A staging environment is a replica of the production environment used for final testing before deployment. Its primary purpose is to validate new features, code changes, and updates in a setting that mirrors the live system's hardware, software, and network configuration. Testing a "newly released feature" here allows the administrator to identify any issues related to integration, performance, or deployment in a controlled, production-like setting without impacting actual users. This environment is the final gate before a feature goes live, making it the best choice for this scenario.

B. Testing environment: This environment is for general quality assurance (QA) testing and often precedes staging. It may not be an exact replica of the production environment.

C. CI/CD pipeline: This is an automated process for building, testing, and deploying code through various stages; it is not a test location itself.

D. Development environment: This is where developers write and perform initial unit tests on their code, a phase that a "newly released feature" has already passed.

---

1. Google Cloud Architecture Center. (2023). Application development and delivery: Environments. "A staging environment is the last step before a production environment. The staging environment should be as identical to the production environment as possible... This environment is used to test the code and to check for any production-specific deployment issues."

2. AWS Well-Architected Framework. (July 2023). Operational Excellence Pillar (Whitepaper)

p. 31. In the section "Implement changes

" the framework advises

"Test deployment procedures in an environment that is a replica of your production environment. This is often called a staging or pre-production environment."

3. Saltzer

J. H.

& Kaashoek

M. F. (2009). Principles of Computer System Design: An Introduction. MIT OCW

Course 6.033 Computer System Engineering

Spring 2009

Chapter 8

p. 218. The text discusses the principle of a "staging system" as a crucial step for testing changes in a realistic environment before they are deployed to the primary

operational system to minimize risk.

The Security Content Automation Protocol (SCAP) is a suite of specifications standardized by NIST for automating vulnerability management and policy compliance evaluation. It is designed specifically for tasks like performing a gap assessment against a security benchmark, checking for required configurations such as firewall status, password policies, and application lists.

Secure Access Service Edge (SASE) is a cloud-native architecture that converges network and security services. A core tenet of SASE is Zero Trust Network Access (ZTNA), which directly addresses the "Zero Trust application access" requirement. SASE solutions enforce access policies by continuously assessing the security posture of endpoints, verifying compliance with requirements like full disk encryption and host-based firewalls before granting access to resources.

A. CASB: A Cloud Access Security Broker (CASB) primarily secures traffic between users and cloud applications; it does not perform comprehensive OS-level configuration assessments.

B. SBoM: A Software Bill of Materials (SBoM) is an inventory of software components, used for vulnerability management and supply chain security, not for enforcing endpoint configuration policies.

E. HIDS: A Host-based Intrusion Detection System (HIDS) is a monitoring tool that detects malicious activity or policy violations, but it is not a framework for configuration assessment or Zero Trust access control.

1. NIST Special Publication 800-126 Revision 3

The Security Content Automation Protocol (SCAP) Version 1.3. Section 2

"Introduction

" states

"SCAP is a suite of specifications for exchanging security automation content... It is used for purposes such as automating vulnerability checking

compliance checking

and security measurement."

2. NIST Special Publication 800-207

Zero Trust Architecture. Section 3.2.2

"Device

" discusses the importance of the system's security posture in a Zero Trust Architecture. It states

"The enterprise monitors and manages the security posture of devices... This includes patch levels

OS versions

and integrity of security components." SASE is an implementation of this principle.

3. Yousef

W.

& Shosha

A. F. (2023). A Survey on Secure Access Service Edge (SASE). IEEE Access

11

51119-51143. https://doi.org/10.1109/ACCESS.2023.3279111. The paper defines SASE as a framework that "integrates networking and security functions into a unified

cloud-native service

" with Zero Trust Network Access (ZTNA) as a core component for enforcing granular

identity- and context-aware access policies.

