Modify Enterprise Capabilities to Enhance Security
Firewalls, IDS/IPS, web and DNS filtering, email security (SPF+DKIM+DMARC), FIM, DLP, NAC, EDR/XDR, UEBA — the layered control set that turns a network into a defended environment.
4.5 is a catalog objective — the longest list in Domain 4. The exam does not ask you to memorize every knob; it asks you to match capability to need. “Block spoofed email from our own domain” → SPF + DKIM + DMARC. “Detect ransomware encrypting files” → EDR with behavioral rules. “Prevent an employee from copying PHI to a thumb drive” → endpoint DLP with device control. “Verify critical system files have not been tampered with” → FIM. Each capability solves a specific problem; when you read a question, identify the verb, then pick the control.
The hardest-tested pair is email authentication: SPF + DKIM + DMARC together. SPF alone does not stop spoofing, DKIM alone does not tell receivers what to do, DMARC alone has nothing to enforce — all three are required to actually defeat domain-spoofing phishing.
Firewall. The network-layer gatekeeper. Rules are ordered — first match wins, and the list ends with an implicit deny. Access lists (ACLs) are filters at layer 3/4. Ports/protocols: allow only what is needed, deny everything else. Screened subnet (DMZ): a segregated zone for public-facing services so the external attack surface does not touch internal networks.
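To make the ordering rule concrete, here is an added Python example (not from the page and not any vendor's firewall code) that evaluates an ordered ACL with first-match-wins and an implicit deny, and flags rules that are shadowed by an earlier, broader rule. The screened-subnet layout, the addresses and the rule set are constructed for illustration; the shadow check only considers one earlier rule at a time, not the union of several.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One layer-3/4 ACL entry. 'any' (or None for the port) matches everything."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None for any

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and (self.src == "any" or ip_address(src_ip) in ip_network(self.src))
                and (self.dst == "any" or ip_address(dst_ip) in ip_network(self.dst))
                and (self.dport is None or self.dport == dport))

def evaluate(rules, proto, src_ip, dst_ip, dport):
    """Walk the list top-down; the first matching rule decides.
    Returns (action, index), or ("deny", None) for the implicit deny at the end."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, idx
    return "deny", None

def _covers(outer_net, inner_net):
    """True if every address matched by inner_net is also matched by outer_net."""
    if outer_net == "any":
        return True
    if inner_net == "any":
        return False
    return ip_network(inner_net).subnet_of(ip_network(outer_net))

def shadows(earlier, later):
    """True if 'earlier' matches every packet 'later' could match, so 'later' never fires."""
    return ((earlier.proto == "any" or earlier.proto == later.proto)
            and _covers(earlier.src, later.src)
            and _covers(earlier.dst, later.dst)
            and (earlier.dport is None or earlier.dport == later.dport))

def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule is broader."""
    return [j for j in range(len(rules))
            if any(shadows(rules[i], rules[j]) for i in range(j))]

# Constructed screened-subnet policy (assumed addressing, not from the page):
# the DMZ hosts public services and must never initiate connections inward.
INTERNET, DMZ, INTERNAL = "0.0.0.0/0", "203.0.113.0/24", "10.0.0.0/8"
RULES = [
    Rule("deny",  "any", DMZ,      INTERNAL, None),  # DMZ -> inside blocked first
    Rule("allow", "tcp", INTERNET, DMZ,      443),   # public HTTPS to the DMZ web tier
    Rule("allow", "tcp", INTERNAL, DMZ,      22),    # admin SSH from inside only
]
# Same intent with the rules in the wrong order: the broad allow hides the deny.
MISORDERED = [
    Rule("allow", "any", INTERNET, "any",    None),
    Rule("deny",  "any", DMZ,      INTERNAL, None),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", "203.0.113.10", 443))   # ('allow', 1)
    print(evaluate(RULES, "tcp", "203.0.113.10", "10.1.2.3", 445))       # ('deny', 0)
    print(evaluate(RULES, "udp", "198.51.100.7", "203.0.113.10", 53))    # ('deny', None)
    print(shadowed_rules(MISORDERED))                                     # [1]
```

The third evaluation hits no rule at all and falls through to the implicit deny; the MISORDERED list shows why rule order is a control in its own right: the deny is still present but unreachable, so DMZ-to-internal traffic is allowed.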
IDS / IPS. Detection vs prevention on network traffic. Signatures match known-bad patterns — updated continuously. Trend/anomaly detection baselines normal and alerts on deviation. IDS alerts only (passive); IPS blocks in-line (active). Anomaly-based can catch novel attacks but generates more false positives.
Web filter. Controls outbound HTTP(S). Modes: agent-based (endpoint agent inspects traffic), centralized proxy (all traffic flows through a forward proxy like Zscaler, Umbrella, Proofpoint). Techniques: URL scanning (reputation + category), content categorization (block adult, gambling, malware), block rules (allow-list / block-list), reputation scoring (dynamic based on observed source behavior).
Operating system security. Group Policy (GPO) — centralized Windows configuration (password policy, restricted admin, software restriction). SELinux / AppArmor — Linux mandatory access control; confines processes even if compromised. A compromised nginx under SELinux still cannot read /etc/shadow without an explicit policy allowing it.
Secure protocols — substitution table.
- HTTP → HTTPS (443, TLS)
- FTP → SFTP (22) or FTPS (990 implicit, 21 explicit)
- Telnet → SSH (22)
- SMTP → SMTPS / STARTTLS (465 / 587)
- POP3 → POP3S (995); IMAP → IMAPS (993)
- LDAP → LDAPS (636) or STARTTLS-wrapped LDAP
- DNS → DNS-over-HTTPS / DNS-over-TLS (privacy + integrity)
DNS filtering. Block malicious domains at resolution time. Umbrella, Quad9, internal RPZ. Stops malware before C2 is established and blocks phishing sites before the user reaches them.
Email security. The anti-spoof stack.
- SPF (Sender Policy Framework) — DNS TXT record listing IPs authorized to send for your domain. Receivers check the envelope sender against the record.
- DKIM (DomainKeys Identified Mail) — outbound mail is cryptographically signed; receivers verify the signature using a public key published in DNS. Proves the message was sent by an authorized server and was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — policy layer. Tells receivers what to do when SPF or DKIM fails: none (report only), quarantine (spam folder), reject (bounce). Also provides aggregate reporting so you can see who is sending as you.
- Secure email gateway — Proofpoint, Mimecast, Microsoft Defender for O365. Sandboxing of attachments, URL rewriting, content inspection, spoof detection.
All three (SPF + DKIM + DMARC) are required to defeat outbound domain spoofing. SPF alone misses forwarded mail; DKIM alone does not tell receivers what to do; DMARC with no SPF/DKIM has nothing to enforce.
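The interaction between the three controls is easiest to see from the receiver's side. The following is an added Python example (not from the page) that parses a DMARC record and applies the DMARC decision to a message given the SPF and DKIM results a receiving MTA would already have. The domains, records and message scenarios are constructed; the organizational-domain logic is a simplification (last two labels) and real receivers use the Public Suffix List.

```python
from dataclasses import dataclass

@dataclass
class AuthResults:
    """What a receiving MTA knows after running SPF and DKIM on one message."""
    header_from: str    # domain in the visible From: header (what DMARC protects)
    spf_result: str     # "pass" / "fail" / "none"
    spf_domain: str     # envelope (MAIL FROM) domain SPF was evaluated against
    dkim_result: str    # "pass" / "fail" / "none"
    dkim_domain: str    # d= tag of the verified signature, "" if unsigned

def parse_dmarc_record(txt):
    """Parse the TXT record at _dmarc.<domain>, e.g. 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels. Real receivers use
    the Public Suffix List; this shortcut is an assumption of the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    """Alignment ties the SPF/DKIM domain to the visible From: domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_disposition(record, r):
    """DMARC passes if EITHER SPF or DKIM passes AND is aligned with From:.
    Otherwise the published p= tag decides what the receiver does."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, record["adkim"])
    return "pass" if (spf_ok or dkim_ok) else record["p"]

# Constructed scenarios for brand.example (not real DNS data).
REJECT  = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc-rua@brand.example")
MONITOR = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc-rua@brand.example")
DIRECT        = AuthResults("brand.example", "pass", "brand.example", "pass", "brand.example")
FORWARDED     = AuthResults("brand.example", "fail", "brand.example", "pass", "brand.example")  # SPF breaks, DKIM survives
SPOOFED       = AuthResults("brand.example", "fail", "attacker.example", "none", "")
ESP_UNALIGNED = AuthResults("brand.example", "pass", "mail.esp.example", "none", "")   # SPF passes for the wrong domain

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("forwarded", FORWARDED),
                      ("spoofed", SPOOFED), ("esp", ESP_UNALIGNED)]:
        print(name, "p=reject ->", dmarc_disposition(REJECT, msg),
              "| p=none ->", dmarc_disposition(MONITOR, msg))
```

The four scenarios map onto the page's three failure modes: the forwarded message fails SPF but still passes because DKIM is aligned; the ESP message passes SPF for its own domain yet is rejected because SPF alone says nothing about the visible From:; and under p=none the spoofed message is delivered exactly as it would be with no DMARC at all.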
File Integrity Monitoring (FIM). Hashes critical files at a known-good baseline and alerts on change. Tripwire, OSSEC, Wazuh, Windows Defender FIM. FIM tells you a file changed — it does not protect the file’s contents. It is a detection, not a confidentiality control.
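A minimal FIM loop, as an added Python example (not from the page and not Tripwire, OSSEC or Wazuh code): hash every file under a tree into a baseline, re-scan later, and report what was added, deleted or modified. The directory tree and the changes made to it are constructed inside a temporary directory so the block runs anywhere.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Classify drift since the baseline. This only tells you THAT a file changed."""
    return {
        "added":    sorted(set(current) - set(baseline)),
        "deleted":  sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo():
    """Constructed scenario: snapshot a fake etc/ tree, change it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # A real agent stores the baseline off-host or signs it: whoever can
        # rewrite the baseline can hide changes. Serialize it to show the shape.
        saved = json.dumps(baseline, sort_keys=True)

        # Simulated drift: one file edited, one removed, one created.
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("svc-backup:x:1001:1001::/home/svc-backup:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")

        return compare(json.loads(saved), build_baseline(root))

if __name__ == "__main__":
    print(demo())
    # {'added': ['etc/cron.d/nightly'], 'deleted': ['etc/hosts'], 'modified': ['etc/passwd']}
```

Note what the report does not contain: the new contents of passwd. That is the point made above; FIM is a detection control, and the confidentiality and integrity of the file itself still depend on permissions and access control.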
Data Loss Prevention (DLP). Content-aware egress control. Three deployment points: endpoint DLP (agent inspects copy/paste, USB writes, cloud sync), network DLP (inspects email, web uploads, FTP), cloud DLP (inspects SaaS traffic). Classification drives policy: block SSNs leaving the network, quarantine PHI in outbound email, alert on source code going to personal Dropbox.
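Content-aware egress control reduces to two tables: classifiers that label the content and a policy that maps (classification, channel) to an action. The following added Python example (not from the page, not a vendor rule set) implements that for the three cases named above. The SSN check follows the SSA issuance rules so obviously invalid numbers do not cause false blocks; the PHI pattern (an MRN identifier) and the source-code heuristic are illustrative assumptions.

```python
import re

# Constructed classifiers. Patterns are illustrative, not a product's rule set.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE)
CODE_LINE_RE = re.compile(r"^\s*(def |class |import |from \S+ import |#include|return )")

def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def mask_ssn(ssn):
    return "***-**-" + ssn[-4:]     # never write the full value into an alert

def classify(text):
    """Return [(label, evidence)] in a fixed order so decisions are deterministic."""
    findings = []
    ssns = [m for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    if ssns:
        findings.append(("ssn", [mask_ssn(m.group(0)) for m in ssns]))
    mrns = MRN_RE.findall(text)
    if mrns:
        findings.append(("phi", len(mrns)))
    code_lines = sum(1 for line in text.splitlines() if CODE_LINE_RE.match(line))
    if code_lines >= 3:
        findings.append(("source_code", code_lines))
    return findings

# Policy: (classification, channel) -> action; "*" means any channel.
POLICY = {
    ("ssn", "*"):                  "block",
    ("phi", "email"):              "quarantine",
    ("source_code", "cloud_sync"): "alert",
}
SEVERITY = {"allow": 0, "alert": 1, "quarantine": 2, "block": 3}

def action_for(label, channel):
    return POLICY.get((label, channel)) or POLICY.get((label, "*")) or "allow"

def inspect(text, channel):
    """The most severe action across all classifications wins."""
    findings = classify(text)
    actions = [action_for(label, channel) for label, _ in findings]
    decision = max(actions, key=SEVERITY.__getitem__, default="allow")
    return decision, [label for label, _ in findings]

if __name__ == "__main__":
    print(inspect("Claim for SSN 123-45-6789, MRN: 0048213", "email"))      # ('block', ['ssn', 'phi'])
    print(inspect("Patient MRN 0048213 follow-up scheduled", "usb"))        # ('allow', ['phi'])
```

The second call is the instructive one: PHI is recognised on the USB channel but no policy row covers it, so the default allow applies. A production policy needs a wildcard row per sensitive class (or a default-deny) so that a classification hit never falls through silently.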
Network Access Control (NAC). Pre-admission device posture check (AV installed? OS patched? encryption enabled?) before granting access. 802.1X is the port-authentication protocol; NAC is the broader policy system that includes posture, quarantine VLAN, remediation portal.
EDR / XDR. Behavior-based endpoint detection with response actions (isolate host, kill process, roll back changes). XDR extends correlation across endpoints, network, identity, and cloud. Covered in 4.4; appears in 4.5 because it is also a capability you modify (tune policies, rule sets, response playbooks).
User Behavior Analytics (UBA / UEBA). Baseline user activity; alert on deviations like impossible travel, privilege anomalies, data-volume spikes, off-hours admin use. Primary detection for insider threat and compromised credentials — the signal that “a valid user is behaving unusually.”
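Two of the deviations listed above, impossible travel and a data-volume spike, are simple enough to compute by hand. The following added Python example (not from the page) does both: it pairs consecutive logins per user and flags any pair that would require faster-than-airliner travel, and it scores today's transfer volume against the user's own recent baseline. The login events, coordinates and thresholds (900 km/h, 50 km jitter allowance, z > 3) are constructed assumptions to tune per environment.

```python
import math
import statistics
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Login:
    user: str
    ts: datetime     # timezone-aware UTC
    lat: float
    lon: float
    where: str       # geo-IP city label, used only in the alert text

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=900.0, min_km=50.0):
    """Consecutive logins by the same user that would require moving faster than
    max_kmh (about airliner speed). Pairs closer than min_km are ignored to absorb
    geo-IP jitter inside one metro area. Both thresholds are assumptions."""
    alerts = []
    by_user = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append((user, a.where, b.where, round(km), round(speed)))
    return alerts

def volume_spike(baseline_mb, today_mb, z_threshold=3.0):
    """Flag a transfer volume far outside the user's own recent daily baseline."""
    mean = statistics.mean(baseline_mb)
    sd = statistics.stdev(baseline_mb)
    if sd == 0:
        z = math.inf if today_mb > mean else 0.0
    else:
        z = (today_mb - mean) / sd
    return z > z_threshold, round(z, 1)

def t(hour, minute=0):
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)

# Constructed login events; coordinates are approximate city centres.
LOGINS = [
    Login("alice", t(9),      41.88, -87.63, "Chicago"),
    Login("alice", t(11),      1.35, 103.82, "Singapore"),   # 2 h later, ~15,000 km away
    Login("bob",   t(9),      41.88, -87.63, "Chicago"),
    Login("bob",   t(10, 30), 43.04, -87.91, "Milwaukee"),   # ~130 km in 90 min: plausible
    Login("carol", t(9),      40.71, -74.01, "New York"),
    Login("carol", t(17),     51.51,  -0.13, "London"),      # ~5,600 km in 8 h: a flight
]
WEEK_MB = [120, 95, 130, 110, 105, 140, 100]   # constructed 7-day baseline for one user

if __name__ == "__main__":
    print(impossible_travel(LOGINS))       # only alice: Chicago -> Singapore
    print(volume_spike(WEEK_MB, 4200))     # (True, large z)
    print(volume_spike(WEEK_MB, 150))      # (False, ~2.2)
```

Carol's New York to London pair is the false-positive control: 5,600 km in eight hours is ordinary air travel and must not fire, which is why the detection is framed as a speed threshold rather than a distance threshold.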
| Need | Primary Capability | Why |
|---|---|---|
| Stop spoofed email pretending to be our domain | SPF + DKIM + DMARC (all three) | Each alone is insufficient |
| Block known-bad domains at resolution time | DNS filter (Umbrella, Quad9, RPZ) | Stops C2 and phishing before connection |
| Detect modification of critical system files | FIM | Hash comparison against baseline |
| Prevent PHI from leaving the network | DLP (endpoint + network) | Content-aware egress control |
| Gate devices at the port based on posture | NAC + 802.1X | Pre-admission posture check |
| Detect ransomware encrypting files on a laptop | EDR (behavioral) | Signature AV misses novel variants |
| Spot compromised-credential behavior | UEBA | Baseline deviation (impossible travel, data spikes) |
| Confine a compromised process on Linux | SELinux / AppArmor | Mandatory access control |
| Central enforcement of Windows configs | Group Policy (GPO) | Domain-wide policy |
| Block access to gambling/adult sites | Web filter with categorization | Category-based policy |
| Email Control | Role | Failure Mode Alone |
|---|---|---|
| SPF | Lists authorized sending IPs in DNS | Breaks on forwarding; no integrity proof |
| DKIM | Cryptographic signature on the message | No receiver policy; does not stop display-name spoofing alone |
| DMARC | Policy for what receivers do when SPF/DKIM fails; aggregate reports | Nothing to enforce without SPF/DKIM |
| Secure email gateway | Sandboxing, URL rewriting, anomaly detection | Does not replace authentication stack |
| Insecure | Replace With | Default Port |
|---|---|---|
| HTTP | HTTPS (TLS) | 443 |
| FTP | SFTP / FTPS | 22 / 990 |
| Telnet | SSH | 22 |
| SMTP (cleartext) | SMTPS / STARTTLS | 465 / 587 |
| POP3 / IMAP | POP3S / IMAPS | 995 / 993 |
| LDAP | LDAPS | 636 |
| DNS cleartext | DNS-over-HTTPS / DNS-over-TLS | 443 / 853 |
4.5 is a match-the-tool objective. Memorize the verbs: “block spoof” → SPF+DKIM+DMARC; “detect behavioral malware” → EDR; “prevent data exfil” → DLP; “posture devices at port” → NAC; “detect insider anomaly” → UEBA. Then the scenarios collapse into one-step lookups.
A retail brand’s customers are receiving phishing emails that pretend to be from campaigns@brand.com with convincing promo messaging and links to credential-harvest sites. The CMO demands action before the holiday push. The brand has SPF (partial), no DKIM, and no DMARC published. Abuse reports are flooding customer service.
Domain spoofing — holiday-season phishing targeting customers
Retail · brand impersonation · no DMARC
DMARC rollout must be staged, not flipped. Publish at p=none first, use aggregate reports to find every legitimate sending source, authorize each one in SPF or DKIM, then move to quarantine and finally reject. DNS filtering against known phishing domains is a bridge during the rollout. The end-state is DMARC reject + monitored reports.
DMARC is the single highest-leverage email control, and it is chronically under-deployed. A major brand without DMARC reject is shipping customer trust into a fire. The security engineer who can run a DMARC rollout without breaking marketing is worth their weight.
On the exam: “block spoofed mail from our domain” → SPF + DKIM + DMARC, all three. One alone is not enough.
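The staged rollout turns on reading the aggregate (RUA) reports that p=none produces. The following added Python example (not from the page, not a vendor tool) parses a constructed report in the RFC 7489 Appendix C layout, buckets each sending source, and answers the two questions the rollout needs: which legitimate-looking sources still have to be authorized, and how much volume a stricter policy would act on. The report contents, IPs (documentation ranges) and domains are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report: one authenticated source, one marketing ESP that
# passes SPF for its own domain but is not aligned with brand.example, and one
# high-volume source that fails everything.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.example</domain><result>pass</result></dkim>
      <spf><domain>brand.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>850</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>mail.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>40000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results><spf><domain>brand.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def parse_rua(xml_text):
    """Return (published policy, one dict per <record>) with the aligned results
    and the raw SPF domain so unaligned-but-passing senders stand out."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    published = {"domain": policy.findtext("domain"), "p": policy.findtext("p")}
    rows = []
    for rec in root.findall("record"):
        spf = rec.find("auth_results/spf")
        dkim = rec.find("auth_results/dkim")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "aligned_spf": rec.findtext("row/policy_evaluated/spf") == "pass",
            "aligned_dkim": rec.findtext("row/policy_evaluated/dkim") == "pass",
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_result": spf.findtext("result") if spf is not None else None,
            "dkim_domain": dkim.findtext("domain") if dkim is not None else None,
        })
    return published, rows

def triage(xml_text):
    """Bucket each source: 'authenticated'; 'unaligned_pass' (passes SPF for its own
    domain but is not authorized for ours, usually a legitimate third party that
    still needs DKIM or an SPF include); or 'failing'."""
    published, rows = parse_rua(xml_text)
    sources = {}
    for r in rows:
        if r["aligned_spf"] or r["aligned_dkim"]:
            status = "authenticated"
        elif r["spf_result"] == "pass":
            status = "unaligned_pass"
        else:
            status = "failing"
        sources[r["source_ip"]] = {"count": r["count"], "status": status,
                                   "spf_domain": r["spf_domain"]}
    return published, sources

def rollout_readiness(xml_text):
    """Before tightening p=, every unaligned_pass source must be fixed; the report
    also shows what share of volume a stricter policy would act on."""
    published, sources = triage(xml_text)
    total = sum(s["count"] for s in sources.values())
    to_fix = [(ip, s["spf_domain"]) for ip, s in sources.items() if s["status"] == "unaligned_pass"]
    failing = sum(s["count"] for s in sources.values() if s["status"] == "failing")
    return {
        "current_policy": published["p"],
        "sources_to_authorize": to_fix,
        "failing_share": round(failing / total, 3) if total else 0.0,
        "ready_to_tighten": not to_fix,
    }

if __name__ == "__main__":
    print(rollout_readiness(SAMPLE_RUA))
```

Here the ESP at 192.0.2.25 is the marketing sender that a flipped-to-reject policy would silently break; it has to get a DKIM signature under brand.example (or an SPF include) before the move to quarantine. The 95% failing share is the spoofing volume that p=reject will finally stop.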
A small-business IT lead is selecting endpoint protection for 200 laptops. The existing tool is signature-based AV with a 10-year reputation. The CISO is pushing for EDR. Budget permits one primary endpoint tool. Which is the better fit for the modern threat landscape?
Keep signature-based AV; add a scheduled full scan weekly
Lower cost, familiar workflow, relies on vendor signatures for coverage.
Replace with EDR (behavioral + signature + response actions)
Behavior-based detection, process-tree analysis, isolate/rollback actions, higher cost and alerting load.
Option B fits better — behavioral detection is now the baseline
Option B: Modern ransomware, fileless attacks, and living-off-the-land techniques regularly evade signature AV. EDR adds behavior-based detection (rapid encryption, credential dumping, LOLBin execution patterns) and response actions (isolate host, kill process tree, roll back). The alerting load is real; it is a workload the security program must invest in — either in-house or via a managed detection and response (MDR) provider.
Option A’s kernel of truth: Signature AV is cheaper and quieter. It is also the reason many organizations are breached by malware that does not appear in any signature feed.
On the exam: “detect ransomware” / “behavioral malware” / “fileless” → EDR. Plain AV is a supporting control, not the primary.
4.5 is pattern recognition. Read the verb in the stem — “detect behavior,” “block spoofed email,” “prevent data leaving,” “verify file integrity,” “posture devices at the port,” “confine compromised process,” “baseline user activity” — and the capability falls out. The only stack that requires all three pieces is email anti-spoof: SPF + DKIM + DMARC.
- A. SPF only with a hard fail policy
- B. SPF + DKIM + DMARC with a staged rollout to p=reject
- C. A banner on the website telling customers to be careful
- D. DKIM only because it cryptographically signs the message
Correct: B. All three layers are required: SPF lists authorized senders, DKIM signs messages, DMARC tells receivers what to do when SPF/DKIM fail. Stage the DMARC rollout through none → quarantine → reject.
Source: CompTIA SY0-701 Objectives v5.0 — 4.5
- A. A firewall rule
- B. SELinux (or AppArmor) in enforcing mode with a tailored policy
- C. Antivirus signature update
- D. File integrity monitoring
Correct: B. Mandatory access control (SELinux/AppArmor) confines processes to declared access paths regardless of user privilege. FIM detects changes after the fact; firewall is network-layer.
Source: CompTIA SY0-701 Objectives v5.0 — 4.5
- A. Web filter category rules
- B. User and Entity Behavior Analytics (UEBA)
- C. Firewall ACL
- D. File integrity monitoring
Correct: B. UEBA baselines user activity and flags deviations — the canonical control for compromised-credential and insider-threat detection.
Source: CompTIA SY0-701 Objectives v5.0 — 4.5