An it security manager requests a report on company informat - CompTIA Security+ SY0-701
Question
An IT security manager requests a report on company information that is publicly available. The manager's concern is that malicious actors will be able to access the data without engaging in active reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?
Answers
-
correct
-
-
-
Explanation
Correct Answer A. Provide a domain parameter to theHarvester tool.
theHarvester is a reconnaissance tool that gathers publicly available information, such as email addresses, subdomains, and other data related to a specific domain. By providing the domain parameter to theHarvester, the IT security manager can efficiently gather information that is publicly accessible about the company without actively engaging in more intrusive techniques. This approach allows the manager to identify any potential data exposure that could be exploited by malicious actors.
Reasons the other options are incorrect:
- Check public DNS entries using dnsenum: dnsenum is another tool used for DNS enumeration and discovering information such as subdomains, DNS records, and IPs related to a domain. While useful, it is more focused on DNS records and does not provide the broad range of publicly available information, such as email addresses, that theHarvester can gather.
- Perform a Nessus vulnerability scan targeting a public company’s IP: A Nessus vulnerability scan is designed to identify vulnerabilities in a system. However, running a vulnerability scan on public IP addresses without permission could be considered unethical or even illegal. It also doesn't directly focus on analyzing publicly available information.
- Execute nmap using the options: scan all ports and sneaky mode: nmap is a network scanning tool that can identify open ports and services on a target machine. The "sneaky mode" is used to minimize detection, but scanning ports and services is a form of active reconnaissance and not the most efficient or non-intrusive way to gather publicly available information. It also does not directly address the concern of finding data that is publicly available through passive methods.
No Payment Cards Needed
