CySA+ CS0-001 – Q. 358


An alert is issued from the SIEM that indicates a large number of failed logins for the same account name on one of the application servers starting at 10:20 a.m. No other significant failed login activity is detected. Using Splunk to search for activity pertaining to that account name, a security analyst finds the account has been authenticating successfully for some time and started to fail this morning. The account is attempting to authenticate from an internal server that is running a database to an application server. No other security activity is detected on the network. The analyst discovers the account owner is a developer who no longer works for the company. Which of the following is the MOST likely reason for the failed login attempts for that account?

A. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account
B. The host-based firewall is blocking port 389 LDAP communication, preventing the login credentials from being received by the application server
C. The license for the application has expired, and the failed logins will continue to occur until a new license key is installed on the application
D. A successful malware attack has provided someone access to the network, and failed login attempts are an indication of an attempt to privilege access to the application