IPS can only protect against known host and application-based attacks and exploits. IPS inspects traffic against signatures and anomalies; it does cover a broad spectrum of attack types, most of them signature-based, and signatures alone cannot protect against zero-day attacks. (www.rawcode7.medium.com)
However, with network segmentation, you're able to isolate critical assets into different segments. And when a zero-day attack occurs, you're not at risk of losing all and are able to isolate the attack's effect to one segment.
But the question isn't about protecting other data, the question directly says how to "control zero-day vulnerabilities". If there is a zero-day vulnerability in a new piece of software on a device, the BEST control against this is patch management to ensure the vulnerability is patched out as soon as possible.
The mention of zero-day implies they mean attacks for which there is no patch yet. Patch management won't protect against something that there isn't a patch for, which is the definition of a zero-day exploit.
Exactly! Patch management is ONLY good for vulnerabilities that have patches. Zero-Day vulnerabilities are patched after a patch is created, AFTER the zero-day exploit was executed. Why is this so difficult to understand? (25 years experience here and have had systems compromised with full patch management systems in place)
Had to look this up myself as there is no real clear answer here. One of the Sec+ books I have suggested IPS and segmenting. Google search even says IPS in this regard as well. I would personally say Network Segmentation but otherwise not sure. My comment is not all that helpful I know but just wanted to throw my thoughts out there.
I believe it's B, patch management. I don't really get how segmenting a network can defend against or prevent a zero-day from being exploited on your network. I put this question to ChatGPT and it gave me B as the answer, so that's what I'm going with.
I did the same, and then I pointed out to ChatGPT that a zero-day is by definition not known, and it changed its answer and said: "However, even though the vendor may be unaware of the vulnerability, there are still ways to mitigate the risks posed by zero-day vulnerabilities. For example, network segmentation, intrusion prevention systems, and multiple vulnerability scanners can help to reduce the attack surface and limit the damage that can be done if a zero-day vulnerability is exploited."
Regular software updates: Installing the latest software updates can help protect against known vulnerabilities and fix security holes that could be exploited by zero-day attacks.
Do you understand what a zero-day is? It's a vulnerability that is unknown to security researchers or the vendor of the product. You can't fix a vulnerability that you don't know about, therefore there would not be a patch for a zero-day vulnerability until it is discovered, at which point it is no longer a zero-day vulnerability.
To be more clear, a zero-day is an unknown exploit. There are a few chances that the IPS will detect the attack payloads/signature. But segregating the network would eventually prevent lateral movement even if the attacker has Remote Code Execution privilege on the compromised server.
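As an added illustration of the lateral-movement point above (example code written for this page, not posted by the commenter), the script below models a small network as hosts assigned to segments plus an allow-list of inter-segment rules, then computes which hosts an attacker with code execution on one box can pivot to. The hosts, segment names and rules are constructed; real enforcement would be firewall/ACL policy, but the reachability logic is the same.

```python
"""Added example (not from the thread): how segmentation limits the blast
radius of a compromise. Hosts, segments and rules are constructed."""
from collections import deque

# Constructed host -> segment assignment.
HOSTS = {
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "hr-ws-07": "users",
    "backup-01": "data",
}

# Allow-rules as (src_segment, dst_segment, port). Anything not listed
# between two different segments is denied.
SEGMENTED_POLICY = {
    ("dmz", "app", 8443),
    ("app", "data", 5432),
    ("users", "dmz", 443),
}


def flat_policy():
    """A flat network: every segment can reach every other on any port."""
    segs = set(HOSTS.values())
    return {(s, d, None) for s in segs for d in segs}


def allowed(policy, src_seg, dst_seg):
    """True if traffic may flow src_seg -> dst_seg under the policy.
    Traffic inside one segment is assumed unfiltered (no microsegmentation)."""
    if src_seg == dst_seg:
        return True
    return any(s == src_seg and d == dst_seg for s, d, _ in policy)


def reachable_hosts(policy, compromised):
    """Hosts an attacker with code execution on `compromised` can pivot to,
    following allow-rules transitively (breadth-first search over hosts)."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for host, seg in HOSTS.items():
            if host not in seen and allowed(policy, HOSTS[cur], seg):
                seen.add(host)
                queue.append(host)
    seen.discard(compromised)
    return sorted(seen)


if __name__ == "__main__":
    print("flat, web-01 compromised:     ", reachable_hosts(flat_policy(), "web-01"))
    print("segmented, web-01 compromised:", reachable_hosts(SEGMENTED_POLICY, "web-01"))
    print("segmented, backup-01 compromised:", reachable_hosts(SEGMENTED_POLICY, "backup-01"))
```

On the flat network a compromised web server reaches every host. With the segmented policy the same compromise still pivots through the app tier into the data segment (transitive trust through the allow-rules), but the user workstations are out of reach, and a compromise of a box in the data segment, which has no outbound rules, can only reach its own segment. The exploit used to get in never appears in the model: segmentation constrains what the attacker can do afterwards, which is the "control the damage" reading of the question.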
I think there's also a question like this somewhere in the official course.
IPS is the only way to actually protect against zero days, since it uses baselines to detect any anomalies in the system. IPS is not only signature based, it's not an antivirus.
Segmentation would just prevent the spread of the infection throughout the network.
I agree, there is no clear answer here. And though I don't think it's what the test would want us to answer, I will say in my 20 years of IT experience that a good patch management process is the most helpful when it comes to zero-day exploits. I say this because once a zero-day becomes public knowledge, the vendor normally rushes to put out some kind of patch or workaround. Having a way to deploy that in a quick and reliable manner is key to getting things back to secure as soon as possible.
But I would say IPS would be most effective against zero-day vulnerabilities because you might be able to detect the unusual traffic or activity. Network segmentation will only help slow the intruder down. If you don't have anything to detect the oddity, then the attacker could install a back door and then work their way across the segments. What's the old saying? An ounce of prevention is worth a pound of cure. But in a perfect world, both would be implemented. My vote is C.
IPSes don't just use known malware definitions to prevent intrusions, they all use heuristics, behavior analysis, baselines, broad signatures (similar to already known ones), and are coupled with threat intelligence.
Patch management is useless for zero-day exploits.
Vulnerability scanners do not prevent attacks.
Segmentation may help, but it's not the most effective.
Network Segmentation is always a good idea, but only effective at preventing spread of malware
IPS can potentially detect a zero-day attack in real time using anomaly or behavior analysis, or even heuristic analysis, and can take automated action to block or prevent it.
Going with C here, as most modern-day IPS systems use heuristics and AI (anomaly detection); it is the only thing that might work.
B: Patch Management will have no effect on Zero-Day exploits as everyone knows
C: Vulnerability scanners will also be useless against zero-day exploits.
A: Network segmentation may help a tad bit, but doesn't identify intrusions, so no go.
An intrusion prevention system is designed to monitor network traffic and detect and block malicious activities, including those associated with zero-day exploits, based on known attack patterns or abnormal behavior.
It's a tough one, but I believe the answer is IPS. Specifically an IPS using heuristic or behavior-based detection. That's usually mentioned as one of the few ways to mitigate zero-day attacks. Network segmentation makes sense to an extent, but I think what CompTIA is testing here is your understanding of detection methods and how they're leveraged.
While the precise methods of a zero-day exploit can't be known in advance, a network intrusion prevention system (IPS) will continuously monitor the network for unusual activity.
The advantage of IPS over a traditional antivirus-only system is that it doesn't rely on checking suspicious software against known databases of threats. This means it does not need updates or patches from software vendors to learn about the latest attacks. IPS works by monitoring the day-to-day patterns of network activity across the network.
When there is an anomaly detection or event, the IPS/IDS alerts system administrators and locks down the network/firewall.
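To make the "monitors day-to-day patterns" argument concrete, here is an added example (written for this page, not the commenter's code) of the simplest form of behavior-based detection an IPS can run: learn a per-host baseline of outbound flow counts and destination/port pairs from several normal observation windows, then flag a window in which a host suddenly contacts many new destinations. The flow records, host names, the 3-sigma threshold and the new-peer limit are all constructed assumptions; no signature for the exploit is involved.

```python
"""Added example (not from the thread): a minimal anomaly-based detector of
the kind a behaviour-based IPS uses. Flow records are constructed."""
import statistics
from collections import defaultdict

# Constructed flow records: (src_host, dst_host, dst_port). Each window is one
# observation period (think five minutes of NetFlow/IPFIX for one host).
BASELINE_WINDOWS = [
    [("app-01", "db-01", 5432)] * 40 + [("app-01", "web-01", 8443)] * 10,
    [("app-01", "db-01", 5432)] * 45 + [("app-01", "web-01", 8443)] * 12,
    [("app-01", "db-01", 5432)] * 38 + [("app-01", "web-01", 8443)] * 9,
    [("app-01", "db-01", 5432)] * 42 + [("app-01", "web-01", 8443)] * 11,
]

# Constructed window after a hypothetical RCE on app-01: normal database
# traffic continues, but the host also sweeps a subnet on SMB and tries SSH
# to the database server, neither of which it has ever done before.
SUSPECT_WINDOW = (
    [("app-01", "db-01", 5432)] * 40
    + [("app-01", f"10.0.3.{i}", 445) for i in range(1, 30)]
    + [("app-01", "db-01", 22)] * 3
)


def profile(window):
    """Per-host features for one window: flow count and set of (dst, port)."""
    counts = defaultdict(int)
    peers = defaultdict(set)
    for src, dst, port in window:
        counts[src] += 1
        peers[src].add((dst, port))
    return counts, peers


def build_baseline(windows):
    """Per-host (mean, stdev) of flow counts plus every (dst, port) seen."""
    per_host_counts = defaultdict(list)
    known_peers = defaultdict(set)
    for window in windows:
        counts, peers = profile(window)
        for host, c in counts.items():
            per_host_counts[host].append(c)
        for host, p in peers.items():
            known_peers[host] |= p
    return {
        host: (statistics.mean(cs), statistics.pstdev(cs), known_peers[host])
        for host, cs in per_host_counts.items()
    }


def detect(baseline, window, k=3.0, max_new_peers=5):
    """Alerts for hosts whose flow count exceeds mean + k*stdev, or that talk
    to more than max_new_peers (dst, port) pairs absent from the baseline.
    k and max_new_peers are assumed tuning values."""
    alerts = []
    counts, peers = profile(window)
    for host, c in counts.items():
        if host not in baseline:
            alerts.append((host, "host never seen in baseline"))
            continue
        mean, stdev, known = baseline[host]
        limit = mean + k * stdev
        if c > limit:
            alerts.append((host, f"flow count {c} exceeds {limit:.1f}"))
        new = peers[host] - known
        if len(new) > max_new_peers:
            alerts.append((host, f"{len(new)} never-seen dst/port pairs"))
    return alerts


if __name__ == "__main__":
    bl = build_baseline(BASELINE_WINDOWS)
    for host, reason in detect(bl, SUSPECT_WINDOW):
        print(f"ALERT {host}: {reason}")
```

The suspect window trips both rules for app-01 (72 flows against a limit of about 62.9, and 30 destination/port pairs that never appeared in the baseline), while replaying any of the baseline windows produces no alert. The caveat that goes with this approach is the one the thread circles around: the detector catches the post-exploitation behaviour (scanning, new connections), not the exploit itself, and a legitimate change in a host's job, such as a new backup target, trips it just as readily, so thresholds and baselines need ongoing tuning.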
I think it's IPS. Zero-day again means there is no patch. Network segmenting is an approach to slowing down a bad actor and mitigating damage. The only way to prevent or protect against an unknown vulnerability would be to use a good next-gen firewall. A vulnerability is only exploitable if it is accessible. IPS, as part of a next-gen firewall or edge protection, would have a chance at blocking the bad actor from even getting into the network. It's C, final answer.
The correct answer is "A." Network Segmentation. There are no known patches for a zero day attack which is a characteristic of a zero day attack, so that rules out the patches answer. Intrusion prevention systems will not prevent a zero day attack because the nature of a zero day attack is malware that has been present for a while and has not been detected, therefore that implies that the malware has already made it past your IPS. Vulnerability scanners would imply the same thing as the IPS that the zero day attack has already made it past your scanners and has been on your system for a while. The only logical/possible answer is "A."
I believe the answer is network segmentation. When we read the question carefully it says "which would be the most effective CONTROL...." The question is not asking for most effective way to prevent the zero day vulnerability. By segregation you can control the situation to prevent a big loss in my opinion.
Look at this site: https://www.imperva.com/learn/application-security/zero-day-exploit/#:~:text=One%20of%20the%
Patch management:
Another strategy is to deploy software patches as soon as possible for newly discovered software vulnerabilities. While this cannot prevent zero-day attacks, quickly applying patches and software upgrades can significantly reduce the risk of an attack.
SY0-601 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other