Exam CAS-004 topic 1 question 265 discussion

D. Install a vulnerability scanning agent on each remote laptop to submit scan data. Since remote worker laptops do not access the network regularly, installing a vulnerability scanning agent on each remote laptop to submit scan data would be the best option for the security team to ensure that remote worker laptops are scanned before being granted access to the corporate network. This way, each laptop will be scanned and evaluated for compliance with the security baseline before it is allowed to access the corporate network, regardless of its location. Network access control, 802.1X implementation, and a vulnerability scanning subnet are all viable solutions, but they would require remote workers to be connected to the corporate network, which may not always be possible or practical.

D. Install a vulnerability scanning agent on each remote laptop to submit scan data is the BEST option for the security team to ensure remote worker laptops are scanned before being granted access to the corporate network. Since the remote worker laptops do not access the network regularly, options A, B, and C would not be effective as they rely on network access and connectivity to perform scanning or validation. Option D, on the other hand, involves installing a scanning agent on each remote laptop, which would allow the security team to collect vulnerability data and validate if the endpoint meets the security baseline before granting network access. This solution provides a comprehensive approach to ensure the security of remote laptops before accessing the corporate network.

Ans is D Here is why Install a Vulnerability Scanning Agent on Each Remote Laptop: By deploying a vulnerability scanning agent on each remote laptop, you can ensure that these devices are regularly scanned for compliance with security baselines, even when they are not connected to the corporate network. The agent can perform scans locally and then submit the results to the corporate security infrastructure when the laptop connects to the network. This method ensures that security baselines are checked regardless of the device's location. A. Implement network access control to perform host validation of installed patches: Network access control (NAC) is excellent for enforcing security policies but generally requires the device to be connected to the corporate network. For remote workers who may not connect frequently, this approach would not be as effective.

Network Access Control (NAC) is the most effective solution to ensure that remote worker laptops are scanned and compliant with the security baseline before accessing the corporate network. While vulnerability scanner agent ensures visibility into device compliance, it does not enforce restrictions on non-compliant devices when accessing corporate network.

Part 1. A new mandate by the corporate security team requires that all endpoints must meet a security baseline before accessing the corporate network. Mandate states you gota be up to a level to join. NAC... Part 2. Of question wants the best method in relation to Part one. NAC The vulnerable scan would just say yep the pc isn't up to snuff and leave you there. NAC would deny entry as mandated or also offer remediation

Ans is D Here is why Install a Vulnerability Scanning Agent on Each Remote Laptop: By deploying a vulnerability scanning agent on each remote laptop, you can ensure that these devices are regularly scanned for compliance with security baselines, even when they are not connected to the corporate network. The agent can perform scans locally and then submit the results to the corporate security infrastructure when the laptop connects to the network. This method ensures that security baselines are checked regardless of the device's location. A. Implement network access control to perform host validation of installed patches: Network access control (NAC) is excellent for enforcing security policies but generally requires the device to be connected to the corporate network. For remote workers who may not connect frequently, this approach would not be as effective.

A. NAC

Answer is (D) according to ChatGPT

Falling back on reading comprehension here: Question asks: [...BEST option...to ensure...scanned BEFORE...access to...network?] Translation: scan first, connect second A. INCORRECT [connect first] B. INCORRECT [connect first] C. INCORRECT [connect first] D. CORRECT [scan first]

It worries me that so many people voted for anything other than A.

Not only is this a great use case for NAC but how is the vulnerability scanner getting the latest plugins if the machine is offline for a long period of time?

I gotta agree with the others that say this is what NAC was made for and is the best answer.

Reasoning in previous comment

A NAC is there to inspect a device before it is allowed to connect to the corporate network. If the device does not pass inspection, it is not allowed access. Submitting a scan sounds good, but what are the criteria for submitting the results? Within 24 hours? 72 hours? 1 week? How does the vuln scanner get on the device, does it have to connect to the corporate network for the security team to install it? If so, access to the corporate network has already began before the vuln scanner has had the opportunity to produce results. What about allowed configurations, versions of software, etc? With these variables, a NAC is something I'm more comfortable with. Vuln scanner is awesome, but I'd say thats 1 step different from what the question is asking.

Vulnerability Scanning Agent: Installing a vulnerability scanning agent on each remote laptop allows for remote scanning of these devices. This approach ensures that the laptops are scanned for compliance with the security baseline before they connect to the corporate network. The agent can periodically conduct scans and report the results to a centralized system for assessment. It's a proactive way to ensure that remote devices meet security requirements.

The correct answer is A. This is what NAC is meant to do.

The question is not talking about vulnerability scanning but whether endpoints meet a particular baseline. Option A