Based on the provided authentication logs, we observe that User1 ' s accountexperienced multiple failed login attempts within a very short time span (at 8:01:23 AM on 12/15). This pattern indicates a potential brute-force attack or an attempt to gain unauthorized access. Here's a breakdown of why disabling User1 ' s account is the appropriate first step:
Failed Login Attempts: The logs show that User1 had four consecutive failed login attempts:
VM01 at 8:01:23 AM
VM08 at 8:01:23 AM
VM01 at 8:01:23 AM
VM08 at 8:01:23 AM
Security Protocols and Best Practices: According to CompTIA Security+ guidelines, multiple failed login attempts within a short timeframe should trigger an immediate response to prevent further potential unauthorized access attempts. This typically involves temporarily disabling the account to stop ongoing brute- force attacks.
Account Lockout Policy: Implementing an account lockout policy is a standard practice to thwart brute-force attacks. Disabling User1 ' s account will align with these best practices and prevent further failed attempts, which might lead to successful unauthorized access if not addressed.
References:
CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl
CompTIA Security+ Certification Exam Objectives
NIST Special Publication 800-63B: Digital Identity Guidelines
By addressing User1 ' s account first, we effectively mitigate the immediate threat of a brute-force attack, ensuring that further investigation can be conducted without the risk of unauthorized access continuing during the investigation period.

Understanding the Security Event:
Unauthorized usersgained access from non-production to production.
IAM policies were weak, allowingbulk user creation.
Vulnerability assessments were disabled, andpatching was delayed.
Logs were unavailable, making incident response difficult.
Why Options A, D, and E areCorrect:
A (Disable bulk user creation by IAM team)# Prevents unauthorized mass user account creation, which could beexploited by attackers.
D (Routine updates for endpoints & network devices)# Patch management ensuresvulnerabilities are not left open for attackers.
E (Ensure all security/network devices send logs to SIEM)# Helps withreal-time monitoring and detection of unauthorized activities.
Why Other Options Are Incorrect:
B (180-day log retention)# While log retention is good,real-time monitoring is the priority.
C (Review application allow list daily)# Reviewing itdaily is impractical. Regular audits are better.
F (Restrict production-to-non-production traffic)# The issue isunauthorized access, not traffic routing.
Reference:
CompTIA SecurityX CAS-005 Official Study Guide:IAM, Patch Management & SIEM Logging Best Practices NIST 800-53 (AC-2, AU-12):Audit Logging & Access Control

To meet the requirements of centrally managing configurations, pushing policies, remotely wiping devices, and maintaining an asset inventory, the best solution is to implement a Mobile Device Management (MDM) solution.
MDM Capabilities:
* Central Management: MDM allows administrators to manage the configurations of all devices from a central console.
* Policy Enforcement: MDM solutions enable the push of security policies and updates to ensure compliance across all managed devices.
* Remote Wipe: In case a device is lost or stolen, MDM provides the capability to remotely wipe the device to protect sensitive data.
* Asset Inventory: MDM maintains an up-to-date inventory of all managed devices, including their configurations and installed applications.
Other options do not provide the same comprehensive capabilities required for managing specialized endpoints.
References:
* CompTIA SecurityX Study Guide
* NIST Special Publication 800-124 Revision 1, "Guidelines for Managing the Security of Mobile Devices in the Enterprise"
* "Mobile Device Management Overview," Gartner Research

Best practice in CAS-005 network security design is to deploy:
* NIDS passively via a port mirror (SPAN port) to avoid introducing latency or failure points.
* NIPS inline in a strategic point, such as integrated with the main firewall, to actively block threats.This combination provides both visibility and active protection without overloading network paths.