
Exam SY0-501 topic 1 question 867 discussion

Actual exam question from CompTIA's SY0-501
Question #: 867
Topic #: 1

The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?

  • A. Install a NIDS device at the boundary.
  • B. Segment the network with firewalls.
  • C. Update all antivirus signatures daily.
  • D. Implement application blacklisting.
Suggested Answer: B

Comments

CoRell
Highly Voted 4 years, 8 months ago
B. To MITIGATE these threats in the future, a firewall can help. A. Would only "detect" not mitigate. C. Would only "detect" not mitigate. D. Blacklisting is never a good security practice (as opposed to whitelisting), because it's hard to stay on top of all factors that would need to be blacklisted.
upvoted 18 times
Max_DeJaV
4 years, 8 months ago
C could also be right. If the AV is updated with the latest signatures, it will detect new worms and mitigate the risk (if not a zero day). But in this case B is a good practice.
upvoted 2 times
Drui
4 years, 8 months ago
The key is that it was able to spread unhindered throughout the network; otherwise the answer would be C.
upvoted 3 times
maxdamage
Highly Voted 4 years, 7 months ago
The problem of a virus spreading within a network is NOT going to be stopped by a firewall. You don't have firewalls that restrict traffic between VLANs, but routers or layer3 switches, which have no knowledge of application-level executables like viruses. A firewall can help with perimeter defense against viruses but only if it's a UTM device capable of AV scanning. So we're still required to mitigate a virus threat by using an AV. And since we don't have the AV-on-UTM option, we're left with the AV-on-workstations solutions. C is the right answer.
upvoted 7 times
thisguyfucks
Most Recent 2 years ago
B. Segment the network with firewalls would be the BEST recommendation to mitigate the impacts of a similar incident in the future. Segmenting the network with firewalls creates smaller network segments that can be isolated in the event of an incident, preventing a worm from spreading throughout the entire network. This can limit the scope of an incident and prevent the damage from being widespread. While installing a NIDS device at the boundary and updating all antivirus signatures daily are also good practices, they are not as effective at preventing the spread of a worm throughout a network as segmenting the network with firewalls. Implementing application blacklisting can help to prevent certain applications from running on the network, but it is not a comprehensive solution to prevent the spread of a worm.
upvoted 1 times
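To make the containment argument in this answer concrete, here is an added example (not from the page or any of its commenters) that models worm propagation as reachability over a constructed host inventory, once under a flat policy and once under an inter-segment firewall policy. The hosts, segments, rules and the propagation port 445 are all constructed for the illustration.

```python
from collections import deque

# Constructed inventory: host -> network segment (not from the page).
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "dc-01": "mgmt",
}
WORM_PORT = 445  # constructed: the port the worm uses to propagate

# Flat network: every segment may reach every other segment on any port.
FLAT_POLICY = [("*", "*", "*")]

# Segmented network: firewalls between segments permit only required flows.
SEGMENTED_POLICY = [
    ("workstations", "app", 443),   # users -> web front end
    ("app", "db", 5432),            # app tier -> database
    ("mgmt", "*", 22),              # admins -> everything over SSH
]

def allowed(policy, src_seg, dst_seg, port):
    """True if some rule permits src_seg -> dst_seg on port.
    Traffic inside one segment does not cross a firewall, so it is always allowed."""
    if src_seg == dst_seg:
        return True
    for rule_src, rule_dst, rule_port in policy:
        if (rule_src in ("*", src_seg) and rule_dst in ("*", dst_seg)
                and rule_port in ("*", port)):
            return True
    return False

def simulate_worm(policy, patient_zero, port=WORM_PORT):
    """Breadth-first spread: an infected host infects every host it can reach
    on the worm's port. Returns the set of infected hosts."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, dst_seg in HOSTS.items():
            if dst not in infected and allowed(policy, HOSTS[src], dst_seg, port):
                infected.add(dst)
                queue.append(dst)
    return infected

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = simulate_worm(policy, "ws-01")
        print(f"{name:9s}: {len(hit)}/{len(HOSTS)} hosts infected -> {sorted(hit)}")
```

Under the flat policy a single infected workstation reaches every host; under the segmented policy the outbreak stays inside the workstation segment because no inter-segment rule permits the worm's port.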
SophyQueenCR82
2 years, 1 month ago
B. For example, when new worms infect Internet servers and then try to spread to other Internet servers, the connections must pass through an organization’s firewall. The network administrator who monitors the firewall is the first to notice and report these worm outbreaks. The administrator will notice hundreds of denied connections to servers on the network, as the firewall is blocking these connections from entering. DoS attacks are also detected in a similar manner.
upvoted 1 times
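The firewall-log symptom described in this comment (one host producing many denied connections to distinct servers on one port) can be turned into a simple detection. The following is an added example, not from the page or its commenters; the syslog-style deny line format, the addresses and the threshold are all constructed.

```python
import re
from collections import defaultdict

# Constructed log format: "<ts> <fw> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(line):
    """Return the parsed fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_fanout(lines, threshold=20):
    """Return {src: (dport, distinct_dst_count)} for every source whose DENIED
    connections on a single destination port fan out to at least `threshold`
    distinct destination hosts, the pattern a scanning worm leaves behind."""
    denied = defaultdict(set)  # (src, dport) -> set of denied destinations
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "DENY":
            denied[(rec["src"], rec["dport"])].add(rec["dst"])
    alerts = {}
    for (src, dport), dsts in denied.items():
        if len(dsts) >= threshold:
            alerts[src] = (int(dport), len(dsts))
    return alerts

def constructed_logs():
    """Constructed sample: one host sweeping 40 servers on port 445, one admin
    host with two ordinary denies, one allowed flow, and one malformed line."""
    lines = [f"2024-01-01T10:00:{i % 60:02d} fw01 DENY TCP 10.1.1.5:{50000 + i} -> 10.2.0.{i + 1}:445"
             for i in range(40)]
    lines += [
        "2024-01-01T10:00:05 fw01 DENY TCP 10.1.1.9:40000 -> 10.2.0.10:22",
        "2024-01-01T10:00:06 fw01 DENY TCP 10.1.1.9:40001 -> 10.2.0.11:22",
        "2024-01-01T10:00:07 fw01 ALLOW TCP 10.1.1.9:40002 -> 10.2.0.20:443",
        "garbage line that does not parse",
    ]
    return lines

if __name__ == "__main__":
    for src, (dport, count) in find_fanout(constructed_logs()).items():
        print(f"possible worm: {src} denied to {count} hosts on port {dport}")
```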
yilka
2 years, 10 months ago
Since it defines the case as unhindered (not detected or stopped), it was able to spread. Based on this we could prioritize the daily update of the signatures. Segmentation is also fine, but since the CSIRT member is expected to act, the daily AV signature update is more reasonable.
upvoted 1 times
copeichina
3 years, 1 month ago
The answer is C. Remember this: antivirus software detects and removes malware, such as viruses, Trojans, and worms. Signature-based antivirus software detects known malware based on signature definitions. Heuristic-based software detects previously unknown malware based on behavior. Malware developers regularly release new viruses, so it’s essential to update signature definition files regularly. Most antivirus software includes the ability to automate the process of checking and downloading updated signature definition files. They typically check for updates several times a day. From Darril Gibson's Study Guide.
upvoted 1 times
fonka
3 years, 9 months ago
The given answer is right because the objective is to limit the damage zone when an incident occurs. Updating antivirus is a good practice, but big companies with excellent antivirus are still being affected by cyber criminals, so the question is interested in focusing on how to limit the damage. Firewall segmentation: firewalls are deployed inside a network or data center to create internal zones to segment functional areas from each other in order to limit attack surfaces, thereby preventing threats from spreading beyond a zone. An example could be separating engineering applications from finance.
upvoted 1 times
yeaggie
4 years ago
Segmenting networks is done with VLANs.
upvoted 1 times
yeaggie
4 years ago
Has to be C. Update all antivirus signatures daily.
upvoted 1 times
b4ssey
4 years, 4 months ago
The catch is "spread unhindered throughout the network". A=>Detects B=>Correct C=>Precautions on the System D=>How many applications would you blacklist?
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other