Exam CAS-004 topic 1 question 366 discussion

D. Adding MFA to all accounts Adding Multi-Factor Authentication (MFA) to all accounts enhances security by requiring users to provide multiple forms of identification before gaining access. This can significantly reduce the risk of unauthorized access, even if passwords are compromised or the password reset system is abused.

C. Implementing a new password reset system. This directly addresses the root cause. If the existing system is poorly secured or easily abused, replacing it with a more secure version that includes verification steps (like tokens, CAPTCHA, rate limiting, etc.) can stop the attack. While MFA enhances security during login, it does not necessarily protect or secure the password reset process itself, especially if the attack is occurring without user authentication.

MFA is more robust that simply implementing another password policy.

It's obviously B because the scenario suggests a potential brute force or credential stuffing attack targeting the password reset system. Account lockout will prevent bulk/automated attempts from being made. Why Other Options Are Less Effective: A. Including input sanitization to the logon page: While input sanitization is critical for preventing SQL injection and other input-based attacks, it does not address the problem of excessive storage use or automated password reset attempts. C. Implementing a new password reset system: Simply replacing the password reset system without addressing the underlying issue (e.g., lack of rate limiting or account lockout) does not mitigate the attack. D. Adding MFA to all accounts: MFA strengthens account authentication but does not prevent attackers from spamming the password reset system. This could still lead to excessive storage usage and potentially disrupt the system.

The significant increase in storage use suggests that the existing password reset system may be vulnerable to abuse, possibly due to being overly simple or lacking sufficient security measures. Implementing a more secure password reset system can help address this vulnerability.

D. Going with MFA, the most sense to me is the users could be sharing their storage....but too many assumptions to have a possible answer.

I am going to make couple assumptions here. 1. the storage increase is due to the excessive logs when a bot keeps spamming the reset webpage with requests 2. then having or not having MFA wont matter much as the MFA token could also be spammed, just like the password. 3. Captcha would help as no transaction to the db system will happen until the captcha is correct. 4. To implement captcha the need to do C.

I'm not a big fan of this question either, but I could actually make a case for "B". If users can reset their password an unlimited amount of times without their account being locked, then the storage will constantly fill up. If after 5 attempts, a user's account locks, then the user will have to contact an admin who will provide a temporary password, which when used will (if configured) force the user to create a new password. This example would only have 6 (or 7 if including temp pw) password resets that will be included in storage. If not B, then I'd go C as well.

Of all the questions on this site, I hate this one the most. Why is the storage filling up? Is it because of many failed reset attempts (lets get a new p/w reset system). is it because attackers can get in through it somehow (lets add MFA). ugh...C...

If the observed increase in storage use is linked to potential abuse of the password reset system, implementing a new and more secure password reset system with improved controls and monitoring can be an effective remediation step.

implementing a new password reset system is more of a vault answer not specific because it can still lead to same problem, but adding MFA is more of a solution than any other.

going with C. Having a password reset will prevent large amounts of attempts and stop the requests being sent in due to the configurations done on the password reset.

I feel like this question is poorly worded. Are they talking about the storage on the SaaS provided to users or are they talking about the storage on the password reset system? Given that the SaaS storage would be completely out of context unless they were talking about that storage being what is seeing the increase, I'm going to assume that is what they are referencing. Therefore I think MFA would be the best answer. If they are somehow taking advantage of the password reset system to obtain user passwords and then gaining access to the user's SaaS storage, MFA would stop them. They should also replace the password reset system because it is letting user's passwords be compromised but user passwords can become compromised in many ways. MFA should be a higher priority.

C. Implementing a new password reset system. The current password reset system appears to be a potential vector for an attack, as it may be exploited to consume additional storage resources. By implementing a new, more secure password reset system, you can potentially address the storage abuse issue.

The significant increase in storage use could be due to an attack where an attacker is trying to exploit the password reset system, possibly by flooding it with requests, which could be causing a lot of data to be stored. To remediate this attack, the organization should consider implementing a new password reset system © that includes protections against such attacks. For example, the new system could include measures like CAPTCHA to prevent automated attacks, rate limiting to prevent too many requests from the same IP address in a short period of time, and minimal data retention to reduce the amount of data stored.

A. Including input sanitization to the logon page. Explain: by sanitizing inputs, you can prevent malicious data from being inserted or uploaded to the system, which could be causing the unexpected increase in storage use.