An incident report is the formal documentation used to communicate the details of a significant event, such as a technical outage, to relevant stakeholders, including management. This report provides a comprehensive summary of the incident, a timeline of events, the impact on operations, and a detailed account of the remedial actions taken by the technical team. Its primary purpose is to provide a clear, concise record for analysis, review, and decision-making, which directly aligns with the management team's request.

A. Knowledge base article: This is a troubleshooting guide for recurring issues, not a formal report to management about a specific, concluded outage.

B. Non-disclosure agreement: This is a legal contract to ensure confidentiality and is irrelevant to reporting the details of a technical failure.

D. Standard operating procedure: This document dictates the pre-approved steps to perform during an incident, not the summary report created after the incident.

1. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 2.3.4

Reporting (Page 13): States

"Reports can also be created to give management a synopsis of the incident handling team’s activities." This confirms that reports are the appropriate medium for summarizing incident details for management.

Section 3.4

Post-Incident Activity (Page 43): Discusses creating a follow-up report after an incident is resolved

which "provides a complete documentation of the incident" and is used for review and lessons learned.

2. Purdue University

Incident Response Handbook.

Section: Incident Reporting (Page 5): Describes the purpose of an incident report: "The purpose of the incident report is to document the details of the incident... This report will be used to brief management... and to document actions taken." This directly supports providing an incident report to management.

A Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection over a public network, such as the internet, to a private network, like a company's internal network. For a user working from home, a VPN client on their laptop establishes this secure "tunnel," allowing them to access internal company resources, such as file servers, as if they were physically present in the office. This is the standard and most direct solution for providing secure remote access to private corporate files.

A. Wide-area network: This is a broad network category (e.g., the internet) that the user is already on. It is not a specific configuration to grant access to a private network.

B. Wireless network: This provides the user's initial internet connection at home but does not inherently grant access to the secure, private company network.

C. Proxy network settings: A proxy server primarily manages and filters web traffic. It does not typically provide the encrypted, network-level access required for file shares.

1. Microsoft Documentation: "A virtual private network (VPN) is a point-to-point connection over a private or public network

such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols

called tunneling protocols

to make a virtual call to a virtual port on a VPN server."

Source: Microsoft

"What is VPN?". Windows Server Documentation

VPN Gateway Section.

2. University Courseware: "VPNs are essential for telecommuting

allowing employees to access their company's intranet from home or while traveling. The VPN software on the user's computer encrypts data before sending it through the internet

and the VPN server at the company decrypts it

ensuring a secure channel."

Source: Kurose

J. F.

& Ross

K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. Chapter 8

Section 8.2

"Securing TCP connections: SSL". (This textbook is widely used in university networking courses).

3. Academic Publication: "The primary purpose of a VPN is to provide a secure communication mechanism between remote users and a private corporate network... It encapsulates private network data within encrypted packets and tunnels them over the public Internet."

Source: Zand

A.

& Jacob

S. M. (2019). A Survey on Virtual Private Network (VPN) Technologies. International Journal of Computer Applications

178(45)

1-5. DOI: 10.5120/ijca2019918591.

The scenario describes a high-density environment—a major music festival. In such locations, a large number of mobile devices attempt to connect to the cellular network simultaneously. This high demand can exceed the capacity of the local cell towers, leading to network congestion. Symptoms of network congestion include slow data speeds, connection timeouts, and the inability to access online services, which perfectly aligns with the executive's email application getting "stuck during connection attempts." This is the most direct and contextually appropriate cause for the described disruption.

A. The phone has no storage space available: A lack of storage would typically prevent new data from being saved and generate a specific "storage full" error, not cause a network connection to hang.

B. Company firewalls are configured to block remote access to email resources: A firewall policy would likely cause a consistent failure to connect from any remote location, not a performance-related issue specific to a crowded event.

D. The festival organizer prohibits internet usage during the event and has blocked the internet signal: Actively blocking cellular signals (jamming) is highly improbable, technically difficult for a large area, and generally illegal in most jurisdictions.

1. Kurose

J. F.

& Ross

K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. In Chapter 1

Section 1.4.2

the text explains that network congestion occurs when the demand for a network link's bandwidth exceeds its capacity

leading to packet loss and increased delays

which manifests as slow performance or connection timeouts for users.

2. Tanenbaum

A. S.

& Wetherall

D. J. (2014). Computer Networks (5th ed.). Pearson Education. Chapter 5

Section 5.3 discusses congestion control

explaining that when too many packets are present in a subnet

performance degrades. This principle applies directly to a cellular network (a subnet) being overwhelmed by too many devices.

