
Exam CAS-004 topic 1 question 158 discussion

Actual exam question from CompTIA's CAS-004
Question #: 158
Topic #: 1

An organization requires a legacy system to incorporate reference data into a new system. The organization anticipates the legacy system will remain in operation for the next 18 to 24 months. Additionally, the legacy system has multiple critical vulnerabilities with no patches available to resolve them. Which of the following is the BEST design option to optimize security?

  • A. Limit access to the system using a jump box.
  • B. Place the new system and legacy system on separate VLANs.
  • C. Deploy the legacy application on an air-gapped system.
  • D. Implement MFA to access the legacy system.
Suggested Answer: B

Comments

adamwella
Highly Voted 2 years, 3 months ago
Not sure why this wouldn't be B. You would want to totally isolate and segregate the vulnerable host in an effort to minimize the potential risk that it poses on your network. Any thoughts?
upvoted 8 times
deeden
1 month ago
I guess it depends on the business' risk appetite versus ease of use (integration). Both B and C can potentially be an answer.
upvoted 1 times
Emmasa
2 years, 2 months ago
I asked myself the same question. I would definitely go for B because it is the option that makes the most sense.
upvoted 4 times
FoxTrotDG
1 year, 9 months ago
This is likely the option I would select in a real-world setting. It's hard telling what CompTIA is wanting for an answer here. I could make an argument for A, B, and C.
upvoted 1 times
Andre876
2 years, 1 month ago
I believe it is B as well. Segmenting the networks would give us the ability to apply ACLs to limit which devices have access and to which services. The jump box would work if a human was trying to access it; in this case we just need the devices to communicate.
upvoted 5 times
BiteSize
Highly Voted 1 year, 5 months ago
Selected Answer: B
Lock down the VLANs to specific ports and ACLs to permit only one-way traffic as absolutely needed to receive the information. Jump box would be ideal, but sounds very manual, unlike what the question is getting after. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)
upvoted 7 times
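A concrete version of the VLAN-plus-ACL design that BiteSize and 3041b53 describe, as an added example that is not part of the thread. It assumes Cisco IOS-style syntax and constructed placeholder values: legacy host 10.10.20.5 in VLAN 20, new system 10.10.30.8 in VLAN 30, reference data pulled from the legacy host over TCP 1433.

```cisco
! Added example, not from the thread. Placeholders (adjust to the real
! environment): legacy host 10.10.20.5 / VLAN 20, new system 10.10.30.8 /
! VLAN 30, reference data served by the legacy host on TCP 1433.
!
! What the legacy host may send: only replies to sessions the new system
! opened. "established" matches segments with ACK or RST set, a stateless
! check, so the legacy host can never originate a connection anywhere.
ip access-list extended LEGACY-EGRESS
 permit tcp host 10.10.20.5 eq 1433 host 10.10.30.8 established
 deny   ip any any log
!
! What may reach the legacy host: only the new system, only on that port.
ip access-list extended LEGACY-INGRESS
 permit tcp host 10.10.30.8 host 10.10.20.5 eq 1433
 deny   ip any any log
!
! "in" filters traffic leaving the legacy VLAN toward the switch;
! "out" filters traffic the switch forwards into the legacy VLAN.
interface Vlan20
 description LEGACY-QUARANTINE (unpatchable host, sunset in 18-24 months)
 ip address 10.10.20.1 255.255.255.0
 ip access-group LEGACY-EGRESS in
 ip access-group LEGACY-INGRESS out
!
! Pin the host to one access port so nothing else can join VLAN 20.
interface GigabitEthernet1/0/7
 description LEGACY-HOST
 switchport mode access
 switchport access vlan 20
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security
```

The logged deny entries are the detection value of this design: any packet the legacy host tries to originate toward something other than the new system shows up as a hit on the `deny ip any any log` line of LEGACY-EGRESS (`show access-lists LEGACY-EGRESS`), which is exactly the signal to alert on if the unpatched host is ever compromised.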
3041b53
Most Recent 1 week, 5 days ago
Selected Answer: B
If data needs to be exchanged between the legacy system and the new one, then the best option is to place them in different VLANs and restrict traffic by implementing ACLs.
upvoted 1 times
deeden
1 month ago
Selected Answer: C
I'm going to agree with C because most critical systems which have no patch or are hard to patch are air-gapped (e.g. ICS, nuclear facility, power plant, power utility, etc.). Do not take a chance if the risk is too great (meaning existential-level or unrecoverable damage), even in a highly unlikely scenario.
upvoted 1 times
Bright07
2 months ago
The best design option to optimize security in this scenario is B. Place the new system and legacy system on separate VLANs. The organization has a legacy system with critical vulnerabilities and no patches available. While the system is expected to remain operational for the next 18 to 24 months, it is important to minimize risk and segregate the vulnerable system from newer, more secure systems to prevent the vulnerabilities from being exploited. While C, deploying the legacy application on an air-gapped system that is physically isolated from other networks and therefore harder to breach, can provide strong isolation, it may be unrealistic or impractical for a system that needs to communicate with a new system for reference data integration. The legacy system would need a secure method of exchanging data with the new system, which could complicate operations and integration. So, the best option is to place the legacy system and the new system on separate VLANs.
upvoted 1 times
Bright07
2 months ago
The best design option to optimize security in this scenario is B. Place the new system and legacy system on separate VLANs. Explanation: The organization has a legacy system with critical vulnerabilities and no patches available. While the system is expected to remain operational for the next 18 to 24 months, it is important to minimize risk and segregate the vulnerable system from newer, more secure systems to prevent the vulnerabilities from being exploited. While deploying the legacy application on an air-gapped system that is physically isolated from other networks and therefore harder to breach can provide strong isolation, it may be unrealistic or impractical for a system that needs to communicate with a new system for reference data integration. The legacy system would need a secure method of exchanging data with the new system, which could complicate operations and integration.
upvoted 1 times
23169fd
6 months ago
Selected Answer: C
This option provides the highest level of security by completely isolating the legacy system from any network threats. Given that there are no patches available for the critical vulnerabilities, an air-gapped system ensures that the legacy system is not accessible over the network, which is a strong measure to prevent exploitation. While it may complicate data transfer, secure methods such as encrypted USB drives or other physical transfer methods can be employed.
upvoted 2 times
vdizzle
9 months ago
Selected Answer: B
All day
upvoted 2 times
hb0011
1 year ago
Air gapped is not an option guys. It has to be able to communicate with other systems. You're not going to be walking to the system and downloading files to a thumb drive and walking them over to the other systems. That's ridiculous.
upvoted 4 times
userguy890
10 months, 3 weeks ago
It's the best to optimize security though, which is what the question asks.
upvoted 1 times
Anarckii
1 year ago
Selected Answer: C
I originally went with B as I have a networking background and have been enjoying BiteSize's explanations and answers, but comparing B and C you have to look at which one offers more security from what the question asks: "BEST". Segmenting with a separate VLAN is great and isolates the traffic, but does not potentially enhance the security. Currently learning about air-gapped systems through this question, the characteristics it offers are way better than just using a VLAN: physical isolation, network isolation, and enhanced security. VLANs only logically separate the connection, not physically. So with the side-by-side comparison I have to go with C.
upvoted 4 times
biggytech
1 year, 1 month ago
Selected Answer: C
The keyword is "BEST"; security optimization is what CompTIA is going after here. Air gapping provides the BEST security compared to a VLAN. However, a VLAN is more practical IRL.
upvoted 2 times
OdinAtlasSteel
1 year, 1 month ago
Selected Answer: C
Air-Gapped System: An air-gapped system is physically isolated from other networks or systems, including the internet or external networks. This isolation significantly reduces the exposure to external threats and unauthorized access because there are no direct network connections to exploit the vulnerabilities. Data transfer into or out of the air-gapped system typically occurs through controlled means, such as manual transfers using physical media (e.g., USB drives) or dedicated secure channels. Limiting access with a jump box (Option A) might enhance access control, but if the legacy system remains vulnerable, unauthorized access could still lead to exploitation of the vulnerabilities. Placing systems on separate VLANs (Option B) is a network segmentation method that provides some isolation, but it might not offer sufficient protection against targeted attacks exploiting known vulnerabilities.
upvoted 2 times
saucehozz
1 year, 2 months ago
Selected Answer: B
[B]est answer. I had an elaborate case, but it was too long.
upvoted 4 times
saucehozz
1 year, 2 months ago
1. "legacy system to incorporate reference data into a new system": communication with new systems
2. "anticipates legacy system to remain operational for 18-24mo": indicates the legacy system is temporary
3. "critical vulnerabilities and no patches": separate it logically, physically, or both
4. "best design to optimize security": see answer [B]
upvoted 2 times
saucehozz
1 year, 2 months ago
[A.] Bastion host is great for accessing the reference data. This highly hardened host wouldn't (theoretically) allow peripheral connections except for a smart card. How would #1 work?
[B.] VLANs isolate traffic and resource communication between network devices, compartmentalizing specific systems and limiting the scope of potential attacks on the vulnerable system. Satisfies #1 with NACLs controlling traffic between VLANs, ports, and protocols. Satisfies #2 with the ease of reconfiguring a port.
[C.] Migrating a legacy application to another system could be treacherous. CapEx to acquire new hardware and OpEx to maintain the new system go up. How would #1 work?
[D.] CapEx for MFA software and OpEx to operate the MFA are increased, which goes against #2. Doesn't address #1, #3, or #4.
upvoted 2 times
ThatGuyOverThere
1 year, 2 months ago
Selected Answer: C
"BEST" is relative. C is the most secure. Would it hamper the teams too much since they couldn't access it without direct access? Probably. But if best is the most secure, this is the right answer. In the real world the best answer would probably end up being A I would think.
upvoted 2 times
ThatGuyOverThere
1 year, 2 months ago
You know, it does say "optimizing", which makes me lean toward A as the answer they want. It's hard to say without more specifics on what they are looking for.
upvoted 1 times
nmap_king_22
1 year, 2 months ago
Selected Answer: C
C. Deploy the legacy application on an air-gapped system: This option is the most secure choice in the given context. An air-gapped system is physically isolated from the network, which means it's not connected to any other systems or networks, making it extremely difficult for attackers to access and exploit the vulnerabilities. This isolation helps protect the legacy system while still allowing it to fulfill its function of incorporating reference data into the new system. In the absence of patches for critical vulnerabilities, isolating the legacy system through an air-gapped setup is the best approach to optimize security and protect the organization's data and operations.
upvoted 3 times
32d799a
1 year, 3 months ago
Selected Answer: A
B. Place the new system and legacy system on separate VLANs: This would help to contain potential malicious activity. However, this alone does not eliminate the threat to the legacy system with critical vulnerabilities.
A. Limit access to the system using a jump box: A jump box is a secure computer that administrators use to connect to other devices in a security zone. It's essentially a controlled access point. This solution would reduce the potential attack surface by limiting which users and systems can directly access the legacy system.
upvoted 1 times
JackZ
1 year, 3 months ago
Selected Answer: C
C is physically isolating
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), other (remainder)