Exam SY0-701 topic 1 question 315 discussion

A. Check for recently terminated DBAs. The code indicates that the database was intentionally dropped based on a specific date, which suggests that someone with access and knowledge of the database setup (such as a database administrator) may have executed or scheduled this command. Checking for recently terminated DBAs could help identify if an insider threat or an ex-employee had a role in this incident.

The answer is B. Based on the provided scenario, the security analyst should prioritize reviewing Web Application Firewall (WAF) logs for evidence of command injection. The unusual database command suggests an unauthorized change, possibly through an injection attack. Checking for recently terminated DBAs is less relevant in this situation.

This isn’t command injection, and it isn’t random malware. It’s a logic bomb—a deliberate, time-based destructive action planted by someone with access. WAF logs – Irrelevant here. The code executed internally, not via a web-based command injection.

The answer is B and I believe that should be the first step. A check with copilot says Based on the situation described, where malicious code appears to have intentionally dropped the database on a specific date, the most appropriate next step for the security analyst would likely be B. Review WAF logs for evidence of command injection. Here’s why: Investigating the WAF logs might lead to valuable insights into how this malicious action was triggered

The best action is to check WAF logs first to determine its not an external command injection attack. After that A is the go-to

Why not B? Review WAF logs for evidence of command injection: This is unnecessary in this case because the malicious code is already in the database, indicating insider action rather than external exploitation via command injection.

The given SQL code (DROP DATABASE) appears to be intentionally destructive, as it specifies a condition (IF DATE() = "01/30/2023") to delete the primary database on a specific date. Such activity is often indicative of an insider threat, particularly by someone who had privileged access to the database, such as a Database Administrator (DBA). The first step is to investigate whether a disgruntled employee or recently terminated DBA inserted this malicious code into the backup process.

Answer should be A. The analyst found a logic bomb in the database backup code most likely in a job running on the sever on schedule. Most likely this job was created by the DBA. SQL injection code typically uses special command characters to comment out the normally run code.

he WAF logs could provide valuable information on malicious requests or attempts to exploit such vulnerabilities, especially command injection.

B. Review WAF logs for evidence of command injection. The code provided (DROP DATABASE WebShopOnline) suggests that the database was deliberately dropped on a specific date (January 30, 2023). This could potentially be the result of a command injection attack, where an attacker inserts malicious code to manipulate or destroy the database.

Answer is B

While insider threats are always a possibility, the structure of the code suggest an automated or external trigger, rather than an action by a disgruntled employee. A terminate DBA would likely have direct access to drop the database rather than making such as time specific command. Attackers use SQL injection to execute commands like DROP Database remotely through vulnerable interfaces. So B. Reviewing the WAF logs for evidence of command injection makes the correct answer.