3. CompTIA A+ Core 2 (220-1102) Exam Objectives. (n.d.). CompTIA. Section 2.7

"Given a scenario

troubleshoot mobile device issues

" includes troubleshooting "No network connectivity." This objective covers understanding environmental factors like signal strength and interference

which are directly impacted by network congestion in high-density areas.

Managed Detection and Response (MDR) is a cybersecurity service that provides organizations with threat hunting, monitoring, and response capabilities delivered by a third-party vendor. The service leverages a combination of technologies and human expertise to perform incident management and protect an organization's assets. The scenario's description of a "third-party vendor with multiple tools to protect its assets" directly aligns with the definition of an MDR service.

A. PaaS: Platform as a Service is a cloud computing model that provides a platform for developing, running, and managing applications, not a security incident management service.

B. EDR: Endpoint Detection and Response is a specific security technology solution focused on monitoring and responding to threats on endpoints (e.g., workstations, servers), not a comprehensive managed service type.

D. XDR: Extended Detection and Response is a technology platform that unifies security data from multiple sources (endpoints, network, cloud). While an MDR service may use XDR, XDR itself describes the technology, not the outsourced service model.

1. MDR Definition: Soua

R.

& Seara

F. (2022). A Survey on Managed Detection and Response. ACM Computing Surveys

55(3)

1–37. https://doi.org/10.1145/3522766. The paper defines MDR as "a managed cybersecurity service that provides organizations with threat hunting services and responds to threats once they are discovered." (Section 2

para. 1).

2. PaaS Definition: Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (Special Publication 800-145). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-145. Page 2 defines Platform as a Service (PaaS) as the capability to "deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages

libraries

services

and tools supported by the provider."

3. EDR/XDR Distinction: Büttner

K.

Happe

L.

& Klesel

M. (2023). From EDR to XDR: A Systematic Literature Review. In Proceedings of the 18th International Conference on Availability

Reliability and Security (ARES '23). Association for Computing Machinery

New York

NY

USA

Article 120

1–10. https://doi.org/10.1145/3600160.3600229. The paper distinguishes EDR as endpoint-focused

while XDR "extends the concepts of EDR to other data sources" (Section 3.2). This highlights them as technology types

contrasting with the service model of MDR.

The primary security issue is the sharing of passcodes. Facial recognition is a biometric authentication method that verifies a user's identity based on their unique facial characteristics. Unlike passcodes or patterns, which are knowledge-based factors that can be shared or observed, biometrics are inherent to the individual and are not easily transferable. Deploying facial recognition as the screen lock method directly mitigates the risk of credential sharing, thereby increasing the device's security as requested by management.

A. Pattern lock: This is a knowledge-based method, similar to a passcode, that can be easily observed (shoulder surfing) and shared, failing to address the core problem.

C. Device encryption: This is a data protection mechanism that secures data at rest. It is not a screen lock or user authentication method itself.

D. Multifactor authentication: This is a broad security concept requiring multiple authentication factors. Facial recognition is a specific technology (an inherence factor) that fulfills the requirement for a more secure, non-shareable lock method.

1. Apple

Inc. (2024). Apple Platform Security Guide. "Face ID and Touch ID" section. The guide details how Face ID provides intuitive and secure authentication using the TrueDepth camera system and neural networks

creating a mathematical representation of the user's face. This biometric data is unique to the user and encrypted within the Secure Enclave

making it a non-shareable authentication method. (Refer to the "Face ID security" subsection).

2. Google. (n.d.). Android Open Source Project: Implementing Biometrics. The documentation describes how the Android Biometric framework provides a standardized way for apps and the system to use biometric authentication

including face and fingerprint. It emphasizes biometrics as a secure alternative to traditional knowledge-based credentials like PINs or passwords for device unlock. (Refer to the "Biometric authentication" overview).

3. Carnegie Mellon University Information Security Office. (n.d.). Mobile Device Security. University security guidelines frequently recommend enabling biometric features like facial recognition or fingerprint scanning in addition to a strong passcode. This is advised because biometrics tie device access to the physical user

preventing unauthorized access from shared or stolen credentials. (Refer to the section on "Securing Your Device").

Employee offboarding is the formal process of separating a user from an organization's resources. A standard security checklist for this process prioritizes the immediate revocation of both physical and logical access. Deactivating key fobs (B) revokes physical access to buildings and secure areas. Suspending the user's email account (D) is a critical step in revoking logical access to communication systems and other federated services, preventing potential data exfiltration or unauthorized activity. These two actions are fundamental and universally applied during offboarding to secure company assets.

