CompTIA CySA+ (CS0-002) — Question 385

An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages.
Which of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation?

Answer options

• A. Change the passwords on the devices.
• B. Implement BIOS passwords.
• C. Remove the assets from the production network for analysis.
• D. Report the findings to the threat intel community.

Correct answer: C

Explanation

The best recommendation is to remove the assets from the production network for analysis, as it prevents any potential exploitation while allowing for a thorough investigation. Changing passwords or implementing BIOS passwords may not address the underlying issue of unauthorized firmware changes. Reporting findings to the threat intel community may be beneficial but does not provide immediate protection for the affected devices.