Exam SY0-601 topic 1 question 566 discussion

lol what a bad question. improper error handling is the issue here. but error handling has already been enabled. its just that it is of a bad design. We should be able to note down bad questions asked during the exam and request for an official response from COMPTIA. I am just going to protest the bad language and pick C.

The matter is that the error is not generic, instead of 'user does not exist', which is a tell in favor of the attacker, it should better be 'incorrect credentials' or smth that do not distinguish between a wrong username and a wrong password. C. Error Handling

C. Error handling. By improving error handling, the system can provide generic error messages that do not reveal whether a username exists or not. This prevents attackers from gaining information about valid usernames, which is crucial in defending against credential harvesting attacks.

D. Username lockout. Enabling username lockout functionality would prevent attackers from performing brute force attacks by locking out user accounts after a certain number of failed login attempts. This helps protect against credential harvesting and brute force attacks by slowing down or preventing automated attempts to guess passwords. Options A, B, and C may provide additional security measures, but they do not directly address the issue of preventing brute force attacks and credential harvesting. Therefore, enabling username lockout would be the most effective recommendation in this context.

C is wrong here's why. Error handling mean that when a pop up shows up on a web browser application, it gives too much detail that attackers can use to attack the application. The correct answer should be input validation b/c you need to validate the input to prevent SQL injections.

"multiple attempts of random usernames and password" implies that Account Lockout Policy is not in place. A GPO policy to lock any/every account after (max, 2) attempts would better take care of brute-force attacks. So, option D is the right one. Even if the Error Handling part were more discrete in giving away info about valid/invalid usernames, once the attacker receives say, a "bad credentials error" message, he would just randomize and keep trying different combos until he succeeds.

in my opinion a system is giving away too much information to an attacker by saying username do not exist. why not simply just lockout to prevent the attacks to happen.

Most important part of the question, as badly worded as it is, is that the attacker is trying to do CREDENTIAL HARVESTING, not a brute-force attack. The only thing that mitigates CREDENTIAL HARVESTING is better error handling, so that the attacker does not learn which usernames are legitimate.

From Bard I selected D over error handling because username lockout is a more specific and effective countermeasure against credential harvesting attacks. Error handling is important for security, but it is not specifically designed to prevent credential harvesting attacks. Error handling involves displaying helpful messages to users when they make mistakes. For example, an error handling message might tell a user that they have entered an invalid username or password. However, this type of message can also provide attackers with information about valid usernames and passwords. For example, if the error message says "The username you entered does not exist", the attacker knows that the username is not valid. They can then move on to trying other usernames until they find one that is valid.

The analyst should recommend enabling **C. Error handling**. The message "The username you entered does not exist" gives away too much information and could aid an attacker in their attempts to gain unauthorized access. A better approach would be to use a generic error message such as "Invalid username or password." This way, the application does not reveal whether it was the username, the password, or both that were incorrect, making it harder for an attacker to guess valid credentials.

Username lockout is a security measure that prevents an attacker from repeatedly trying to log in with invalid credentials. When a user enters an invalid username or password, the system will lock the account for a period of time. This prevents the attacker from trying the same username and password over and over again.

The issue here is the attacker knows for certain that a user doesn't exist when the error pops and knows it is pointless to put in more passwords. It allows them to better target their attack. This is thus an issue with the pop up related to error handling.

It's C. You're not supposed to give out too much details when error handling, now the attacker knows that username exists in the database.

I have to go with D. Error handling is already enabled, so I don't think that can be right.

The more of these questions I read, the more I feel like they are AI generated. But bad AI, not even ChatGPT.

I hope for god i dont see this nasty ass question. I am reading below and you guys are all over the place

Error Handling seems right. They should change the output so the attacker can't use the error to find out valid usernames. Username lockout is not correct because the attacker only has to try a username once to find out if it exists, so a lockout after X number of tries would still let the attacker gather all valid usernames.