A Threat Intelligence Platform (TIP) is the most suitable option as it is specifically designed to manage the threat intelligence lifecycle. A TIP aggregates raw data from various sources (including dark web monitoring and honeypots), enriches and analyzes it to produce contextualized, actionable intelligence. This output can then be directly operationalized by integrating with other security tools like SIEMs, SOAR platforms, and firewalls to automate defensive actions, thus fulfilling the company's goal of investing in research and making its output useful for security operations.

A. Dark web monitoring: This is a specific source of threat data, not a comprehensive platform for aggregating, analyzing, and operationalizing intelligence from multiple research efforts.

C. Honeypots: These are decoy systems used to gather specific intelligence on attacker tactics, techniques, and procedures (TTPs). The data from a honeypot is a research input, not the platform for operationalization.

D. Continuous adversary emulation: This is a validation technique used to test the effectiveness of existing security controls against known threats, rather than a platform for collecting and operationalizing new research.

---

1. European Union Agency for Cybersecurity (ENISA). (2021). Threat Intelligence Platforms.

Page 11

Section 3.1

"What is a TIP?": The document states

"A Threat Intelligence Platform (TIP) is a technology solution that collects

aggregates

and organises threat data from multiple sources... The primary goal of a TIP is to help organisations manage the overwhelming amount of threat data... and provide actionable intelligence to their security teams." This directly supports the choice of a TIP for operationalizing research.

2. Tounsi

W.

& Rais

H. (2018). A Survey on Technical Threat Intelligence in the Age of Big Data. IEEE Communications Surveys & Tutorials

20(3)

2123-2146.

Page 2133

Section V-A

"Threat Intelligence Platforms": The paper describes TIPs as solutions that "allow the operationalization of threat intelligence" by integrating with security controls like firewalls and IDS. It contrasts TIPs with simple data feeds

highlighting their role in analysis and action.

DOI: https://doi.org/10.1109/COMST.2018.2808252

3. Martin

R. A. (2016). A Framework for Classifying and Comparing Threat Intelligence Platforms. Carnegie Mellon University

Software Engineering Institute.

Page 3

Section 2

"Threat Intelligence Platform (TIP) Defined": This technical note defines a TIP as a platform that "facilitates the collection

analysis

and dissemination of threat intelligence." It emphasizes the function of dissemination

which is key to operationalizing the research output by feeding it to other security systems.

Regression testing is specifically designed to detect the re-emergence of previously fixed defects after code changes, upgrades, or component reintegration. By executing a maintained suite of regression tests every time earlier versions or modules are merged into the current code base, the team verifies that earlier fixes (such as the RBAC segmentation control) still hold, preventing the reintroduction of old bugs in a multitenant SaaS environment.

B. Code signing – Verifies publisher authenticity and integrity of delivered binaries; it does not test for functional defects.

C. Automated test and retest – Generic phrase; without a focused regression test suite it may miss previously resolved issues.

D. User acceptance testing – Confirms user requirements in production-like conditions, not systematic detection of resurrected internal bugs.

E. Software composition analysis – Scans third-party libraries for known vulnerabilities/licensing issues, not logic flaws introduced by integrating earlier in-house code.

1. SWEBOK v3.0

Ch. 4 “Software Testing”

§4.1.4 Regression Testing

p. 43-44: describes purpose of regression testing to detect re-introduced faults after changes.

2. IEEE Std 29119-1:2013

§7.2.7 Regression Testing: mandates executing regression suites whenever existing software components are modified or integrated.

3. MIT OpenCourseWare 6.005 “Software Construction”

Lecture notes 12 “Regression Testing”

slides 3-5: explains preventing old bugs from resurfacing via automated regression tests.

4. NIST Special Publication 500-291 (Software Assurance Metrics)

§5.3.2: highlights regression tests in continuous integration pipelines to ensure fixes remain effective after updates.

Attack surface reduction is the security design principle of minimizing the number of potential entry points for an adversary. This is achieved by removing all non-essential software, disabling unnecessary services, closing unused network ports, and restricting protocols. This process directly addresses the architect's requirement to expose the least number of services possible, thereby limiting an adversary's ability to access and exploit the systems. It is the foundational strategy that encompasses other more specific hardening actions.

