CompTIA Security+ (SY0-601) — Question 495

A security audit has revealed that a process control terminal is vulnerable to malicious users installing and executing software on the system. The terminal is beyond end-of-life support and cannot be upgraded, so it is placed on a protected network segment. Which of the following would be MOST effective to implement to further mitigate the reported vulnerability?

Answer options

• A. DNS sinkholing
• B. DLP rules on the terminal
• C. An IP blacklist
• D. Application whitelisting

Correct answer: D

Explanation

Application whitelisting is the most effective option as it ensures that only approved applications can run on the terminal, thereby preventing unauthorized software execution. DNS sinkholing, DLP rules, and an IP blacklist could provide some level of security, but they do not specifically prevent the execution of potentially harmful applications on the system.