A. Quarantine the hard drive in the user's laptop: This is a forensic procedure for legal holds or investigations, not a standard task for every departing employee.

C. Purge all PII associated with the user: Organizations must retain employee data for legal, tax, and regulatory compliance for a specific period; immediate purging is often not permissible.

E. Turn off the network ports underneath the user's desk: Access is typically managed by user authentication (e.g., 802.1X), not by disabling physical ports, which may be needed by the next user.

F. Add the MAC address of the user's computer to a blocklist: Disabling the user's account is a more effective and standard control than MAC filtering, especially for company-owned devices that will be repurposed.

1. Massachusetts Institute of Technology (MIT) Knowledge Base. (n.d.). Termination Checklist for IT Resources. MIT Information Systems and Technology. Retrieved from https://kb.mit.edu/confluence/display/istcontrib/Termination+Checklist+for+IT+Resources. This document explicitly lists "Disable the user's Kerberos account" (which controls email and other services) and "Collect keys

ID cards

etc." as key offboarding tasks.

2. Cornell University IT. (n.d.). De-provisioning IT Services for Departing Employees. Retrieved from https://it.cornell.edu/deprovisioning/de-provisioning-it-services-departing-employees. The checklist includes "Disable NetID

email

and other accounts" and "Collect university-owned equipment and property (keys

ID card

etc.)."

3. Carnegie Mellon University Information Security Office. (n.d.). Guideline for Account Management. Retrieved from https://www.cmu.edu/iso/governance/guidelines/account-management-guideline.html. Section "Account Termination" states

"Computing accounts and related access privileges must be disabled in a timely manner upon termination of employment..." This supports the principle of disabling accounts like email.

A remote wipe is a security feature, typically managed through a Mobile Device Management (MDM) solution, that allows an administrator to send a command to erase all data on a lost or stolen mobile device. This action is the most effective way to protect sensitive corporate data stored locally on the phone from being accessed by an unauthorized individual who has physical possession of the device. It renders the local data unrecoverable, thus mitigating the data breach risk.

A. Password manager: This application secures credentials for various services but does not protect the phone's local file system or data if the device's primary lock is bypassed.

B. Degaussing: This is a physical data destruction method that uses a powerful magnet to erase data. It requires physical possession of the device and cannot be performed remotely.

D. Antivirus: This software protects against malware infections. It does not prevent an unauthorized user with physical access from attempting to bypass the lock screen and access local data.

1. CompTIA A+ Core 2 (220-1202) Exam Objectives. (2024). CompTIA. Objective 2.6

"Given a scenario

secure mobile devices

" explicitly lists "Remote wipe" as a security feature for mobile devices.

2. National Institute of Standards and Technology (NIST). (June 2021). Special Publication 800-124 Revision 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise. Section 5.3

"Mitigation of Lost or Stolen Device

" states: "Organizations should have the capability to remotely wipe the data from a lost or stolen mobile device to prevent a data breach."

3. Carnegie Mellon University Information Security Office. (n.d.). Mobile Device Security. In the "What to do if your device is lost or stolen" section

it advises users to "Remotely wipe your device to remove all data." This reflects standard institutional guidance on mobile security.

The term "end of life" (EOL) is the specific industry standard for when a software vendor ceases all support for a product, including an operating system. This cessation of support means the vendor will no longer provide security updates, patches, or any technical assistance. The email received by the administrator, which states that security updates and patches will no longer be issued, is a direct announcement of the OS reaching its EOL status. This is a critical security concern as the OS will become increasingly vulnerable to new threats over time.

A. Support from the computer's manufacturer is expiring: This refers to hardware support (e.g., warranty, parts), not the OS vendor's commitment to providing software security updates.

C. The built-in security software is being removed from the next OS version: This describes a feature change in a future OS version and does not explain why the current OS is losing all support.

D. A new version of the OS will be released soon: While a new release often precedes an older version's EOL, it is not the direct cause. The formal EOL declaration is the reason support ends.

1. Microsoft Corporation. (n.d.). General Lifecycle Policy questions. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/lifecycle/faq/general-lifecycle-policy.

Under the "What does end of support mean?" section

it states: "end of support for a product means there will be no more security updates

non-security updates

or assisted support." This directly aligns with the scenario.

2. MIT Information Systems & Technology (IS&T). (2023

October 23). What does 'end-of-life' mean for software and operating systems? MIT. Retrieved from https://ist.mit.edu/news/what-does-end-life-mean-software-and-operating-systems.