A. Enforce Secure Boot.

This protects the pre-boot and boot process from rootkits and bootkits, ensuring system integrity at startup, but it does not reduce the number of services running once the OS is loaded.

C. Disable third-party integrations.

This is a specific tactic within the broader strategy of attack surface reduction. While a valid step, it is not the comprehensive first action to take, which is the overall analysis and reduction process.

D. Limit access to the systems.

This involves access control measures (e.g., firewalls, ACLs) that restrict who can reach the services. It does not reduce the number of services themselves, which remain running and potentially vulnerable.

---

1. National Institute of Standards and Technology (NIST) Special Publication 800-53

Revision 5

Security and Privacy Controls for Information Systems and Organizations. Control CM-7 (Least Functionality)

Page 138. The control states

"The organization: a. Configures the system to provide only essential capabilities; and b. Prohibits or restricts the use of... functions

ports

protocols

and/or services..." This directly describes the core activity of attack surface reduction.

2. National Institute of Standards and Technology (NIST) Special Publication 800-160

Volume 1

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Section 3.3.3.2 (Attack Surface Reduction)

Page 68. This section defines the principle: "Attack surface reduction is a means of reducing risk by giving attackers less opportunity to exploit a potential weakness or vulnerability. This can be achieved by running only essential services

removing unnecessary software

disabling unnecessary user accounts

and eliminating unused or unnecessary system capabilities or functions."

3. Purdue University

Center for Education and Research in Information Assurance and Security (CERIAS)

Introduction to Systems and Network Security. This courseware emphasizes attack surface minimization as a primary defense strategy. It defines the attack surface as the "set of ways in which an adversary can enter a system and potentially cause damage

" and its reduction as the first step in hardening a system by removing all but the necessary services. (Reference to general principles taught in foundational cybersecurity courses at institutions like Purdue).

.

Explanation:

Code Snippet 1

Vulnerability 1: SQL injection

SQL injection is a type of attack that exploits a vulnerability in the code that interacts with a

database. An attacker can inject malicious SQL commands into the input fields, such as username or

password, and execute them on the database server. This can result in data theft, data corruption, or

unauthorized access.

Fix 1: Perform input sanitization of the userid field.

Input sanitization is a technique that prevents SQL injection byvalidating and filtering the user input

values before passing them to the database. The input sanitization should remove any special

characters, such as quotes, semicolons, or dashes, that can alter the intended SQL query.

Alternatively, the input sanitization can use a whitelist of allowed values and reject any other values.

Code Snippet 2

Vulnerability 2: Cross-site request forgery

Cross-site request forgery (CSRF) is a type of attack that exploits a vulnerability in the code that

handles web requests. An attacker can trick a user into sending a malicious web request to a server

that performs an action on behalf of the user, such as changing their password, transferring funds, or

deleting dat

a. This can result in unauthorized actions, data loss, or account compromise.

Fix 2: Implement anti-forgery tokens.

Anti-forgery tokens are techniques that prevent CSRF by adding a unique and secret value to each

web request that is generated by the server and verified by the server before performing the action.

The anti-forgery token should be different for each user and each session, and should not be

predictable or reusable by an attacker. This way, only legitimate web requests from the user’s

browser can be accepted by the server.

Analysis and Remediation Options for Each IoC:

IoC 1:

Evidence:

Source: Apache_httpd

Type: DNSQ

Dest: @10.1.1.1:53,@10.1.2.5

Data: update.s.domain, CNAME 3a129sk219r9slmfkzzz000.s.domain, 108.158.253.253

Analysis:

Analysis: The service is attempting to resolve a malicious domain.

Reason: The DNS queries and the nature of the CNAME resolution indicate that the service is trying

to resolve potentially harmful domains, which is a common tactic used by malware to connect to

command-and-control servers.

Remediation:

Remediation: Implement a blocklist for known malicious ports.

