Unnecessary open ports and services are common elements that contribute to weak configurations so it’s important to close ports that aren’t needed and disable unnecessary services.

A network-based intrusion detection system (NIDS) helps protect internal systems, but a NIDS would not be installed on the server and administrators are tasked with checking the server.

Unsecured root accounts indicate a weak configuration. If root accounts are disabled, enabling them won’t increase security on the server.

Secure Sockets Layer (SSL) is a weak encryption protocol and should not be implemented on servers.

A sandbox provides a simple method of testing updates. It provides an isolated environment and is often used for testing.

A baseline configuration is a starting point of a computing environment.

Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented.

Network administrators have identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to run hping3 via remote websites. After comparing the computer with a list of applications from the master image, they verify this application is likely the problem.

What allowed them to make this determination?

The master image is the baseline, and the administrators performed integrity measurements to identify baseline deviations. By comparing the list of applications in the baseline with the applications running on the suspect computer, it's possible to identify unauthorized applications.

None of the other answers include the troubleshooting steps necessary to discover the problem.

Version control tracks software version as software is updated.

A sandbox is an isolated are of a system, typically used to test applications.

A blacklist is a list of prohibited applications

Enforcing an application allow list (sometimes called an application whitelist) would prevent this. An application allow list identifies the only applications that can be installed on a computer and would not include a malicious remote access tool (RAT).

An application block list identifies applications to block, but malware changes so often, this wouldn’t help.

Code signing verifies code is valid and hasn’t been modified.

A bring your own device (BYOD) policy identifies mobile devices employees can buy and connect to a network but is unrelated to this question.

A data loss protection (DLP) system typically monitors outgoing traffic and wouldn’t stop a user from installing a malicious application.

Self-encrypting drives (SEDs) are the best solution. SEDs have encryption circuitry built into the drive. They encrypt and decrypt data without user interaction, though it's common to require personnel to use credentials to unlock the SED when booted.

A data loss prevention (DLP) solution typically monitors outgoing traffic to prevent confidential information from getting outside the organization.

A hardware security module (HSM) is used to manage, generate, and store cryptographic keys. It's generally used on a network instead of on laptops.

Mobile device management (MDM) refers to technologies used to manage mobile devices.

A remote attestation process checks a computer during the boot cycle and sends a report to a remote system. The remote system attests or confirms that the computer is secure.

None of the other answers sends data to a remote system.

A Trusted Platform Module (TPM) is a hardware chip on a motherboard and provides a local secure boot process.

A TPM includes an encryption key burned into the CPU, which provides a hardware root of trust. Tokenization replaces sensitive data with a token or substitute value, and this token can be used in place of the original data.

Blocking write capabilities to removable media is the best choice. This can be done with a data loss prevention (DLP) solution on all computers. Training employees might help, but it won’t stop an insider threat.

Monitoring firewall logs might detect data exfiltration out of the network, but it won’t monitor the use of external storage devices.

A network-based DLP solution might detect and stop data exfiltration out of the network, but it would stop users from copying data to removable media.