CompTIA CySA+ (CS0-003) — Question 436
An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must remain accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two.)
Answer options
- A. Drop the tables on the database server to prevent data exfiltration.
- B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
- C. Stop the httpd service on the web server so that the adversary cannot use web exploits.
- D. Use microsegmentation to restrict connectivity to/from the web and database servers.
- E. Comment out the HTTP account in the /etc/passwd file of the web server.
- F. Move the database from the database server to the web server.
Correct answer: B, D
Explanation
Option B is correct: deploying EDR on both the web server and the database server gives the team visibility into the adversary's activity on each host and the ability to detect and respond to it while the systems stay in service, which limits what the adversary can do. Option D is also correct: microsegmentation restricts network traffic to and from the web and database servers to only the connections that are required (the reverse proxy to the web server, and the web server to the database), which contains lateral movement while still allowing the necessary communication. The other options either fail to contain the adversary or would disrupt services that must stay available: dropping the tables (A) destroys the data and evidence, stopping httpd (C) and disabling the HTTP account (E) take the web service offline, and moving the database onto the web server (F) does nothing to contain the adversary and removes the separation between the two tiers.