PrepAway - Latest Free Exam Questions & Answers

Which of the following would be the BEST place to start?

An administrator would like to review the effectiveness of existing security in the enterprise. Which
of the following would be the BEST place to start?


A. Review past security incidents and their resolution

B. Rewrite the existing security policy

C. Implement an intrusion prevention system

D. Install honey pot systems

Explanation:
The main functions of intrusion prevention systems are to identify malicious activity, log
information about this activity, attempt to block/stop it, and report it.

5 Comments on “Which of the following would be the BEST place to start?”

  1. Brian G. says:

    Another terribly written question. A is the better answer, because it is about reviewing the existing security, and you cannot know the effectiveness of where you are if you haven’t reviewed how you got there. Any security tech who implements an IPS without reviewing the history should be fired. An IPS can be very intrusive, and the goal is to review, not to enact. Once you have reviewed, then (and only then) will it be time to act. (And a review need not take long.)

    The question, though, is what does CompTIA expect. JP has a point, and it could be argued both ways. One could also make a case that a honeypot system will tell you more about how secure your existing systems are than any of the other options, but I think that would not be a good place to start. A honeypot is not a trivial thing to set up.

    Again, the goal is to review existing security in the enterprise. So, do you start by collecting active data while interacting with it via an IPS, or do you start by reviewing what has worked/not worked in the past? I stand by A as the best answer, that a review should be the best place to start. What if you find out that two prior security chiefs have been fired for implementing IPS systems that took down the network? Oops.




    1. Brian G. says:

      A follow-up thought. An IPS set in passive mode could provide the information needed. It would in that case be indistinguishable from an IDS, and would gather the information for the review without having much impact on the network. So that could still be the “correct” answer.




      1. johnmclaren says:

        At first I thought, as most people probably have, that the administrator is walking into a NEW enterprise, but he’s not. He wants to review how effective his solutions are at deterring his enemy, by examining the effectiveness of the existing security in the existing enterprise (that he manages). What is it catching, what is it missing? Etc. An IDS or IPS would be the logical choice, here. “Examine” would be a more appropriate verb to describe what he’s doing, not review.



