Exam SY0-601 topic 1 question 359 discussion

Containment and Isolation can be ruled out easily. We are left with A - segmentation and B - firewall allow list. I dont believe firewall will work, since IP addresses can be dynamic and change, which would render the report functionality useless, since it wouldnt be able to send data to the new addresses. Also firewalls tend to be placed between the internet and the inside network, thus it wouldnt prevent any traffic from being sent between hosts inside the network. Thats why I think A is more appropriate answer, but I am open for discussion.

Segmentation involves dividing a network into separate segments or zones based on different security requirements. By implementing network segmentation, the security manager can isolate critical systems, such as the smart generator and the internal file server, into separate network segments. This prevents direct communication between them and reduces the risk of unauthorized access or data exfiltration. However, since the smart generator needs to send alerts to third-party maintenance personnel, it is important to ensure that alerting capabilities are maintained. This can be achieved by implementing appropriate access controls and routing rules that allow the generator to communicate with the necessary systems or services while still maintaining network segmentation.

A, C, and D are all overkill - similar to using a flamethrower, a Tesla-Coil/vandegraff, or HAARP for a killing a housefly when all you need is a flyswatter. Appropriate tools for the job. The generator is networked and the reporting application it is talking to is on the server. A firewall rule to allow the MAC & Protocol on the Generator controller to talk only to the server application is all that is needed.

A. Segmentation

Segmentation might seem like the answer but i am more certain its firewall allow list, its a far simplier option to implement and its just as effective

other options (firewall allow list, containment, and isolation) might provide certain levels of control or isolation, but segmentation (A) is specifically designed to address the scenario described, offering a more comprehensive and effective solution to prevent unauthorized or unexpected communication between different parts of the network

How is segmenting the network going to stop the engine from sending packets to a selected IP? Unless segmentation completely blocks outband traffic, I don't understand how's that going to help. Firewall will at least block traffic based on rules.

Containment and isolation, while verbally tempting, refer to actions taken after a breach has already been detected.

The best mitigation for the security manager to implement while maintaining alerting capabilities would be to deploy a firewall rule that only permits traffic from the smart generator’s IP to the third-party maintenance personnel’s IP. This is because segmentation, containment, and isolation would not allow the generator to send alerts to third-party maintenance personnel.

B because the system status and sends alerts to third-party maintenance and we need to maintain alerting capabilities the admin will just make sure the alerts are reaching who they need to reach and making sure if they need to store the alerts on their system as well

A. Segmentation

Segmentation. Both C and D are kind of the same thing. Isolating the generator means that the industrial system cannot monitor any alerts anymore.

Segmentation is the best answer here.

A. Segmentation would be the BEST

A. Segmentation would be the BEST