A is incorrect because an IPS rule that blocks the whole subnet is broader than necessary and is not targeted at the single scanning IP. Option B, sinkholing the IP, is a less direct response and could introduce additional complexity. Option D, while it may reduce the attack surface, does not directly address the scanning activity from the identified IP.