
Exam SY0-601 topic 1 question 9 discussion

Actual exam question from CompTIA's SY0-601
Question #: 9
Topic #: 1

A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?

  • A. MFA
  • B. Lockout
  • C. Time-based logins
  • D. Password history
Suggested Answer: A

Comments

Ribeiro19
Highly Voted 2 years, 8 months ago
Selected Answer: A
It is the only one that obligates you to have more than a password to log in to the system.
upvoted 33 times
Papee
2 years, 6 months ago
Prevent users from using the exfiltrated account. MFA would better security, not prevent it.
upvoted 16 times
Skymaster8182
7 months, 3 weeks ago
You can’t “use” the account if you can’t log into it without the 2nd part of authentication. The problem with this question that I really hate is that it leads to 2 different answers, because it says “prevent use” but also talks about “policy”. Password history won’t do anything to prevent stolen credentials unless the policy being implemented instantly forces everyone to change their password “right now”; password history normally just means you can’t reuse the same password again after you are forced to change it, be it 30 days or 60 days later. MFA may not be a policy, but it instantly prevents the issue of stolen credentials being used to log in after MFA has been enabled. It’s a stupid catch-22 question, because MFA would fix the stolen credentials problem instantly. The moment the thieves use the password, a prompt for a token digit (or whatever the 2nd authentication is) will be requested. MFA would definitely prevent.
upvoted 14 times
STODDY69
Highly Voted 7 months, 3 weeks ago
Selected Answer: D
CompTIA Sec+ Objectives 3.7, Account policies:
- Password complexity
- Password history
- Password reuse
- Network location
- Geofencing
- Geotagging
- Geolocation
- Time-based logins
- Access policies
- Account permissions
- Account audits
- Impossible travel time/risky login
- Lockout
- Disablement
2FA is not an account policy; it has to be D.
upvoted 31 times
qulis
Most Recent 7 months, 3 weeks ago
Guys...Girls... D: Implementing a password history policy ensures that users cannot reuse their previous passwords when they are required to change them. This can help prevent users from cycling back to old passwords that may have been compromised. But from the question (COULD BE EXFILTRATED) the credentials have already been exfiltrated, and attackers potentially have access to current, valid passwords. That's why implementing MFA can immediately help protect accounts without waiting for users to change their passwords....
upvoted 2 times
rodwave
7 months, 3 weeks ago
Selected Answer: D
Answer: Password history - In this scenario, the report stated that some credentials could have been exfiltrated. This means that an unauthorized transfer of these credentials has occurred, possibly due to a security breach. Password history policies determine the number of unique new passwords that must be associated with a user's account before an old password can be reused, essentially forcing users to create new passwords on a regular basis. The report states that there are users that reuse the same credentials, and password history policies will be useful as users would have to create new unique passwords. MFA could be a preventative measure, as an attacker could have their credentials, but with MFA configured they would still need to have access to whatever other element(s) that user has configured for the MFA process. However, this option does not prevent an attacker from using the exfiltrated credentials, which is the primary concern in the scenario, so this doesn't directly address the issue, whereas password history policies would prevent previous passwords from being used after a password change.
upvoted 2 times
Proctored_Expert
7 months, 3 weeks ago
Selected Answer: A
The CISO should use MFA (multi-factor authentication) to prevent someone from using the exfiltrated credentials. MFA is a security measure that requires multiple forms of authentication to access a system or data. MFA typically involves the use of two or more of the following factors: something the user knows (e.g. a password or PIN), something the user has (e.g. a security token or smart card), or something the user is (e.g. a biometric characteristic). By requiring multiple forms of authentication, MFA helps to prevent unauthorized access to a system or data, even if a user's credentials are exfiltrated. The report delivered to the CISO indicates that some user credentials could be exfiltrated, and that users tend to choose the same credentials on different systems and applications. This means that if an attacker were to obtain a user's credentials, they could potentially use them to gain access to multiple systems or applications. MFA would help to prevent this by requiring additional forms of authentication, making it more difficult for an attacker to gain access to a system or data.
upvoted 1 times
princajen
7 months, 3 weeks ago
Selected Answer: A
A. MFA (Multi-Factor Authentication) would be the most effective policy to prevent someone from using the exfiltrated credentials. With MFA in place, even if an attacker gets hold of the user's credentials, they would still need to provide an additional authentication factor, such as a token or biometric authentication, before accessing the system. This greatly reduces the risk of unauthorized access even if the user's credentials are compromised. Lockout, time-based logins, and password history policies can all help to increase the security of user credentials, but they may not be as effective as MFA in preventing unauthorized access in the case of exfiltrated credentials. Lockout policies can prevent brute-force attacks, time-based logins can limit the amount of time a user can stay logged in, and password history policies can prevent the reuse of old passwords, but none of these policies can provide the same level of protection as MFA.
upvoted 3 times
ApplebeesWaiter1122
7 months, 3 weeks ago
Selected Answer: D
Password history is a security policy that enforces users to choose unique and previously unused passwords when changing their credentials. It prevents users from reusing the same passwords that may have been compromised or obtained through unauthorized means. By enforcing password history, users will be required to choose new passwords that they haven't used before, making it more difficult for an attacker to gain unauthorized access using stolen credentials. This policy helps enhance the security of user accounts and protects against the potential misuse of exfiltrated credentials.
upvoted 3 times
SlySyrup
7 months, 3 weeks ago
Selected Answer: A