Reason: Blocking known malicious domains at the DNS level prevents the resolution of harmful

domains, thereby protecting the network from potential connections to malicious servers.

IoC 2:

Evidence:

Src: 10.0.5.5

Dst: 10.1.2.1, 10.1.2.2, 10.1.2.3, 10.1.2.4, 10.1.2.5

Proto: IP_ICMP

Data: ECHO

Action: Drop

Analysis:

Analysis: Someone is footprinting a network subnet.

Reason: The repeated ICMP ECHO requests to different addresses within a subnet indicate that

someone is scanning the network to discover active hosts, a common reconnaissance technique used

by attackers.

Remediation:

Remediation: Block ping requests across the WAN interface.

Reason: Blocking ICMP ECHO requests on the WAN interface can prevent attackers from using ping

sweeps to gather information about the network topology and active devices.

IoC 3:

Evidence:

Proxylog:

GET

/announce?info_hash=%01dff%27f%21%10%c5%wp%4e%1d%6f%63%3c%49%6d&peer_id%3dxJFS

Uploaded=0&downloaded=0&left=3767869&compact=1&ip=10.5.1.26&event=started

User-Agent: RAZA 2.1.0.0

Host: localhost

Connection: Keep-Alive

HTTP200 OK

Analysis:

Analysis: An employee is using P2P services to download files.

Reason: The HTTP GET request with parameters related to a BitTorrent client indicates that the

employee is using peer-to-peer (P2P) services, which can lead to unauthorized data transfer and

potential security risks.

Remediation:

Remediation: Enforce endpoint controls on third-party software installations.

Reason: By enforcing strict endpoint controls, you can prevent the installation and use of

unauthorized software, such as P2P clients, thereby mitigating the risk of data leaks and other

security threats associated with such applications.

Reference:

CompTIA Security+ Study Guide: This guide offers detailed explanations on identifying and mitigating

various types of Indicators of Compromise (IoCs) and the corresponding analysis and remediation

strategies.

CompTIA Security+ Exam Objectives: These objectives cover key concepts in network security

monitoring and incident response, providing guidelines on how to handle different types of security

events.

Security Operations Center (SOC) Best Practices: This resource outlines effective strategies for

analyzing and responding to anomalous events within a SOC, including the use of blocklists, endpoint

controls, and network configuration changes.

By accurately analyzing the nature of each IoC and applying the appropriate remediation measures,

the organization can effectively mitigate potential security threats and maintain a robust security

posture.

below.

Explanation:

10.1.45.65 SFTP ServerDisable 8080

10.1.45.66 Email Server Disable 415 and 443

10.1.45.67 Web Server Disable 21, 80

10.1.45.68 UTM Appliance Disable 21

below

for the solution.

Explanation:

WAP A: No issue found. The WAP A is configured correctly and meets therequirements.

PC A = Enable host-based firewall to block all traffic

This option will turn off the host-based firewall and allow all traffic to pass through. This will comply

with the requirement and also improve the connectivity of PC A to other devices on the network.

However, this option will also reduce the security of PC A and make it more vulnerable to attacks.

Therefore, it is recommended to use other security measures, such as antivirus, encryption, and

password complexity, to protect PC A from potential threats.

Laptop A: Patch management

This option will install the updates that are available for Laptop A and ensure that it has the most

recent security patches and bug fixes. This will comply with the requirement and also improve the

performance and stability of Laptop A. However, this option may also require a reboot of Laptop A

and some downtime during the update process. Therefore, it is recommended to backup any

important data and close any open applications before applying the updates.

Switch A: No issue found. The Switch A is configured correctly and meets the requirements.

Switch B: No issue found. The Switch B is configured correctly and meets the requirements.

Laptop B: Disable unneeded services

This option will stop and disable the telnet service that is using port 23 on Laptop B. Telnet is a

cleartext service that transmits data in plain text over the network, which exposes it to

eavesdropping, interception, and modification by attackers. By disabling the telnet service, you will

comply with the requirement and also improve the security of Laptop B. However, this option may

also affect the functionality of Laptop B if it needs to use telnet for remote administration or other

purposes. Therefore,it is recommended to use a secure alternative to telnet, such as SSH or HTTPS,

that encrypts the data in transit.

