Preventing Zero-day Exploits and Ransomware Attacks

Best Prevention for Rapidly Infecting Computers with Unknown Vulnerabilities


Question

A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol to rapidly infect computers.

Once infected, computers are encrypted and held for ransom.

Which of the following would BEST prevent this attack from reoccurring?

A. Configure the perimeter firewall to deny inbound external connections to SMB ports.

B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections.

C. Deny unauthenticated users access to shared network folders.

D. Verify computers are set to install monthly operating system updates automatically.

Answer: A.

Explanations

The best approach to prevent a zero-day exploit that uses an unknown vulnerability in the SMB network protocol would be to limit access to the protocol itself.

Option A, configuring the perimeter firewall to deny inbound external connections to SMB ports, is the most effective approach in this case. This would block any unauthorized access to SMB ports from external sources, such as the internet. This would prevent the attacker from exploiting the vulnerability in the SMB protocol, as they would not be able to establish a connection to the SMB port.

Option B, ensuring endpoint detection and response systems are alerting on suspicious SMB connections, is a useful technique for detecting and responding to attacks, but it would not prevent the attack from occurring. Endpoint detection and response systems can detect suspicious activity, but if the exploit is a zero-day, it may not be detected until it is too late.

Option C, denying unauthenticated users access to shared network folders, would limit the potential damage of the attack, but it would not prevent the attack from occurring. The attack would still be able to propagate throughout the network, and any authenticated users could still be affected.

Option D, verifying computers are set to install monthly operating system updates automatically, would not prevent the attack from occurring. The attack is exploiting an unknown vulnerability in the SMB protocol, so installing updates would not prevent the attack from exploiting the vulnerability.

In summary, the best approach to prevent the reoccurrence of the attack is to configure the perimeter firewall to deny inbound external connections to SMB ports.
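To make the reasoning behind option A concrete, here is a small policy evaluator (added for this explanation, not part of the original question) that models "deny inbound external connections to SMB ports" and runs it over a few constructed connection attempts. It assumes the RFC 1918 ranges are the internal address space and uses the well-known SMB/NetBIOS ports; note that an internal-to-internal SMB connection still passes, which is why the perimeter rule stops the initial infection from outside but not lateral spread once a host inside is compromised.

```python
import ipaddress
from typing import NamedTuple

# Well-known SMB/NetBIOS listener ports: 445/tcp (direct SMB), 139/tcp (SMB over
# NetBIOS session service), 137/udp and 138/udp (NetBIOS name/datagram services).
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Assumed internal address space for this example: the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Conn(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def perimeter_decision(conn: Conn) -> str:
    """Option A as a rule: deny any SMB connection whose source is outside the
    internal address space and whose destination is inside it. Everything else
    is returned as 'pass' (left to the rest of the firewall policy)."""
    smb = (conn.proto.lower(), conn.dport) in SMB_PORTS
    inbound_external = not is_internal(conn.src) and is_internal(conn.dst)
    return "deny" if smb and inbound_external else "pass"


def evaluate(conns):
    """Return {conn: decision} for a batch of connection attempts."""
    return {c: perimeter_decision(c) for c in conns}


# Constructed sample connection attempts (documentation addresses, not real traffic).
SAMPLE = [
    Conn("203.0.113.7", "192.168.1.20", "tcp", 445),   # internet -> SMB: denied
    Conn("203.0.113.7", "192.168.1.20", "tcp", 139),   # internet -> NetBIOS session: denied
    Conn("203.0.113.7", "192.168.1.20", "udp", 137),   # internet -> NetBIOS name: denied
    Conn("203.0.113.7", "192.168.1.20", "tcp", 443),   # internet -> HTTPS: not an SMB port
    Conn("192.168.1.30", "192.168.1.20", "tcp", 445),  # internal -> internal SMB: passes
]

if __name__ == "__main__":
    for conn, decision in evaluate(SAMPLE).items():
        print(f"{decision:5} {conn.src} -> {conn.dst} {conn.proto}/{conn.dport}")
```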