SY0-701 Practice Test Questions

715 Questions


A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up?


A. Corrective


B. Preventive


C. Detective


D. Deterrent





C.
  Detective

Explanation: A detective control is a type of security control that monitors and analyzes events to detect and report on potential or actual security incidents. A SIEM system is an example of a detective control, as it collects, correlates, and analyzes security data from various sources and generates alerts for security teams. Corrective, preventive, and deterrent controls are different types of security controls that aim to restore, protect, or discourage security breaches, respectively. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 33; What is Security Information and Event Management (SIEM)?

Which of the following should be used to aggregate log data in order to create alerts and detect anomalous activity?


A. SIEM


B. WAF


C. Network taps


D. IDS





A.
  SIEM

Explanation:
A SIEM (Security Information and Event Management) system is specifically designed to aggregate log data from various sources (e.g., servers, network devices, applications), correlate events, and create alerts based on predefined rules or anomalous patterns. It provides centralized visibility and analysis, enabling security teams to detect and respond to threats like intrusions, malware, or unusual user behavior.

Why the others are incorrect:

B. WAF (Web Application Firewall):
This protects web apps by filtering HTTP traffic and blocking attacks (e.g., SQL injection). It does not aggregate logs from diverse sources or create alerts for broader anomalous activity.

C. Network taps:
These are passive devices that copy network traffic for monitoring but do not aggregate logs or generate alerts. They feed data to other tools (e.g., IDS, SIEM).

D. IDS (Intrusion Detection System):
This monitors network or host activity for signs of attacks and generates alerts but typically focuses on specific signatures or anomalies. It does not centrally aggregate and correlate logs from multiple sources like a SIEM.

Reference:
This aligns with SY0-701 Objective 4.4 ("Explain security alerting and monitoring concepts and tools"), which lists SIEM among the monitoring tools, and with Objective 4.9 ("Given a scenario, use data sources to support an investigation"). Log aggregation and centralized analysis are described in NIST SP 800-92 ("Guide to Computer Security Log Management"). Correlation across sources is what lets a SIEM raise an alert that no single log would justify on its own.

A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior?


A. Digital forensics


B. E-discovery


C. Incident response


D. Threat hunting





D.
  Threat hunting

Explanation:
Threat hunting is a proactive security practice where analysts actively search for signs of malicious activity or threats that may have evaded existing detection tools (like SIEM alerts, which are not yet configured in this scenario). Given that the cyber operations team provided intelligence about a new tactic, the security analyst should use this information to hypothesize and hunt for indicators of this behavior across the network—manually examining logs, endpoint data, network traffic, and other sources to identify potential compromises. Threat hunting bridges the gap between known threats and undetected attacks, especially when automated alerts are not in place.

Analysis of Incorrect Options:

A. Digital forensics:
Digital forensics involves the detailed investigation and analysis of incidents after they have been detected to gather evidence (e.g., for legal purposes). It is reactive, not proactive, and assumes an incident has already occurred.

B. E-discovery:
E-discovery is a legal process for identifying, collecting, and producing electronic information in response to litigation or investigations. It is not related to identifying active malicious behavior.

C. Incident response:
Incident response is the structured process for managing and mitigating security incidents after they are detected. Since no incident has been confirmed yet, this is premature; threat hunting is the step to determine if an incident exists.

Reference:
This aligns with Domain 4.0: Security Operations (threat hunting is listed under Objective 4.8, incident response activities). Threat hunting is also a named control in NIST SP 800-53 Rev. 5 (RA-10, Threat Hunting) and is commonly structured around MITRE ATT&CK tactics and techniques. It relies on analyst expertise and threat intelligence to uncover stealthy attacks and reduce dwell time.
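The two previous questions (log aggregation with alerting, and hunting for a tactic that has no alert yet) are easiest to see side by side in code. The following is an added example written for this page, not code from the original questions or from any SIEM product. It normalizes three constructed log sources (sshd, a firewall CSV, a process audit trail) into one schema, runs a correlation rule the way a SIEM would, and then runs an ad-hoc hunt query for a tactic the rule set does not cover. All hostnames, users, IP addresses and the "authorized_keys persistence" tactic are assumptions made up for the example.

```python
# SIEM-style aggregation, correlation and threat hunting over constructed logs.
# Added example for this page, not code from the original questions; every log
# line, hostname, user name and IP address below is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source 1: sshd lines in syslog style (constructed).
SSHD_LOG = """\
2024-05-01T09:00:01 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-05-01T09:00:04 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-05-01T09:00:09 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2024-05-01T09:00:15 web01 sshd[1209]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
2024-05-01T09:30:00 db01 sshd[442]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
"""
# Source 2: firewall log as CSV: ts,host,src_ip,dst_ip,dport,verdict (constructed).
FW_LOG = """\
2024-05-01T09:01:10,web01,10.0.1.4,198.51.100.9,4444,ALLOW
2024-05-01T09:31:00,db01,10.0.1.9,10.0.0.5,22,ALLOW
"""
# Source 3: process audit records: ts host user command (constructed).
AUDIT_LOG = """\
2024-05-01T09:00:40 web01 admin echo ssh-ed25519 AAAAC3examplekey >> /home/admin/.ssh/authorized_keys
2024-05-01T09:30:20 db01 deploy systemctl restart app
"""

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ "
                     r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_sshd(text):
    """Normalize sshd lines into the common event schema; unparsed lines are skipped."""
    out = []
    for m in filter(None, map(SSHD_RE.match, text.splitlines())):
        out.append({"ts": datetime.fromisoformat(m["ts"]), "source": "sshd", "host": m["host"],
                    "action": "login_success" if m["result"] == "Accepted" else "login_failure",
                    "user": m["user"], "src_ip": m["ip"]})
    return out

def parse_fw(text):
    """Normalize firewall CSV lines into the common event schema."""
    out = []
    for ts, host, src, dst, dport, verdict in (l.split(",") for l in text.splitlines()):
        out.append({"ts": datetime.fromisoformat(ts), "source": "firewall", "host": host,
                    "action": "conn_" + verdict.lower(), "src_ip": src, "dst_ip": dst,
                    "dport": int(dport)})
    return out

def parse_audit(text):
    """Normalize process-audit lines into the common event schema."""
    out = []
    for ts, host, user, cmd in (l.split(" ", 3) for l in text.splitlines()):
        out.append({"ts": datetime.fromisoformat(ts), "source": "audit", "host": host,
                    "action": "exec", "user": user, "cmd": cmd})
    return out

def aggregate(*sources):
    """Merge normalized events from every source into one time-ordered stream (the SIEM's job)."""
    return sorted((e for src in sources for e in src), key=lambda e: e["ts"])

def rule_bruteforce_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failures from one IP followed by a success within window."""
    failures, alerts = defaultdict(list), []
    for e in (e for e in events if e["source"] == "sshd"):
        if e["action"] == "login_failure":
            failures[e["src_ip"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src_ip": e["src_ip"], "user": e["user"],
                           "host": e["host"], "ts": e["ts"], "failures": len(recent)})
    return alerts

def hunt_key_persistence_after_login(events, within=timedelta(minutes=5)):
    """Hunt for a tactic with no alert rule yet: a login followed within `within` by a write to
    authorized_keys by the same user on the same host. Outbound connections from that host in
    the window are attached as supporting evidence rather than required."""
    findings = []
    for login in (e for e in events if e["action"] == "login_success"):
        window = [e for e in events if login["ts"] <= e["ts"] <= login["ts"] + within
                  and e["host"] == login["host"]]
        key_writes = [e["cmd"] for e in window if e["source"] == "audit"
                      and e["user"] == login["user"] and "authorized_keys" in e["cmd"]]
        if key_writes:
            findings.append({"host": login["host"], "user": login["user"], "src_ip": login["src_ip"],
                             "login_ts": login["ts"], "commands": key_writes,
                             "outbound": [(e["dst_ip"], e["dport"]) for e in window
                                          if e["source"] == "firewall"]})
    return findings

if __name__ == "__main__":
    timeline = aggregate(parse_sshd(SSHD_LOG), parse_fw(FW_LOG), parse_audit(AUDIT_LOG))
    print("alerts:", rule_bruteforce_then_success(timeline))
    print("hunt findings:", hunt_key_persistence_after_login(timeline))
```

The rule fires on the constructed sshd lines because three failures from 203.0.113.7 precede a success within a minute; the hunt then finds, with no rule configured for it, that the same session appended a key to authorized_keys and that the host opened an outbound connection to port 4444 shortly after. Once a hunt hypothesis like this proves useful it is normally promoted into a standing correlation rule, which is the feedback loop between the two questions.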

An accounting clerk sent money to an attacker's bank account after receiving fraudulent instructions to use a new account. Which of the following would most likely prevent this activity in the future?


A. Standardizing security incident reporting


B. Executing regular phishing campaigns


C. Implementing insider threat detection measures


D. Updating processes for sending wire transfers





D.
  Updating processes for sending wire transfers

Explanation:
The scenario describes a business email compromise (BEC) style attack, in which an attacker impersonating a vendor or executive sends fraudulent payment instructions (by email, or by phone as vishing) and the accounting clerk, trusting the request, sends money to an attacker-controlled account. The most effective prevention is to update the wire transfer process to include verification steps that do not depend on the channel the request arrived on, such as:

Requiring multi-person approval for transfers.

Verifying changes to account details via a secondary, trusted channel (e.g., in-person confirmation or a pre-established phone number).

Implementing callback procedures to validate requests.

These measures add layers of authentication to prevent unauthorized transactions.

Why the others are incorrect:

A. Standardizing security incident reporting:
This improves response after an incident but does not prevent the initial social engineering attack.

B. Executing regular phishing campaigns:
These train users to recognize phishing, but awareness alone is not reliable against a well-crafted request, and the scenario does not say which channel the fraudulent instructions used. A process control that verifies any change of payment details out of band works regardless of how the request arrived.

C. Implementing insider threat detection measures:
This focuses on malicious insiders, not external attackers using social engineering.

Reference:
This aligns with SY0-701 Objective 2.2 ("Explain common threat vectors and attack surfaces"), which covers business email compromise and other human vectors. Mitigating BEC requires process controls such as dual authorization and out-of-band verification of payment changes, as recommended by the FBI's Internet Crime Complaint Center (IC3) and by financial institutions.
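The verification steps above are a process, but the two that matter most (call back on the number already on file, never on a number supplied with the request; and require two approvers who are not the requester) can be enforced by the payment system itself. The following added example, not code from the original page or any real treasury product, models those checks. The vendor record, the phone numbers, the account identifiers, the 10,000 dual-control threshold and the names are all assumptions made for the example.

```python
# Wire-transfer control checks: out-of-band callback and dual authorization.
# Added example for this page, not code from the original question. Vendor
# records, phone numbers, account identifiers and people are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    account: str         # account captured at onboarding
    callback_phone: str  # number captured at onboarding; never taken from an incoming request

@dataclass(frozen=True)
class TransferRequest:
    vendor_id: str
    account: str                  # account the payment is to be sent to
    amount: int
    requested_by: str             # clerk entering the payment
    phone_in_request: Optional[str] = None  # "call me on ..." number that came with the request

@dataclass(frozen=True)
class Callback:
    vendor_id: str
    phone_dialed: str
    confirmed_account: str
    performed_by: str

def evaluate_transfer(req: TransferRequest, master: Dict[str, VendorRecord],
                      callbacks: List[Callback], approvers: List[str],
                      dual_control_threshold: int = 10_000) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). The transfer is approved only if every check passes."""
    reasons: List[str] = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor; onboard through the vendor-master process first"]

    # Check 1: a changed account must be confirmed by calling the number on file.
    # Calling the number that arrived with the request just reaches the attacker.
    if req.account != vendor.account:
        confirmed = any(cb.vendor_id == req.vendor_id
                        and cb.phone_dialed == vendor.callback_phone
                        and cb.confirmed_account == req.account
                        for cb in callbacks)
        if not confirmed:
            reasons.append("account differs from vendor master and was not confirmed by "
                           "callback to the number on file")

    # Check 2: dual control above the threshold. The requester cannot approve their
    # own payment, and one person approving twice does not count as two approvals.
    if req.amount >= dual_control_threshold:
        distinct = {a for a in approvers if a != req.requested_by}
        if len(distinct) < 2:
            reasons.append("dual control required: two approvers other than the requester")

    return (not reasons), reasons

if __name__ == "__main__":
    master = {"V-100": VendorRecord("V-100", "ACCT-ON-FILE-1001", "+1-555-0100")}
    # The scenario from the question: "pay to this new account, call me on this number".
    req = TransferRequest("V-100", "ACCT-NEW-9999", 48_000, "clerk", "+1-555-0199")
    wrong_number = [Callback("V-100", "+1-555-0199", "ACCT-NEW-9999", "clerk")]
    print(evaluate_transfer(req, master, wrong_number, ["controller", "cfo"]))
    on_file = [Callback("V-100", "+1-555-0100", "ACCT-NEW-9999", "controller")]
    print(evaluate_transfer(req, master, on_file, ["controller", "cfo"]))
```

The first evaluation is the fraud from the question: the clerk did call someone, but the number came from the attacker's message, so the check rejects it. The second passes because the callback went to the number recorded at onboarding and two people other than the clerk approved. Keeping the callback number in the vendor master, and only changing it through the same verified process, is what gives the control its strength.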

A systems administrator notices that one of the systems critical for processing customer transactions is running an end-of-life operating system. Which of the following techniques would increase enterprise security?


A. Installing HIDS on the system


B. Placing the system in an isolated VLAN


C. Decommissioning the system


D. Encrypting the system's hard drive





B.
  Placing the system in an isolated VLAN

Explanation:

B) Placing the system in an isolated VLAN is the correct answer.
An end-of-life (EOL) operating system no longer receives security patches, making it highly vulnerable to exploits. While the ideal long-term solution is to upgrade or replace the system (decommissioning might not be feasible if it's critical for transactions), network segmentation via an isolated VLAN is a practical immediate control. This technique:

Limits the system's network exposure by restricting communication to only the hosts and services it needs (for example, an ACL on the VLAN that permits only the application servers that submit transactions plus the backup and monitoring hosts, and denies everything else in both directions).

Reduces the attack surface by preventing lateral movement from compromised systems to/from this vulnerable host.

Contains potential breaches, minimizing impact on the broader enterprise network.

Why the others are incorrect:

A) Installing HIDS (Host-based Intrusion Detection System):
While HIDS can monitor for suspicious activity on the host, it cannot patch the underlying EOL OS vulnerabilities. It is a detective control but does not prevent exploits targeting unpatched flaws.

C) Decommissioning the system:
Although decommissioning would eliminate the risk, the scenario states the system is critical for processing customer transactions. Decommissioning is likely not an option without causing business disruption, so it is not the best immediate security improvement.

D) Encrypting the system's hard drive:
Encryption protects data at rest (e.g., if the drive is stolen), but it does not mitigate risks related to network-based attacks, remote exploits, or vulnerabilities in the live OS. The system remains exposed to threats while operational.

Reference:
This question tests SY0-701 Objective 2.3 ("Explain various types of vulnerabilities", which lists end-of-life and legacy systems) and Objective 3.2 ("Given a scenario, apply security principles to secure enterprise infrastructure", which covers segmentation). Isolating a vulnerable system is a classic compensating control (Objective 1.1) when patching is not possible; it buys time, but the migration off the EOL platform still needs to be scheduled.

After a security incident, a systems administrator asks the company to buy a NAC platform. Which of the following attack surfaces is the systems administrator trying to protect?


A. Bluetooth


B. Wired


C. NFC


D. SCADA





B.
  Wired

Explanation:
A NAC (Network Access Control) platform is primarily designed to secure wired and wireless network access by enforcing security policies on devices before they are allowed to connect to the network. It ensures that only compliant and authorized devices can access network resources. In the context of a security incident, the administrator is likely addressing vulnerabilities related to unauthorized or non-compliant devices connecting via wired ports (e.g., Ethernet), which could lead to threats like rogue devices, malware propagation, or lateral movement.

Why the others are incorrect:

A. Bluetooth:
This is a short-range wireless technology for personal area networks (PANs). NAC focuses on broader network access (LAN/WLAN) and does not typically govern Bluetooth connections.

C. NFC (Near Field Communication):
This is a very short-range wireless technology used for contactless payments and data exchange between two devices that are almost touching. There is no network port or access point for NAC to gate, so NAC does not apply to it.

D. SCADA (Supervisory Control and Data Acquisition):
These are industrial control systems (ICS) used in critical infrastructure. While NAC can be part of securing SCADA networks, it is not specific to SCADA. The question asks for the attack surface NAC is most directly associated with, which is general wired (and wireless) network access.

Reference:
This aligns with SY0-701 Objective 2.2 ("Explain common threat vectors and attack surfaces", which lists wired, wireless, Bluetooth and similar surfaces) and Objective 4.5 ("Given a scenario, modify enterprise capabilities to enhance security", which lists NAC). On wired networks NAC is typically enforced with IEEE 802.1X port-based authentication on the switch, backed by a RADIUS server, so that an unauthenticated or non-compliant device plugged into a wall port is placed in a quarantine VLAN or denied entirely.

Client files can only be accessed by employees who need to know the information and have specified roles in the company. Which of the following best describes this security concept?


A. Availability


B. Confidentiality


C. Integrity


D. Non-repudiation





B.
  Confidentiality

Explanation:
Confidentiality is the security principle that ensures information is not disclosed or accessed by unauthorized individuals, devices, or processes. The scenario describes restricting access to client files only to employees with a specific "need to know" and designated roles. This is a classic example of enforcing confidentiality through access controls.

Why the other options are incorrect:

A. Availability:
This principle ensures that information and systems are accessible and operational when needed by authorized users. The scenario is focused on restricting access, not ensuring it is available.

C. Integrity:
This principle guards against improper modification or destruction of information, ensuring its accuracy and trustworthiness. The scenario is about who can see the files, not about protecting them from being altered.

D. Non-repudiation:
This is a concept that prevents an individual from denying having taken a specific action, such as sending a message or approving a transaction. It is typically achieved through digital signatures and auditing. The scenario does not involve proving an action was taken; it is solely about controlling read-access to information.

Reference:
This question tests the fundamental understanding of the CIA triad (Confidentiality, Integrity, Availability), which is the core of information security.

This is a key concept in Objective 1.2 ("Summarize fundamental security concepts") of the CompTIA Security+ SY0-701 exam objectives.

The "need-to-know" principle and role-based access are primary mechanisms for enforcing confidentiality, as outlined in various security frameworks like those from NIST.
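The point worth making concrete is that a role alone is not need to know: an auditor whose role allows reading client files should still be refused a client they are not assigned to, and a user assigned to a client should still be refused an action their role does not grant. The following added example (not code from the original page; the roles, users and client names are made up) enforces both layers in one decision.

```python
# Confidentiality enforcement: role permission AND need-to-know assignment.
# Added example for this page, not code from the original question. Users,
# roles and client names are constructed.
from typing import Dict, List, Set, Tuple

# Role -> actions the role may perform on client files (RBAC layer).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "account_manager": {"read", "write"},
    "auditor": {"read"},
    "helpdesk": set(),
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"account_manager"},
    "bob": {"auditor"},
    "carol": {"helpdesk"},
}
# Client -> users assigned to work on that client (need-to-know layer).
CLIENT_ASSIGNMENTS: Dict[str, Set[str]] = {
    "acme": {"alice"},
    "globex": {"alice", "bob"},
}

def effective_permissions(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def can_access(user: str, client: str, action: str) -> Tuple[bool, str]:
    """Deny unless the role allows the action AND the user is assigned to the client.
    Unknown users, roles and clients fall through to deny by default."""
    if action not in effective_permissions(user):
        return False, f"role check failed: {user} has no '{action}' permission on client files"
    if user not in CLIENT_ASSIGNMENTS.get(client, set()):
        return False, f"need-to-know check failed: {user} is not assigned to {client}"
    return True, "allowed"

def accessible_clients(user: str, action: str = "read") -> List[str]:
    """Clients the user can reach with the given action; the view an access review wants."""
    return sorted(c for c in CLIENT_ASSIGNMENTS if can_access(user, c, action)[0])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "read:", accessible_clients(user), "write:", accessible_clients(user, "write"))
```

The second check is what turns a role-based scheme into a need-to-know scheme: bob keeps his auditor role everywhere but only sees the one client he is assigned to, and removing an assignment withdraws access without touching any role. A periodic access review is then simply a comparison of accessible_clients against what each person currently works on.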

Which of the following most impacts an administrator's ability to address CVEs discovered on a server?


A. Rescanning requirements


B. Patch availability


C. Organizational impact


D. Risk tolerance





B.
  Patch availability

Explanation: Patch availability most impacts an administrator's ability to address Common Vulnerabilities and Exposures (CVEs) discovered on a server. If no patch exists for a discovered vulnerability, the administrator cannot remediate the issue directly, and the system stays exposed until a patch is released or a compensating control is put in place.

Patch availability: Directly determines whether a discovered vulnerability can be fixed promptly. Without an available patch, administrators must fall back on other mitigations such as configuration changes, segmentation, or virtual patching at an IPS or WAF.

Rescanning requirements: Important for verifying that a patch actually took effect, but secondary to the availability of the patch itself.

Organizational impact: Considers the potential consequences of a vulnerability but does not change whether a fix can be applied.

Risk tolerance: Influences how the organization prioritizes vulnerabilities but does not affect whether a patch exists.

A company recently decided to allow employees to work remotely. The company wants to protect its data without using a VPN. Which of the following technologies should the company implement?


A. Secure web gateway


B. Virtual private cloud endpoint


C. Deep packet inspection


D. Next-generation firewall





A.
  Secure web gateway

Explanation: A Secure Web Gateway (SWG) sits between users and the internet and filters user-initiated web traffic, blocking malware and enforcing corporate and regulatory policy. Because remote users' browsers are pointed at the gateway (typically a cloud-hosted service, via an agent or proxy setting), the company can secure their web traffic and data without backhauling everything through a VPN, which makes it the right fit for remote work. A virtual private cloud endpoint provides private connectivity to cloud services, not protection of remote users' traffic. Deep packet inspection and a next-generation firewall are inspection functions that only help if the traffic is routed through them, which for remote users would require the VPN the company wants to avoid.

Which of the following is the phase in the incident response process when a security analyst reviews roles and responsibilities?


A. Preparation


B. Recovery


C. Lessons learned


D. Analysis





A.
  Preparation

Explanation: Preparation is the phase in the incident response process when a security analyst reviews roles and responsibilities, as well as the policies and procedures for handling incidents. Preparation also involves gathering and maintaining the necessary tools, resources, and contacts for responding to incidents, so that the analyst is ready and proactive when an incident occurs and can reduce its impact and duration. Activities a security analyst performs during the preparation phase include:

Defining the roles and responsibilities of the incident response team members, such as the incident manager, the incident coordinator, the technical lead, the communications lead, and the legal advisor.

Establishing the incident response plan, which outlines the objectives, scope, authority, and procedures for responding to incidents, as well as the escalation and reporting mechanisms.

Developing the incident response policy, which defines the types and categories of incidents, the severity levels, the notification and reporting requirements, and the roles and responsibilities of the stakeholders.

Creating the incident response playbooks, which provide step-by-step guidance and checklists for handling specific types of incidents, such as denial-of-service, ransomware, phishing, or data breach.

Acquiring and testing the incident response tools, such as network and host-based scanners, malware analysis tools, forensic tools, backup and recovery tools, and communication and collaboration tools.

Identifying and securing the incident response resources, such as the incident response team, the incident response location, the evidence storage, and the external support.

Building and maintaining the incident response contacts, such as the internal and external stakeholders, law enforcement agencies, regulatory bodies, and the media.

A department is not using the company VPN when accessing various company-related services and systems. Which of the following scenarios describes this activity?


A. Espionage


B. Data exfiltration


C. Nation-state attack


D. Shadow IT





D.
  Shadow IT

Explanation: The activity described, where a department is not using the company VPN when accessing company-related services and systems, is an example of shadow IT: the use of IT systems, devices, software, applications, and services without explicit IT department approval. Here the department has chosen its own access path around the sanctioned VPN control, which is exactly the kind of unsanctioned practice the term covers.

Why the others are incorrect:

Espionage: Involves spying to gather confidential information, not simply bypassing the VPN.

Data exfiltration: Refers to the unauthorized transfer of data out of the organization; nothing in the scenario indicates data is being taken.

Nation-state attack: Involves attacks sponsored by a government, which is not indicated in the scenario.
Reference: CompTIA Security+ SY0-701 Exam Objectives, Domain 2.1 - Compare and contrast common threat actors and motivations (Shadow IT).

After a company was compromised, customers initiated a lawsuit. The company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take?


A. Retain the emails between the security team and affected customers for 30 days.


B. Retain any communications related to the security breach until further notice.


C. Retain any communications between security members during the breach response.


D. Retain all emails from the company to affected customers for an indefinite period of time.





B.
  Retain any communications related to the security breach until further notice.

Explanation:
A legal hold (also known as a litigation hold) is a directive issued by an organization's legal counsel to preserve all forms of relevant information when litigation is reasonably anticipated or has already been initiated. This is a critical process to prevent the spoliation (destruction or alteration) of evidence.

The key characteristic of a legal hold is that it is broad and indefinite. It applies to all data—including emails, documents, logs, system images, and communications—that could be potentially relevant to the case. The hold remains in effect "until further notice," meaning until legal counsel determines the litigation or threat of litigation has concluded and formally releases the hold.

In this scenario, the lawsuit is related to the security compromise. Therefore, the security team would be required to retain any and all communications, data, and evidence related to the security breach to ensure it is available for the discovery process in the lawsuit.

Why the Other Options are Incorrect:

A. Retain the emails... for 30 days:
A legal hold is not for a fixed, short-term period. It remains in effect for the duration of the legal process, which could last months or years. A 30-day retention policy would directly conflict with the requirements of a legal hold.

C. Retain any communications between security members...:
While this is part of the hold, the scope is too narrow. A legal hold applies to all relevant information, not just internal team communications. It includes communications with third parties, system logs, data backups, and more.

D. Retain all emails from the company to affected customers...:
This is also too narrow. The legal hold would require preserving not just outbound customer emails, but also inbound communications, internal discussions about those customers, and any other data related to the breach and its impact.

Reference:
This question falls under CompTIA SY0-701 Objective 4.8 ("Explain appropriate incident response activities"), whose digital forensics section covers legal hold, chain of custody, acquisition, preservation, reporting, and e-discovery. A legal hold overrides normal retention schedules: routine deletion or rotation of anything within its scope (including log retention and backup expiry) must be suspended until counsel releases the hold.

