Answer: Putting security/antitamper tape over USB ports, logging the port numbers, and regularly inspecting the ports
=============================================
Explanation:
The question is asking for two specific requirements for the solution:
1. A solution that's cost-effective
2. A solution that's a physical control
The option to implement a GPO (B) and installing an endpoint agent (D) are software-based implementations, while in the case of the GPO being cost-effective, they do not address the physical control requirement for the solution.
Option C would address the requirement as a physical control by preventing users from physically access the USB port and likely the best out all of the given options, however, this option is not cheapest so it's not addressing the cost-effectiveness required for the solution.
Only option A would address each requirement of the solution being a cost-effective physical control that can be implemented.
The answer is GPO not A. Cost effective is only A, GPOs are configured in AD and require no additional cost accepts the network admin to config. A requires purchasing tape, paying techs to go to all systems and cover! Not cost effective at all. What if the organization has 2000 computers, you are going to pay techs to go out with tape! No! Answer is GPO, easy, zero cost, and bullet proof!
i agree with A but the context would be great. Can u imagine placing tape over a usb port in a high school environment? The tape will be gone in 1 minute. So is the laptop in a trusted or public environment? Because then, after a malware attack, the price of a metal cage is the cheapest option. (just some food for thought)
Option A involves a lot of additional cost for security tape and regular inspection... inspection = time = money.
Option B is essentially no cost because it uses existing domain software and infrastructure to enforce. Restricting access is by definition a physical control.
Option C also involves money (Like option A) and is not cost effective.
Option D involves purchasing individual end point agent software... again not cost effective.
They are all able to control the physical hardware by disallowing removable media or otherwise restricting it, however only one is cost effect - Option B, implementing a Group Policy Object.
my issue with B is that a group policy is LOGICAL. not a physical barrier.
having said that, merely putting tape over a usb port is a terrible idea. surely that is only done in trusted environments?
It's pretty obviously B, I think ya'll are getting too hung up on a physical control being 100% physical. A biometric scanner isn't useful without some kind of software running that compares my signature to a known copy of whatever it's scanning, yet it is still considered a physical control.
The idea behind a "physical control" is that the main control is based on something physical (just like the biometric scan is worthless if we don't have a body part to scan).
A GPO is pure software solution. Also, a GPO does not forbid a user from plugging in a USB removable device during system boot and then loading some sort of malware or even a new OS.
A biometric scanner by itself wouldn't be considered any kind of control because the scanner itself doesn't prevent anything. Assuming that it is part of a door system that only opens if your biometric signature is known to the system, then the door would be a physical control that the biometric scanner controls access to.
Physical: A physical control is one that prevents specific physical actions from occurring, such as a mantrap prevents tailgating. Physical controls prevent specific human interaction with a system and are primarily designed to prevent accidental operation of something.
Whether or not a physical control relies on software is irrelevant. What matters is the fact that the control is physically impeding an action from taking place (actually physically blocking the port with tape or putting the whole computer in a locked container). Using a GPO to block removable media at the OS level is a technical control, it doesn't do anything to prevent the physical action from taking place.
The question asks for two things:
Physical control
Cost effective
I picked C because ONCE in a caged locked up, there's no need to pay techs to keep monitoring USB ports and replacing tape (choice A). It's a done deal, zero access and it's also physical. Why would I want to keep paying for tech support to keep monitoring ports after taping them? Who is to say that insider threats can occur easily by removing the tape.
Permanent Security is the goal here and not band-aid fixes that's going to cost even more in the long run. Put the ports in a cage and lock it up, you're done!
Option B is out because this is NOT physical. It may be cost effective, but it's not a physical control.
Option D is an expensive technical control.
B seems to be the most cost-effective if certain infrastructure were already in place. However; B and C are technical/software-dependent controls NOT physical controls.
"A" is a physical control but if the number of systems to be restricted are in hundreds, it will require a lot of "man hours" to place the security tape on the ports and regularly monitor the systems. This is a recurring expenditure in "man hours" that does not seem to be cost effective.
"C" is a physical control that requires a one-time investment on containers with locks and "man hours". The containers does not necessarily need to be high-grade, they just need to be adequate. Also, from experience, the containers will likely be purchased at discounts if buying in large quantities. This seems to be the most cost effective as it doesn't require recurring expenditure for several years.
How could regularly inspecting the ports be cost effective? We are talking of a tape over USB ports, having a person regularly go and inspect that wouldn't make any sense.
A: is a terrible solution, however, as the tape can be ripped off. But it is cost-effective.
B: is NOT a physical control, so it's out
C: will definitely work, but it's not cost-effective as A:
D: is NOT a physical control, so it's out
B and D involve effective methods for controlling USB access, they are not considered “physical” controls. Option C is a physical control but may not be as cost-effective due to the expense of the locked containers.
This option physically prevents users from accessing the USB ports altogether, thus effectively enforcing the USB removable media restriction policy. It's a straightforward and relatively inexpensive method compared to other options like implementing endpoint agents or using security tape over USB ports, which can be more complex or costly to deploy and maintain.
someone help me here... I chose C as my answer, now I know that A would be the most cost effective in this situation as tamperseals are cheap etc. but why not chose the "set it and forget it" technique with inserting it into a key controlled box instead of using man hours and labor to monitor the ports as well as potentially having to replace the seal (if broken/altered)
A USB removable media restriction policy is a set of guidelines and controls that an organization establishes to manage and control the use of USB and other removable media devices within its computing environment. It can also be supplemented with the physical controls, such as antitamper tapes put on the USB ports and logging the port numbers.
The answer here is "B" GPO. The solution cannot be "A" because it is not cost effective. Buying all that tape to cover ports is not effective, and paying techs to go around periodically checking tapes on each machine to ensure they have not been tampered with is a waist of company time and resources, which ultimately is costing the company a lot of money just to place, check and replace tape. GPO is the only acceptable answer as it counts as physical. Just because you can still plug something in is not relevant. As a security measure is a port is disabled, it is has the same effect as covering the port as it is equally protected even though you can still plug something in.
This section is not available anymore. Please use the main Exam Page.SY0-601 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
rodwave
Highly Voted 2 years, 9 months agobrewoz404sd
2 years, 5 months agoAlcpt
11 months, 2 weeks agoBD69
1 year, 5 months ago[Removed]
2 years, 4 months agoAnonymousJhb
1 year, 5 months agoNirmalabhi
2 years, 8 months agoCTE_Instructor
2 years, 5 months agoBD69
1 year, 5 months agoAnonymousJhb
1 year, 5 months agojcrittendon
1 year, 10 months agoHewn
Highly Voted 2 years, 11 months agoHCM1985
1 year, 11 months agoBD69
1 year, 5 months agojcrittendon
1 year, 10 months agodaddylonglegs
1 year, 10 months agoroukettas
Most Recent 1 year, 1 month agoGigi42
1 year, 1 month agoscoobysnack209
1 year, 1 month agoEromons
1 year, 2 months agowalerash
1 year, 4 months agolekiam
1 year, 4 months ago64d2259
1 year, 5 months agoMasterControlProgram
1 year, 5 months agoBD69
1 year, 5 months agoPaula77
1 year, 6 months agoalicia2024
1 year, 6 months agovitasaia
1 year, 6 months agoSkimbeeble
1 year, 6 months agothekid2457
1 year, 7 months agoModiggs2004
1 year, 7 months agoBD69
1 year, 4 months ago