A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
A. Geoblock the offending source country.
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall.
A is correct! Based on my work experience as an information security analyst. Re-read the question carefully. There's a reason it states the business does NOT conduct business with them. So the reasoning about it blocking legitimate traffic from users there, or the CEO going on vacation there, goes out the window. Why would you allow incoming connections from a country you do no business with? Additionally, blocking just the range of IPs isn't a good option, since the attacker can just use an IP outside of that range and they are in.
Blocking by geolocation is a common practice. China, Russia, Moldova, etc.
In my opinion, this is a trick question. They are leading you to believe the country is an unfriendly country like Russia or China but what if you are not doing business with Canada and you geoblock the country. This will have an impact where users won't be able to browse certain websites or use certain services like VoIP Trunking just to list as an example. Microsoft products communicate with IPs in many different countries around the world. The two possible answers are A or D. I believe the answer is D in this case. B doesn't make sense since the scan source will either be a single IP or it will come from many random IPs that are not in any particular subnet that can be blocked.
What if the country isn't China, Russia or Moldova? Based on my working experience it would be B. A is way too broad, and blocking a whole country based on 1 scanning IP is straight up stupid if it's not a high-risk country.
Also, this is common practice to block countries conducting unauthorized port scanning. Lookup recyber.net on Reddit. https://www.reddit.com/r/pfBlockerNG/comments/x0gty6/anyone_else_getting_a_ton_of_recyber_pings/
They have a lot of reports on AbuseIPDB for that exact reason. Port scanning.
A is correct. The multi-billion-dollar organization that I work for blocks every country we do not do business with. We make exceptions on a per-user basis when they are out of the country.
There is literally ZERO reason to have any traffic coming from that source country, as they do not conduct business with them. If you block a specific IP range, then the attacker can just spoof or obtain new IPs from the source country and continue their attack. Blocking the country as a whole will mitigate the risk, forcing the attacker to utilize other TTPs. For those who are arguing for option 'B' because maybe the CEO may travel: in the real world the CEO will typically get with the SOC to advise of their upcoming vacation and ask for a policy or exception to be put in place for his network access.
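The disagreement in the comments above comes down to coverage: a single-IP or /24 block only stops the address or range already seen, while a country block also catches the scanner's next address from the same country, at the cost of blocking everything else from there. The following script is an added example, not from ExamTopics or any commenter: it runs a port-scan heuristic over a few constructed firewall log lines, builds the three candidate rules, and tests each rule against hypothetical follow-up sources. The GeoIP table, the country codes "XX" and "YY", the documentation prefixes used as addresses, and the five-port threshold are all constructed for the illustration, not real allocations or real geolocation data.

```python
import ipaddress

# Constructed GeoIP table: prefix -> country code. Hypothetical data only;
# real geoblocking uses a maintained feed (MaxMind, pfBlockerNG lists, etc.).
GEOIP = {
    "203.0.113.0/24": "XX",   # scanner's range, country XX
    "198.51.100.0/24": "XX",  # a different range in the same country XX
    "192.0.2.0/24": "YY",     # a customer range in country YY
}

# Constructed firewall log: "<src_ip> <dst_port> <action>".
SCAN_LOG = """\
203.0.113.7 22 DENY
203.0.113.7 23 DENY
203.0.113.7 80 DENY
203.0.113.7 443 DENY
203.0.113.7 3389 DENY
192.0.2.10 443 ALLOW
"""


def country_of(ip):
    """Longest-match lookup of an IP in the constructed GeoIP table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in GEOIP.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


def scanners(log, threshold=5):
    """Sources that touched at least `threshold` distinct ports (crude scan heuristic)."""
    ports = {}
    for line in log.splitlines():
        src, port, _action = line.split()
        ports.setdefault(src, set()).add(int(port))
    return sorted(ip for ip, seen in ports.items() if len(seen) >= threshold)


# The three block strategies under discussion, expressed as rule objects.
def block_single_ip(ip):
    return {"type": "ip", "value": ipaddress.ip_network(f"{ip}/32")}


def block_range(ip, prefixlen=24):
    return {"type": "range", "value": ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)}


def block_country(ip):
    return {"type": "country", "value": country_of(ip)}


def is_blocked(rule, src):
    """Would `src` be dropped by `rule`?"""
    if rule["type"] == "country":
        return country_of(src) == rule["value"]
    return ipaddress.ip_address(src) in rule["value"]


def coverage(rules, sources):
    """For each rule type, which of `sources` it blocks."""
    return {r["type"]: [s for s in sources if is_blocked(r, s)] for r in rules}


if __name__ == "__main__":
    scanner = scanners(SCAN_LOG)[0]
    rules = [block_single_ip(scanner), block_range(scanner), block_country(scanner)]
    # Hypothetical follow-up traffic: same /24, same country but new range, and a customer.
    follow_up = ["203.0.113.9", "198.51.100.5", "192.0.2.10"]
    for rule_type, blocked in coverage(rules, follow_up).items():
        print(f"{rule_type:8s} blocks {blocked}")
```

Running it shows the trade-off the thread is arguing about: the /32 rule blocks none of the follow-up sources, the /24 rule blocks only the neighbour in the same range, and the country rule blocks both XX sources while leaving the YY customer alone. Whether that is "best" still depends on whether any legitimate inbound traffic originates in XX, which is exactly what the question stem settles by saying the company does no business there. Note the example only models inbound source filtering; outbound dependencies (update servers, SaaS endpoints) are a separate rule set.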
I choose A. Geoblock the offending source country, because we do it at my work and because the question specifically mentions that the company does not do business with that WHOLE country, and we know how CompTIA plays this game.
I would agree with A if the country were specified as a high-risk country. In this case let's say you are a German company not doing business in Belgium. Isn't geoblocking all of Belgium after 1 scan like shooting a fly with a nuke?
I choose A, but I also understand your point; you are reading more into it, though. With CompTIA you gotta take it as it is in the question. That's what I got from taking all their certs: never over-analyze.
I see that banning the geographical scope is better, and it is true, because in the scenario it gave us important information: the company does not deal with this country, and there is no business between this country and the company. So why would I only ban an IP? It may be an intruder or a hacker who wants to collect information or hack my company's system, and if I block ABB, I will not benefit; I may have a thousand IPs deceiving me or in other ways. As long as they do not work with us, take the geographical domain, and there is no business between my company and them, I see that the best solution is a geographical ban, so the answer is a geographical ban.
Community vote distribution: A (35%), C (25%), B (20%), other.