1. An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the
firmware versions on several field devices. The asset owners confirm that no firmware version updates
were performed by authorized technicians, and customers have not reported any performance issues or
outages.
Which of the following actions would be BEST for the analyst to recommend to the asset owners to
secure the devices from further exploitation?
A. Change the passwords on the devices.
B. Implement BIOS passwords.
C. Remove the assets from the production network for analysis.
D. Report the findings to the threat intel community.
Answer: C
Explanation:
If we were referring to other devices, yes: implement BIOS passwords before they are compromised. But the
ones that were already compromised need to be removed from the system to avoid further
exploitation. Plus, if you put a password on there, the attacker may now have your password.
Remove the assets from the production network for analysis. If the analyst receives an alert about
unauthorized changes to the firmware versions on several field devices, the best action to recommend to
the asset owners is to remove the assets from the production network for analysis. This would prevent
further exploitation of the devices by isolating them from potential attackers and allow the analyst to
investigate the source and nature of the unauthorized changes. Changing the passwords on the devices,
implementing BIOS passwords, or reporting the findings to the threat intel community are other possible
actions, but they are not as effective or urgent as removing the assets from the production network for
analysis.
Reference: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
2. As part of the senior leadership team's ongoing risk management activities, the Chief Information
Security Officer has tasked a security analyst with coordinating the right training and testing methodology
to respond to new business initiatives or significant changes to existing ones. The management team
wants to examine a new business process that would use existing infrastructure to process and store
sensitive data.
Which of the following would be appropriate for the security analyst to coordinate?
A. A black-box penetration testing engagement
B. A tabletop exercise
C. Threat modeling
D. A business impact analysis
Answer: C
Explanation:
Threat modeling is a process that helps identify and analyze the potential threats and vulnerabilities of a
system or process. It can help evaluate the security risks and mitigation strategies of a new business
process that would use existing infrastructure to process and store sensitive data. A black-box penetration
testing engagement, a tabletop exercise, or a business impact analysis are other methods that can be
used to assess the security or resilience of a system or process, but they are not as appropriate as threat
modeling for coordinating the right training and testing methodology to respond to new business initiatives
or significant changes to existing ones.