Exam CAS-004 topic 1 question 389 discussion

Actual exam question from CompTIA's CAS-004
Question #: 389
Topic #: 1

A company recently migrated all its workloads to the cloud and implemented a transit VPC with a managed firewall. The cloud infrastructure implements a 10.0.0.0/16 network, and the firewall implements the following ACLs:



The Chief Information Security Officer wants to monitor relevant traffic for signs of data exfiltration. Which of the following should the organization place in its monitoring tool to BEST detect data exfiltration while reducing log size and the time to search logs?

  • A. FROM UDP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY
  • B. FROM TCP 10.0.0.0/16 80,443 TO 0.0.0.0/0 ANY
  • C. FROM TCP 0.0.0.0/0 ANY TO 10.0.0.0/16 80,443,22
  • D. FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY
  • E. FROM IP 0.0.0.0/0 ANY TO TCP 0.0.0.0/0 ANY
  • F. FROM UDP 0.0.0.0/0 ANY TO 0.0.0.0/0 ANY
Suggested Answer: A 🗳️
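To make the trade-off the options describe concrete, here is an added Python example (not from ExamTopics or the exam) that parses the six candidate rules as written and counts which constructed sample flows each would log. It assumes a port list binds to the address next to it (as option C reads) and that the stray TCP after TO in option E applies to the whole rule.

```python
import ipaddress

PROTOS = ("TCP", "UDP", "IP")

# Candidate monitoring rules, copied from the answer options above.
RULES = {
    "A": "FROM UDP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY",
    "B": "FROM TCP 10.0.0.0/16 80,443 TO 0.0.0.0/0 ANY",
    "C": "FROM TCP 0.0.0.0/0 ANY TO 10.0.0.0/16 80,443,22",
    "D": "FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY",
    "E": "FROM IP 0.0.0.0/0 ANY TO TCP 0.0.0.0/0 ANY",
    "F": "FROM UDP 0.0.0.0/0 ANY TO 0.0.0.0/0 ANY",
}

def _ports(tok):
    return None if tok == "ANY" else {int(p) for p in tok.split(",")}

def parse_rule(text):
    """FROM <proto> <net> <ports> TO [<proto>] <net> <ports>.
    Assumption: a port list binds to the adjacent address (as in option C),
    and a protocol token after TO (option E) overrides the one after FROM."""
    t = text.split()
    proto, src, sport, rest = t[1], t[2], t[3], t[5:]
    if rest[0] in PROTOS:
        proto, rest = rest[0], rest[1:]
    return {"proto": proto, "src": ipaddress.ip_network(src), "sport": _ports(sport),
            "dst": ipaddress.ip_network(rest[0]), "dport": _ports(rest[1])}

def matches(rule, flow):
    proto, sip, sp, dip, dp = flow
    return (rule["proto"] in ("IP", proto)
            and ipaddress.ip_address(sip) in rule["src"]
            and ipaddress.ip_address(dip) in rule["dst"]
            and (rule["sport"] is None or sp in rule["sport"])
            and (rule["dport"] is None or dp in rule["dport"]))

# Constructed sample flows (not from the page): proto, src, sport, dst, dport.
FLOWS = [
    ("TCP", "10.0.5.7", 51234, "203.0.113.10", 443),   # client HTTPS out
    ("TCP", "10.0.10.9", 51236, "198.51.100.4", 22),   # SSH/SCP out
    ("UDP", "10.0.5.7", 51237, "198.51.100.53", 53),   # DNS out, worth watching
    ("TCP", "10.0.3.3", 443, "192.0.2.9", 52000),      # internal web server reply
    ("TCP", "192.0.2.8", 40000, "10.0.10.9", 22),      # inbound SSH
    ("TCP", "192.0.2.9", 40001, "10.0.3.3", 443),      # inbound HTTPS
]

def matched_flows(option, flows=FLOWS):
    """Flows that the chosen option's rule would log."""
    rule = parse_rule(RULES[option])
    return [f for f in flows if matches(rule, f)]

def coverage(flows=FLOWS):
    """Per option: number of sample flows logged (log volume vs. outbound coverage)."""
    return {k: len(matched_flows(k, flows)) for k in RULES}
```

Running `coverage()` over the sample set shows how D logs every outbound flow while the narrower options each miss some, which is the tension the comments below argue about.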

Comments

YUYUY
5 months, 1 week ago
Selected Answer: D
I'm conflicted here. The question asks for the answer that "BEST detects data exfiltration", so I would go with D because this covers ALL outbound ports that could be used for data exfil. But it also says "while reducing log size and the time to search logs". That would make me go with B. This answer narrows the scope because it only looks at TCP ports 80 and 443 (two of the known ports for data exfil). This would give you a lot fewer logs than option D. I'll stick with the most secure option and go with D.
upvoted 4 times
armid
2 days, 1 hour ago
Agree, B would not cover insiders and that darn port 22. I think the "while reducing logs" is meant in comparison to other answers such as E, which would also cover all exfils but there would be much more logging involved.
upvoted 1 times
armid
2 hours, 55 minutes ago
Still D but ignore that comment about port 22, brainfart
upvoted 1 times
CraZee
5 months, 1 week ago
I agree with gunwo below... isn't D already implemented in the FW? That being the case, I think B is the right answer.
upvoted 1 times
Whip
3 months, 3 weeks ago
organization place in its monitoring tool... not about FW
upvoted 1 times
talosDevbot
5 months, 3 weeks ago
Has to be D. Let's look at the permitted ingress traffic: HTTP/S traffic from any IP, and SSH (maybe SCP or SFTP) traffic from a different internal network to 10.0.10.0/24. There is that risk of a malicious insider/admin SSHing into the VPC and exfiltrating data with various methods. So the most comprehensive option here is D, from the VPC to any. While the log size will be large, it's the only option that covers all possible data exfiltration ways.
upvoted 1 times
Potato42
6 months, 2 weeks ago
Selected Answer: B
It's B - you'd typically want to see any TCP traffic originating from 10.0.0.0/16 on ports 80/443 to any other address out there.
upvoted 3 times
saucehozz
3 months ago
This is the opposite of reducing logged data.
upvoted 1 times
[Removed]
7 months, 2 weeks ago
The best option to detect data exfiltration while reducing log size and the time to search logs would be Option D: FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY. This is because data exfiltration typically involves data being sent from the trusted network (10.0.0.0/16) to an untrusted network (0.0.0.0/0). Monitoring all IP traffic (both TCP and UDP) from the trusted to the untrusted network would provide the most comprehensive coverage for detecting potential data exfiltration. So, in summary, this rule monitors all IP traffic (both TCP and UDP), regardless of the port number, originating from the IP address range 10.0.0.0 to 10.0.255.255 and destined for any IP address. This would include all outbound traffic from the trusted network to any destination, which is why it’s useful for detecting potential data exfiltration.
upvoted 2 times
guwno
6 months, 2 weeks ago
This option would be great if it weren't implemented already on the FW. Because of this I lean towards B.
upvoted 2 times
biggytech
7 months, 3 weeks ago
Selected Answer: B
B is the correct answer as it is the only one which pertains to outbound traffic. C is inbound traffic and not a concern for DLP.
upvoted 3 times
nuel_12
7 months, 3 weeks ago
Selected Answer: C
C. FROM TCP 0.0.0.0/0 ANY TO 10.0.0.0/16 80,443,22
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other