The actual question asks what "prevents someone from using the exfiltrated credentials". So it is actually asking what will stop someone AFTER the credentials have already been exfiltrated - therefore it is MFA. Password history is something that is typically enforced every 30 - 90 days. If a password is extracted on day 1, there are at least 29 more days where the password isn't changed and the attacker can use that password freely. Furthermore, it states "on different systems and applications". Password history stops you from using the same password on the same system - the user can still use the same new password across multiple systems, which then results in the same problem.
upvoted 3 times
Protract8593
7 months, 3 weeks ago
Selected Answer: A
To prevent someone from using the exfiltrated credentials effectively, the CISO should implement: A. MFA (Multi-Factor Authentication). Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more forms of identification before gaining access to a system or application. It adds an extra layer of security beyond just a username and password combination. The different factors can be something the user knows (like a password), something the user has (like a smartphone or a security token), or something the user is (like a fingerprint or other biometric data). In the given scenario, where user credentials have been exfiltrated, MFA can significantly reduce the risk of unauthorized access even if the passwords are compromised. Even if an attacker gains access to the username and password, they would still need the additional factor (e.g., a one-time code sent to the user's mobile device) to successfully log in. This makes it much more challenging for unauthorized individuals to use the stolen credentials effectively.
upvoted 4 times
TheFivePips
7 months, 3 weeks ago
This is another one of those difficult questions. Here's what ChatGPT has to say after grilling it on each answer: Multi-factor authentication (MFA) is indeed a highly effective security measure for preventing unauthorized access, and it can significantly enhance security by requiring multiple forms of authentication, such as something you know (password) and something you have (a mobile device or security token). MFA is essential for protecting against unauthorized access, particularly if an attacker possesses stolen credentials. However, the original question specifically asked about preventing someone from using exfiltrated credentials, which implies that the credentials have already been stolen or leaked. In this context, preventing the reuse of exfiltrated credentials is best addressed by a "Password history" policy, which enforces the use of unique and non-repeated passwords, making it more challenging for attackers to reuse stolen credentials across various systems. MFA is an excellent complement to password policies and should be used in conjunction with them for enhanced security. It helps ensure that even if credentials are compromised, an additional factor of authentication is required for access.
upvoted 2 times
Dogeo
7 months, 3 weeks ago
Selected Answer: A
The best policy to prevent someone from using the exfiltrated credentials would be A. MFA (Multi-Factor Authentication). MFA adds an additional layer of security by requiring users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. If one factor is compromised or broken, an attacker still has at least one more barrier to breach before successfully breaking into the target. Even if users tend to choose the same credentials on different systems and applications, MFA would require them to provide another piece of evidence, like a fingerprint or a temporary code sent to their phone, making it much harder for an attacker to gain access with just the stolen credentials.
upvoted 1 times
RobDoc
7 months, 3 weeks ago
Selected Answer: A
"to prevent someone from using the exfiltrated credentials?" Password history can't prevent someone from using those credentials. "A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated." Based on this, the best answer is MFA, because even if some user credentials are stolen, they can't use them without the other type of authentication (TOTP, SMS, etc.). Of course, password history is a best practice...
upvoted 2 times
zeeshanali1993
7 months, 3 weeks ago
Selected Answer: A
MFA adds an extra layer of security by requiring users to provide multiple forms of identification before granting access. Even if an attacker has exfiltrated username and password credentials, they would still need an additional authentication factor (such as a code from a mobile app or a hardware token) to successfully authenticate.
upvoted 3 times
Grahamtb
7 months, 3 weeks ago
Selected Answer: D
This question is so dumb and if it actually appears on the exam, that’s ridiculous. The obvious ACTUAL corrective action would be to implement MFA. However, since they included the word “Policy” and not in the sense that the CISO would like to create a “corporate policy” i.e. “from now on when utilizing our servers we will” but an account policy, now the “correct” answer is Password History. Just ignorance honestly.
upvoted 4 times
RainSec
7 months, 3 weeks ago
Selected Answer: A
I was stuck on this one for a while. Implementing password history alone does not force an immediate password change. If it did then it would clearly be the better option, as MFA is just added security and is and will continue to be bypassed every single day depending on how dedicated the attacker is and how much resources they have. Regardless of how we think Password history should be implemented, functionally, it's a policy that ONLY prevents the use of previously used passwords, nothing about an immediate password change. MFA has to be the answer.
upvoted 1 times
agfencer
7 months, 3 weeks ago
Selected Answer: A
Multi-Factor Authentication (MFA) adds an additional layer of security beyond just the username and password. Even if an attacker obtains user credentials, they would still need the second factor (which could be something the user has, like a mobile phone for an OTP, or something the user is, like a fingerprint) to gain access. This significantly reduces the risk of credential-based attacks.
upvoted 1 times
ZiareKing
7 months, 3 weeks ago
Selected Answer: D
I think a good way to approach answering this question would be: which would you implement first, (A) MFA or (D) Password history? They're both correct answers. Me, I would remove the threat of the credentials ever being a threat again first: (D) Password history. For an additional layer of protection I would implement (A) MFA... It's (D) Password History for me...
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other