CompTIA Security+ (SY0-501) — Question 766

A security analyst is determining the point of compromise after a company was hacked. The analyst checks the server logs and sees that a user account was logged in at night, and several large compressed files were exfiltrated. The analyst then discovers the user last logged in four years ago and was terminated.
Which of the following should the security analyst recommend to prevent this type of attack in the future? (Choose two.)

Answer options

• A. Review and update the firewall settings
• B. Restrict the compromised user account
• C. Disable all user accounts that are not logged in to for 180 days
• D. Enable a login banner prohibiting unauthorized use
• E. Perform an audit of all company user accounts
• F. Create a honeypot to catch the hacker

Correct answer: B, E

Explanation

The correct answers are B and E. Restricting the compromised user account prevents unauthorized access and limits potential damage. Performing an audit of all company user accounts helps identify any other inactive or potentially compromised accounts, enhancing overall security. The other options, while helpful in certain contexts, do not directly address the issue of dormant accounts being exploited.