The document defines the term: "When a software or operating system (OS) reaches the end of its life

the developer will no longer provide updates

including critical security patches."

3. Householder

A. D. (2019

May 20). The Security Dangers of End-of-Life Software. Carnegie Mellon University Software Engineering Institute (SEI) Blog. Retrieved from https://insights.sei.cmu.edu/blog/the-security-dangers-of-end-of-life-software/.

This publication from a reputable research institution explains

"End-of-life (EOL) is a term that the vendor uses to indicate that a product... is at the end of its useful life... From the vendor's perspective

this means that they will no longer be marketing

selling

or updating the product with patches."

The application's failure to populate information suggests a connectivity issue with the database server. curl is a command-line tool for transferring data using various network protocols. It can be used to test connectivity to a specific server and port, which is essential for diagnosing if the database service is accessible from the client machine. By attempting a connection to the server's IP address and the database's specific port (e.g., curl -v telnet://serverip:port), a technician can quickly verify if the port is open and listening. This makes curl the most direct and effective troubleshooting tool among the choices for this specific problem.

A. ipconfig: This command displays the local machine's IP configuration. It does not test connectivity to a remote server or a specific service port.

B. nslookup: This tool is used for DNS queries to resolve hostnames to IP addresses. It does not verify if the host is reachable or if a service is running.

C. netstat: This command shows active network connections and listening ports on the local machine. It does not actively test the ability to establish a new connection to a remote server.

1. curl project documentation: The official documentation describes curl's capabilities

including its use with the TELNET protocol to test port connectivity. "curl is a tool to transfer data from or to a server

using one of the supported protocols... TELNET..."

Source: Stenberg

D. (2023). curl - Manual. curl project. Retrieved from https://curl.se/docs/manpage.html (See protocol descriptions).

2. Microsoft Command-line reference: Microsoft's documentation for curl

which is included in modern Windows operating systems

outlines its syntax and use for transferring data from a server

which implicitly includes testing the connection to that server's service.

Source: Microsoft. (2023). curl command-line tool. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/curl.

3. University Courseware on Network Tools: Computer networking courses frequently teach the use of command-line utilities for diagnostics. curl and telnet are standard tools for verifying application-layer connectivity to a specific port.

Source: Kurose

J.

& Ross

K. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. Chapter 2

"Application Layer

" discusses client-server interactions and the tools used to debug them

such as Telnet

which curl can emulate.

Virtual Network Computing (VNC) is a platform-independent remote access technology that uses the Remote Framebuffer (RFB) protocol. It is designed to transmit the screen's pixel data from a server to a client and send control inputs (keyboard, mouse) back to the server. This allows a technician to view and interact with the exact graphical desktop session the user is currently using, which directly fulfills the requirements of the scenario. VNC is widely supported on both Linux and Windows, making it the ideal solution for this cross-platform support case.

A. VPN: A Virtual Private Network provides secure, encrypted network access to a remote network but does not offer any native screen sharing or remote control capabilities.

C. SSH: Secure Shell provides secure command-line (text-based) access to a remote system. It does not support graphical desktop sharing, which is a key requirement.

D. RDP: Remote Desktop Protocol is a Microsoft proprietary protocol. While RDP servers exist for Linux, RDP typically creates a new, separate user session rather than sharing the console user's active session.

1. Tristan Richardson

et al. (March 2011). The Remote Framebuffer Protocol. IETF RFC 6143. This document specifies the VNC protocol

stating

"The Remote Framebuffer (RFB) protocol is a simple protocol for remote access to graphical user interfaces... it is 'thin' in the sense that the client is a simple framebuffer display and the server does all the application processing." (Abstract

Page 1). This confirms VNC's role in graphical remote access.

DOI: https://doi.org/10.17487/RFC6143

2. Carnegie Mellon University

School of Computer Science. Remote Access to Linux Systems. This courseware distinguishes between access methods: "SSH is the standard way to get a command-line prompt on a remote machine... VNC is a way to get a graphical 'desktop' on a remote machine." This highlights VNC as the appropriate tool for graphical interaction.

Reference: https://www.cs.cmu.edu/~help/systems/remoteaccess.html (Section: "Graphical/Desktop Access")

3. Microsoft Corporation. Remote Desktop Services architecture. Official documentation describes RDP architecture

which typically involves creating sessions via the Session Host. "The RD Session Host server hosts Windows-based programs or the full Windows desktop. Users can connect to an RD Session Host server to run programs

save files

and use network resources on that server." This model contrasts with VNC's direct session sharing.

Reference: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-architecture (Section: "Remote Desktop Session Host")