CompTIA Security+ (SY0-601) — Question 99
During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?
Answer options
- A. Check for any recent SMB CVEs.
- B. Install AV on the affected server.
- C. Block unneeded TCP 445 connections.
- D. Deploy a NIDS in the affected subnet.
Correct answer: C
Explanation
The correct action is to block unneeded TCP 445 connections. SMB has no business being reachable from the internet, so a perimeter firewall rule that permits TCP 445 only from the internal networks that actually need it, and drops everything else, removes the attack vector immediately and does so whether or not the server has been patched yet. Checking for recent SMB CVEs (A) and patching is the right follow-up to address the root cause, but it is slower and does nothing for the next unpatched flaw as long as the port stays exposed. Installing AV on the affected server (B) does not reliably stop a network-borne exploit of the SMB service itself. Deploying a NIDS in the subnet (D) only detects the malicious traffic; it does not prevent the exploitation.
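An added example, not part of the exam page, of what "block unneeded TCP 445" means in practice: the policy is "accept SMB only from a known internal allow-list, drop it from everyone else", which is expressed both as a decision function run over constructed connection attempts and as the equivalent nftables fragment. The allow-list networks and the sample connection records are assumptions for illustration; the example also goes slightly beyond the question by covering TCP 139 (SMB over the NetBIOS session service), which is normally blocked alongside 445 at the perimeter.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: these are the only networks that legitimately need SMB access to
# the server. Replace with your own allow-list.
ALLOWED_SMB_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# TCP 445 is direct SMB; TCP 139 is SMB over the NetBIOS session service and is
# usually blocked together with it at the perimeter.
SMB_PORTS = frozenset({139, 445})


@dataclass(frozen=True)
class ConnAttempt:
    src: str
    dst_port: int


def is_allowed_source(src: str) -> bool:
    """True if the source address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SMB_SOURCES)


def smb_policy(attempt: ConnAttempt) -> str:
    """Return 'pass' (rule does not apply), 'accept' or 'drop' for one attempt."""
    if attempt.dst_port not in SMB_PORTS:
        return "pass"
    return "accept" if is_allowed_source(attempt.src) else "drop"


def summarize(attempts):
    """Group attempts by decision; the 'drop' bucket is what was exposed before."""
    buckets = {"pass": [], "accept": [], "drop": []}
    for a in attempts:
        buckets[smb_policy(a)].append(f"{a.src}->{a.dst_port}")
    return buckets


def nft_rules(allowed=ALLOWED_SMB_SOURCES, ports=SMB_PORTS) -> str:
    """Render an nftables fragment that enforces the same policy on IPv4."""
    allow = ", ".join(str(n) for n in allowed)
    port_set = ", ".join(str(p) for p in sorted(ports))
    return "\n".join([
        "table inet smb_guard {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr {{ {allow} }} tcp dport {{ {port_set} }} accept",
        f"    tcp dport {{ {port_set} }} drop",
        "  }",
        "}",
    ])


# Constructed sample records: TEST-NET addresses stand in for the internet.
SAMPLE_ATTEMPTS = [
    ConnAttempt("203.0.113.7", 445),    # internet-sourced SMB: dropped
    ConnAttempt("198.51.100.9", 139),   # internet-sourced NetBIOS/SMB: dropped
    ConnAttempt("10.4.2.1", 445),       # internal client in 10.0.0.0/8: accepted
    ConnAttempt("192.168.10.55", 445),  # allow-listed subnet: accepted
    ConnAttempt("203.0.113.7", 443),    # HTTPS: this rule does not apply
]

if __name__ == "__main__":
    for decision, hits in summarize(SAMPLE_ATTEMPTS).items():
        print(decision, hits)
    print(nft_rules())
```

The rendered fragment can be loaded with `nft -f` on a Linux host or translated to the perimeter firewall's own syntax; it only covers IPv4, so add matching `ip6 saddr` rules if the server has a public IPv6 address. Note that the `drop` line is unconditional for everything not matched by the allow line above it, which is the point: the default for SMB from unknown sources is deny, and exceptions are listed explicitly.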