PC B: Enable disk encryption

This option will encrypt the HDD of PC B using a tool such as BitLocker or VeraCrypt. Disk encryption

is a technique that protects data at rest by converting it into an unreadable format that can only be

decrypted with a valid key or password. By enabling disk encryption, you will comply with the

requirement and also improve the confidentiality and integrity of PC B’s data. However, this option

may also affect the performance and usability of PC B, as it requires additional processing time and

user authentication to access the encrypted data. Therefore, it is recommended to backup any

important data and choose a strong key or password before encrypting the disk.

PC C: Disable unneeded services

This option will stop and disable the SSH daemon that is using port 22 on PC C. SSH is a secure

service that allows remote access and command execution over an encrypted channel. However,

port 22 is thedefault and well-known port for SSH, which makes it a common target for brute-force

attacks and port scanning. By disabling the SSH daemon on port 22, you will comply with the

requirement and also improve the security of PC C. However, this option may also affect the

functionality of PC C if it needs to use SSH for remote administration or other purposes. Therefore, it

is recommended to enable the SSH daemon on a different port, such as 4022, by editing the

configuration file using the following command:

sudo nano /etc/ssh/sshd_config

Server A. Need to select the following:

https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Security_X_CASP+_CAS-005/page_108_img_1.jpg

A black and white screen with white text Description automatically generated

Matching Relevant Findings to the Affected Hosts: Finding 1: Affected Host: DNS Reason: Users are unable to log into the domain from their workstations after relocating to Site B, which implies a failure in domain name services that are critical for user authentication and domain login. Finding 2: Affected Host: Pumps Reason: Thepump room at Site B becoming inoperable directly points to the critical infrastructure components associated with pumping operations. Finding 3: Affected Host: VPN Concentrator Reason: Unreliable internet connectivity at Site B due to route flapping indicates issues with network routing, which is often managed by VPN concentrators that handle site-to-site connectivity. Corrective Actions for Finding 3: Finding 3 Corrective Action: Action: Modify the BGP configuration Reason: Route flapping is often related to issues with Border Gateway Protocol (BGP) configurations. Adjusting BGP settings can stabilize routes and improve internet connectivity reliability. Replication to Site B for Finding 1: Affected Host: DNS Domain Name System (DNS) services are essential for translating domain names into IP addresses, allowing users to log into the network. Replicating DNS services ensures that even if Site A is disrupted, users at Site B can still authenticate and access necessary resources. Replication to Site B for Finding 2: Affected Host: Pumps The operation of the pump room is crucial for maintaining various functions within the infrastructure. Replicating the control systems and configurations for the pumps at Site B ensures that operations can continue smoothly even if Site A is affected. Configuration Changes for Finding 3: Affected Host: VPN Concentrator Route flapping is a situation where routes become unstable, causing frequent changes in the best path for data to travel. This instability can be mitigated by modifying BGP configurations to ensure more stable routing. VPN concentrators, which manage connections between sites, are typically configured with BGP for optimal routing. Reference: CompTIA Security+ Study Guide: This guide provides detailed information on disaster recovery and continuity of operations, emphasizing the importance of replicating critical services and making necessary configuration changes to ensure seamless operation during disruptions. CompTIA Security+ Exam Objectives: These objectives highlight key areas in disaster recovery planning, including the replication of critical services and network configuration adjustments. Disaster Recovery and Business Continuity Planning (DRBCP): This resource outlines best practices for ensuring that operations can continue at an alternate site during a disaster, including the replication of essential services and network stability measures. By ensuring that critical services like DNS and control systems for pumps are replicated at the alternate site, and by addressing network routing issues through proper BGP configuration, the organization can maintain operational continuity and minimize the impact of natural disasters on their operations.