The best two controls are C and E because the scenario has two distinct technical problems :
the biomedical devices are EOL and vulnerable to known CVEs , and
the attacker also used VLAN hopping .
Since the devices cannot be patched, replaced, or materially changed , the strongest response is to apply compensating network controls around them. That makes this primarily a Security Architecture question focused on segmentation and preventive controls . CompTIA’s official SecurityX CAS-005 objectives explicitly include “Network architecture: segmentation, microsegmentation…” and also list “proactive, detective, and preventative controls” as part of control strategy design.
Why C is correct:
Limiting trunking protocols to specific uplink ports of access switches directly addresses the VLAN hopping portion of the attack. VLAN hopping commonly succeeds when switch ports are incorrectly allowed to negotiate or carry trunk traffic where they should function only as access ports. Restricting trunking to designated uplinks reduces the chance that an attacker can pivot between VLANs by abusing switch behavior. This fits CompTIA’s official SecurityX objective area covering network segmentation and secure boundary enforcement.
Why E is correct:
Inserting an in-line IPS between network segments of the affected hosts is the strongest compensating control for the known CVE exploit traffic against EOL devices. Because the systems cannot be updated, an in-line IPS can actively inspect and block malicious payloads moving between segments. This is much more effective than passive monitoring alone because it is a preventive control, not just a detective one. CompTIA’s official SecurityX objectives specifically emphasize preventative controls and segmentation/microsegmentation , which is exactly what this design uses to protect unpatchable assets.
Why the other options are not the best answers:
A. IDS with active response from a network tap is weaker than an in-line IPS in this case. A network tap is out-of-band, so detection may help visibility, but it does not provide the same direct traffic-blocking capability as an in-line preventive control. In a hospital with unpatchable biomedical systems, prevention at segmentation boundaries is more effective than relying mainly on monitoring. CompTIA’s objectives distinguish between detective and preventative controls, and this scenario clearly favors prevention.
B. QoS limiting throughput does not address either root cause. Lower bandwidth does not stop CVE exploitation and does not prevent VLAN hopping. It may reduce traffic volume, but it is not a meaningful security mitigation for the attack described.
D. Adding a proxy and requiring staff authentication every connection is not the most effective answer because the compromise described is tied to device vulnerabilities and network segmentation weaknesses , not primarily to user authentication. It also may be operationally unsuitable for biomedical workflows.
F. Security awareness training is valuable in general, but it is not an effective primary control for exploit payloads against EOL medical devices or VLAN hopping . The problem is architectural and technical, so the answer must also be architectural and technical.
Official extract alignment:
A short official extract from CompTIA’s SecurityX CAS-005 objectives summary that supports this answer is: “Network architecture: segmentation, microsegmentation…” and “Cloud control strategies: proactive, detective, and preventative controls…” . Also, in CompTIA’s official SecurityX practice questions, CompTIA gives a related design pattern for constrained/embedded devices: “Operating IoT devices on a separate network with no access to other devices internally” , which reinforces isolation and segmentation as the preferred control approach for hard-to-modify devices.
[References:, CompTIA SecurityX (CAS-005) official certification page and exam objectives summary. , CompTIA SecurityX (V5) official practice questions, especially the separate-network control example for IoT devices., , ]
